lockbit | 5e1d3c89c3992c19b03d6f0f553073a46b337d27cadcddfc63abfe06118fa8d5

Analysis

max time kernel
173s
max time network
175s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-06-2024 02:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

LB3.exe
Size

153KB
MD5

917c73751f310ac3a09dd56b88baef90
SHA1

23a42392a2857b3fe74573197c4d1d819116d19f
SHA256

5e1d3c89c3992c19b03d6f0f553073a46b337d27cadcddfc63abfe06118fa8d5
SHA512

15b472715621158ad150aed6a6cce75dd8a4a1eee2f1b62f8d67596a336aac5d663198250e4439031fd1e56b6601618eac806da4d0bb062f454ef6d5be8dcac2
SSDEEP

3072:66glyuxE4GsUPnliByocWepEXGg7g+fACCmUSt:66gDBGpvEByocWexIgQ1lUSt

Score

10^/10

lockbit ransomware spyware stealer

Malware Config

Extracted

Path

C:\q4ZbIx1qb.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] >>>> Your personal DECRYPTION ID: 7D5E9DCC6033969972974E300ECBC798 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 XMPP (Jabber) Support: [email protected] [email protected] If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion Links for the normal browser http://lockbitapt.uz http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

Emails

[email protected]

URLs

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion

http://lockbitapt.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly

https://twitter.com/hashtag/lockbit?f=live

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Renames multiple (517) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

9607.tmp

pid	Process
4928	9607.tmp

Executes dropped EXE 1 IoCs

Processes:

9607.tmp

pid	Process
4928	9607.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

LB3.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4106386276-4127174233-3637007343-1000\desktop.ini	LB3.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4106386276-4127174233-3637007343-1000\desktop.ini	LB3.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPh4xq7wslmy1alt_9mse5ej2j.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPwqj5d0avh7ej__tafksuraisb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPpit2dbh59f_jljtz4b03lc2gb.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

LB3.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\q4ZbIx1qb.bmp"	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\q4ZbIx1qb.bmp"	LB3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

LB3.exe9607.tmp

pid	Process
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
4928	9607.tmp

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXEchrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

LB3.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop	LB3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\WallpaperStyle = "10"	LB3.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

chrome.exeLogonUI.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640160265567142"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 6 IoCs

Processes:

OpenWith.exeLB3.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.q4ZbIx1qb	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.q4ZbIx1qb\ = "q4ZbIx1qb"	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\q4ZbIx1qb\DefaultIcon	LB3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\q4ZbIx1qb	LB3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\q4ZbIx1qb\DefaultIcon\ = "C:\\ProgramData\\q4ZbIx1qb.ico"	LB3.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

NOTEPAD.EXE

pid	Process
4284	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid	Process
5108	ONENOTE.EXE
5108	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

LB3.exeONENOTE.EXEchrome.exe

pid	Process
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
1992	LB3.exe
5108	ONENOTE.EXE
5108	ONENOTE.EXE
3076	chrome.exe
3076	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

9607.tmp

pid	Process
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp
4928	9607.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LB3.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeDebugPrivilege	1992	LB3.exe
Token: 36	1992	LB3.exe
Token: SeImpersonatePrivilege	1992	LB3.exe
Token: SeIncBasePriorityPrivilege	1992	LB3.exe
Token: SeIncreaseQuotaPrivilege	1992	LB3.exe
Token: 33	1992	LB3.exe
Token: SeManageVolumePrivilege	1992	LB3.exe
Token: SeProfSingleProcessPrivilege	1992	LB3.exe
Token: SeRestorePrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSystemProfilePrivilege	1992	LB3.exe
Token: SeTakeOwnershipPrivilege	1992	LB3.exe
Token: SeShutdownPrivilege	1992	LB3.exe
Token: SeDebugPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeBackupPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe
Token: SeSecurityPrivilege	1992	LB3.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	Process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe
3076	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

ONENOTE.EXEOpenWith.exeLogonUI.exe

pid	Process
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
5108	ONENOTE.EXE
2296	OpenWith.exe
2032	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LB3.exeprintfilterpipelinesvc.exe9607.tmpchrome.exe

description	pid	Process	procid_target
PID 1992 wrote to memory of 1912	1992	LB3.exe	76
PID 1992 wrote to memory of 1912	1992	LB3.exe	76
PID 5048 wrote to memory of 5108	5048	printfilterpipelinesvc.exe	78
PID 5048 wrote to memory of 5108	5048	printfilterpipelinesvc.exe	78
PID 1992 wrote to memory of 4928	1992	LB3.exe	79
PID 1992 wrote to memory of 4928	1992	LB3.exe	79
PID 1992 wrote to memory of 4928	1992	LB3.exe	79
PID 1992 wrote to memory of 4928	1992	LB3.exe	79
PID 4928 wrote to memory of 4236	4928	9607.tmp	80
PID 4928 wrote to memory of 4236	4928	9607.tmp	80
PID 4928 wrote to memory of 4236	4928	9607.tmp	80
PID 3076 wrote to memory of 4248	3076	chrome.exe	87
PID 3076 wrote to memory of 4248	3076	chrome.exe	87
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 5044	3076	chrome.exe	89
PID 3076 wrote to memory of 3688	3076	chrome.exe	90
PID 3076 wrote to memory of 3688	3076	chrome.exe	90
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91
PID 3076 wrote to memory of 3192	3076	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:1912
- C:\ProgramData\9607.tmp
  "C:\ProgramData\9607.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9607.tmp >> NUL
    3⤵
    PID:4236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
- Drops file in Windows directory
PID:3896

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8CD0396E-7E50-448B-BA90-6409EB1A00BF}.xps" 133640158996370000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5108

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\q4ZbIx1qb.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbe26e9758,0x7ffbe26e9768,0x7ffbe26e9778
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:2
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4472 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1824,i,16843480631551455060,994499571636696923,131072 /prefetch:8
  2⤵
  PID:1716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3afb855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4106386276-4127174233-3637007343-1000\YYYYYYYYYYY

Filesize
129B

MD5
bc79fc8fcacd7ca7a95127bed9898bbd

SHA1
86801fd6ad3aa102bed2a64b26f04efd242700fe

SHA256
c900a6a5c53fc321bf8f140c794a03e180c6eee1dfa5554df2d1b87fbb57c66c

SHA512
4b6c0dcac01c3d57ab29f79316f7f06bb4164f1a8c9823e9a89eff220303c1b77f817cc66b2598e84185bc7574ad9f176de7d9d9394bbf4cbe58a3e196c53656

Download Submit
C:\ProgramData\9607.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-660EA292-F3C.pma.q4ZbIx1qb

Filesize
4.0MB

MD5
62c31d2afeec42fa5a979ca9893921a2

SHA1
b8d484dd3e887abfdadaf472c28953da48382615

SHA256
49760b26ef2e4512bab0e228f1d227f933fcfe01af01118b263f6feac9e00462

SHA512
535e6aec5e0a392b5d5b48e5ae9fadc875d84b31bdedae2169c12eb94ce356e9a2b420d2d241eb217b1e71f63f776346d6959aa3f7b982e0611461b0b0128d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
7f1bc69a2f247d8f3cf7c3b8119ce1f0

SHA1
5400f046975627879450b75e3163380f2626d57f

SHA256
497c7cf89db4d6cc969c0c29d3adc0fc403d38c4e8095abd27eb3b1f56fa1459

SHA512
b75f998b413102ba5201dfc413b82fbf1d4a1c44f9a0789831aa643df59cbb44188a92c80d6cf0d610e5d770cb5cd8d28bf0e692828592ec77682ca28582180b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cd29ab193d47952055125b68db44a7b8

SHA1
38136aee16db3667c617ef74f690071ff8d9cf35

SHA256
a31d045aecd10de3fdbfebaae0e825a483e354a0b42ac26041981e43acd1540c

SHA512
ddffcc9a496e7c80f0e007572924131ba27da25443bd5698a49dce247f402bb03ba4c349a68f7bc4bfeff320c6947bfcefe27e8c35a790796f86ec77ed1eba3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
a9564375b21562c020879e685d4a9400

SHA1
28f54f82a8a721216e134c7de7f7f70e6d5a32c8

SHA256
e6fab45af9c2b9576fe8c9e0113fe0f7c6ccf82dbc761ad7773a0e854e93a6b1

SHA512
7eb7eb13c54cc950ea1cca6c1bd0ba7ff4a0a1e9d2ba775fcbf7d7485c71007806d9ebf0ddac6b89ab57baee96992022fc514e0c7a9fd380655ab5a1c5c02ba7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4fa54c45f2207a6740bebfba10a57dd6

SHA1
1cb3b7fea119d9acd64ba331a7fe799806d43b63

SHA256
111635fa9932405444e90e4a9b6dfd610f43dbc818829103aada4b1b234174fd

SHA512
d212d9beaef2d183627d8a8dd03c5ed98e92255c2e7fb21199b0f6a5405ae226984028021439981daa18538aa399153256008eaa9a9089ab9da1dc5ef871163f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
3e4611fb22f267b577af66cc75b2ba47

SHA1
d0bf637a27a64b0ec7267e8514a5bc170f8a7b2b

SHA256
3d3ca2a2781600c4c7c653ffba2ad60d984dc42135a913d1ed7b86a266d5ec4c

SHA512
78ff6cbf00026db6902d5599f9bb6153313d2a3beccbc6b10548e2b20c91447cea0e5fdfc972d605ea2856c1b5d13a4b1417439243d5daa87c043570bfdcb640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
0c1f415d643d98b85163c5a095e639aa

SHA1
4eec74f1bb6252c8f1daa11b1af40aef7d68d0d1

SHA256
451eaf6d36c6045e47fe0f8def51db544f816289eeba56f73c4d7e14d9657872

SHA512
306d657399ab7c58732452a12b8460b613291060e5161fcb90a91043525134153597a10cacf66a369a02ef088e0411ac8e7ee5dccc924b04a9ae938e0397d3f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State~RFe59714e.TMP

Filesize
947B

MD5
304ce838a103e70ab0824c891d171bb6

SHA1
702ddad570e5e4c0e27522174c1dfd8ac10b4087

SHA256
a003cfd76e6a1c6fa07e70cfbdc08fcb86562cc7b532d1f6e56e865316ea7146

SHA512
7091657a2e61c5aaa3fefd95ad16853e04d51d4cdd05fec51753626ac0e7af1c2e5222039671c91f88e68e790c7cddb07106cc00058a4320db5e5fd0e1ca97de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDD

Filesize
153KB

MD5
3e639791044eeb544b3ced79f0268568

SHA1
495e9f4ed511f5dadb43647a3833f719fc12de0a

SHA256
5f03ab9d4dd90a6097b15c765476058bac65145641e82d8242fb7f4cf9fbed73

SHA512
b7041b3b22998a2c3ed173234171d64eb9c0739640ce3aeb912f225b72fe83b416e2df9d56710e247be3cbd22123c8fc577dd15c379212576dd28cdd605f2509

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3CBE7C00-D2AC-45FE-9D11-059B9B879A3E}

Filesize
4KB

MD5
513d76da51093b0bab183d4be7bd2413

SHA1
14942b59e91bac6a569db75908a337afd185d69b

SHA256
d0fec3aab4cfbe3267cbe2d2936801f0a78e8d2f0b9f879bf2736d9e16f1840e

SHA512
b39396fc61083c7ae1a9b95e6bdcc187a6f6c128e258980bf96363e8ffdca828ed09e8022c658cf7f2dc148921155dd600e007495efa7cf6aa96e8cea7000687

Download Submit
C:\Users\Admin\AppData\Local\TileDataLayer\Database\EDB.chk

Filesize
8KB

MD5
6e57bb4080033b0724795513772ad6ff

SHA1
74a805d534afa29f6c7100c9865cd3fbfcf4eda4

SHA256
fda06a606c253d8eb1cb0817c0f07ca49a5c18dda2deba25b4cd783fe083785f

SHA512
ade97366680a7cbdd1fc4cb4bd140a1054f15f9c7954ee2af12149cf28fed7d39249960106f5bf7bd01ba7bfa245612f38cc82a07b64fcf00ac3890228a21a3c

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
1c137b6b7f054dabbed5734da676f56c

SHA1
f6a24be5e0ca1c2ecb6eaefde639af37058ed6c1

SHA256
debf22cdf0e18435a0b18dd0ff0b6c46135b2a46d5cf85c1191f33acec66e509

SHA512
c6031241a35ab753157df464af0036eb57aaaf90ae453e8031e6cb8436c1565f6071c4c7addce303ea8d354227595fc3ec1f1b68f08c1bffd95ef77f42f0cf62

Download Submit
C:\q4ZbIx1qb.README.txt

Filesize
6KB

MD5
984aa9dfcc862552581151dbbf245ab7

SHA1
6bc23878b8d866f0c8fdec0dc2aa4663b9d34e6d

SHA256
84771b0fe7a0fe0f4be9a8e42449b58038747ef6cdd9e00ceace5b25e736f638

SHA512
3727f1b5fe8b2608b1b2109b88305da0696ba031f9f30cf0ec268fb5894333914bc9de018e988cd2183697f38de25982c2b55f0cf6d5ca5017ff34d1eb7e9e1e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4106386276-4127174233-3637007343-1000\DDDDDDDDDDD

Filesize
129B

MD5
440d1c6ac74e27c4d2eb8e3d334b45f6

SHA1
c78506fb5a8ff7722f9a97edb26dd481952d8944

SHA256
1405c663af7ff3b81be65385dc5e4a7f41168746a0e0273cb48e6b26b5d96ce6

SHA512
dc6181ae9679753c65173405c0489c9f8e31070a66ff417277ee19292d07791dddf21ddb87977bf3ff0b431888de42b1bdf2b2364a0cd56b2094d0aa5c7108d7

Download Submit
\??\pipe\crashpad_3076_NOJEGKMXNMVWZETJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1992-1-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/1992-2-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/1992-0-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/3896-2856-0x0000025288BC0000-0x0000025288BD0000-memory.dmp

Filesize
64KB

Download
memory/3896-3556-0x0000025288C70000-0x0000025288C71000-memory.dmp

Filesize
4KB

Download
memory/3896-3552-0x0000025288CA0000-0x0000025288CA1000-memory.dmp

Filesize
4KB

Download
memory/3896-3545-0x00000252892C0000-0x00000252892C1000-memory.dmp

Filesize
4KB

Download
memory/3896-2852-0x0000025288990000-0x00000252889A0000-memory.dmp

Filesize
64KB

Download
memory/3896-2868-0x000002528D880000-0x000002528D881000-memory.dmp

Filesize
4KB

Download
memory/3896-2867-0x000002528D860000-0x000002528D861000-memory.dmp

Filesize
4KB

Download
memory/3896-2865-0x00000252892C0000-0x00000252892C1000-memory.dmp

Filesize
4KB

Download
memory/3896-2863-0x0000025288CA0000-0x0000025288CA1000-memory.dmp

Filesize
4KB

Download
memory/5108-3392-0x00007FFBAEA80000-0x00007FFBAEA90000-memory.dmp

Filesize
64KB

Download
memory/5108-2884-0x00007FFBAEA80000-0x00007FFBAEA90000-memory.dmp

Filesize
64KB

Download
memory/5108-2918-0x00007FFBAB5B0000-0x00007FFBAB5C0000-memory.dmp

Filesize
64KB

Download
memory/5108-2885-0x00007FFBAEA80000-0x00007FFBAEA90000-memory.dmp

Filesize
64KB

Download
memory/5108-2886-0x00007FFBAEA80000-0x00007FFBAEA90000-memory.dmp

Filesize
64KB

Download
memory/5108-3389-0x00007FFBAEA80000-0x00007FFBAEA90000-memory.dmp

Filesize
64KB

Download
memory/5108-3391-0x00007FFBAEA80000-0x00007FFBAEA90000-memory.dmp

Filesize
64KB

Download
memory/5108-3390-0x00007FFBAEA80000-0x00007FFBAEA90000-memory.dmp

Filesize
64KB

Download
memory/5108-2887-0x00007FFBAEA80000-0x00007FFBAEA90000-memory.dmp

Filesize
64KB

Download
memory/5108-2919-0x00007FFBAB5B0000-0x00007FFBAB5C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads