Malware Analysis Report

2024-11-30 11:28

Sample ID 241120-dg9khazekm
Target 88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe
SHA256 88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4
Tags
lockbit dragonforce defense_evasion discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4

Threat Level: Known bad

The file 88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe was found to be: Known bad.

Malicious Activity Summary

lockbit dragonforce defense_evasion discovery ransomware spyware stealer

DragonForce

Dragonforce family

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Deletes itself

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 02:59

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 02:59

Reported

2024-11-20 03:02

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe"

Signatures

DragonForce

ransomware dragonforce

Dragonforce family

dragonforce

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\6A5.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\6A5.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A

Indicator Removal: File Deletion

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\6A5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe

"C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe"

C:\ProgramData\6A5.tmp

"C:\ProgramData\6A5.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6A5.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

memory/2196-0-0x0000000000440000-0x0000000000480000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini

MD5 c50a16e376d32971654bb27c58323f69
SHA1 eda9d8a59de2ec37e881812737c39c7c1934de40
SHA256 545d345a17022eed72b0ae59a4d9caec5854718332499313834629cd0f742728
SHA512 df10e2ce0f83a6040cfe663784910c584d106f9a8f44b70c8d51422b838beb80845beedbdb52b055be2e04556cef22bb01d6a292beddb0c897cf061206d995db

C:\EUPTJQjet.README.txt

MD5 9ed6ef93375846fd5b14c04aaeb1d7a8
SHA1 ee0bd5951ee73108e0cc3b8ae713e6b26364effa
SHA256 ee059c1e1f464baad1d76e3c0efa14212f428215d8f0e48b1d7d747a753f54fc
SHA512 5f8c9bca8f8c8d916b81a8773efcc8746a5d70960db00768cd7f0f8a79d9431b335c09b94fead737dde463c6a89805aa937a7f5d1fb5e808944e70e04e5590f7

F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\DDDDDDDDDDD

MD5 9feada396fce91d022c9be974f38aa8f
SHA1 0ac7ff06af1bff84428cd8291a513480b0aba4f7
SHA256 4247e317012e72a1e3303b3c0cca44279ba7d7bc88ad394145ef6cd54bd72579
SHA512 5ce2351729d02f83ff7cad27d9cec1a0068cf5ab74b4698e516932586d0edd7d4b06b1687e8e6e09ffa619db9fd6330bf599f0c1f4b0e6306558c89d12217380

\ProgramData\6A5.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2040-863-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2040-862-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2040-861-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2040-860-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2040-859-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 1822aa083e2d435ecdc1b4196f1a3dd7
SHA1 5ee162cd2b15ee86e1c0d25456bdd7d6648d66ce
SHA256 89773f8be0ac6c71b39d792f6cf003fc653a4cfef6e29388be984bc042ea136a
SHA512 3e5126ca44a75d08e64e08443b007dc358a40132160b4c0f17abbdd1c8a9fb2cbe45c0a016d40ab036032cdcb7641786ca7a465bd9e45825a4d5823345a5b649

memory/2040-893-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/2040-892-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 02:59

Reported

2024-11-20 03:02

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe"

Signatures

DragonForce

ransomware dragonforce

Dragonforce family

dragonforce

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\ProgramData\E3C9.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\E3C9.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\E3C9.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PP8e_00kk2jg4fuasgqn97w8_ud.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPblb71r8y9ft4quf1sjj70ksq.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPzirs7b4lecu7a2lk0k6g629db.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\E3C9.tmp N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe C:\Windows\splwow64.exe
PID 2908 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe C:\Windows\splwow64.exe
PID 2084 wrote to memory of 5096 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 2084 wrote to memory of 5096 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 2908 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe C:\ProgramData\E3C9.tmp
PID 2908 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe C:\ProgramData\E3C9.tmp
PID 2908 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe C:\ProgramData\E3C9.tmp
PID 2908 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe C:\ProgramData\E3C9.tmp
PID 1792 wrote to memory of 4624 N/A C:\ProgramData\E3C9.tmp C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 4624 N/A C:\ProgramData\E3C9.tmp C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 4624 N/A C:\ProgramData\E3C9.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe

"C:\Users\Admin\AppData\Local\Temp\88169b1d4778ed6c5fda97375efb5b9171ea52649c8715bb449801c39bce4ad4.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9A9C22B5-6C7C-4DAD-8809-B5136FD82746}.xps" 133765452124350000

C:\ProgramData\E3C9.tmp

"C:\ProgramData\E3C9.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E3C9.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2908-2-0x00000000034A0000-0x00000000034B0000-memory.dmp

memory/2908-1-0x00000000034A0000-0x00000000034B0000-memory.dmp

memory/2908-0-0x00000000034A0000-0x00000000034B0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\TTTTTTTTTTT

MD5 4cbf93bee308b69700118f8c6e08a1d3
SHA1 96affb566052e83d37cd89c4b7c639c3c7991da7
SHA256 2a0766dcf96d8a4acda75605ca71d8962ce2ff0888c6e263876e6d3559fdfd4d
SHA512 a88e8b7df76eed9e930ce76433547566c250de80e97125e95bbbe377b33922d73e2027295c0ae1a1ea5d0e7af81298b9d8a47d6d5716604aeccb84739ca20801

C:\EUPTJQjet.README.txt

MD5 faae3fb0bdcf38f5fedd5161617734de
SHA1 04f38abce4d9496a3fa1296ddae4b152ce7caf7d
SHA256 28353c9b16ae564f0667b99f87e5a8970dc8e5e8958b2e2184345bc4f3a57dda
SHA512 495094e63ec932250f9a85f5abcedfdc4f6cdc86719a08be38849aafd8f7ac024b62e4826f51fab8373e4bd36b3a5aa341f4ef090a549cc205ba39dfb69691a5

F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\DDDDDDDDDDD

MD5 06efdc2d773991c60bd574576dc41646
SHA1 42f82b5d525020220db5356d90363a14fe89e358
SHA256 317adcd2e6857053814795f4540def4331026c3b0ad5089a15092067d2363494
SHA512 d7684a976ce5c2e269bbf3854262d5526a4414da4d366f4bab525f0bd51baa4f3caa2e0bd979c49f1bdc1c57cf67173c8d741fac04b3e1d63c7b2d0ff7557a9a

memory/2908-2967-0x00000000034A0000-0x00000000034B0000-memory.dmp

memory/2908-2968-0x00000000034A0000-0x00000000034B0000-memory.dmp

memory/2908-2969-0x00000000034A0000-0x00000000034B0000-memory.dmp

C:\ProgramData\E3C9.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/5096-2985-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

memory/5096-2986-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

memory/5096-2987-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

memory/5096-2988-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

memory/5096-2984-0x00007FFA179D0000-0x00007FFA179E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 4a3142209d9e53bf8effb43a6c88aa1e
SHA1 20ec2a69caeb80a01376e974a1d38240120a0f81
SHA256 176f1b27f23c9b03033d6f63ccc927f10f85f76feaf9a1856c0f25bced2d8962
SHA512 5cc063ca226856112bd6360a453e0818659ae35db981cbecff649bfcfd7b5fcfc05d6b550d02c389757819362c7d4fbb09bb63d7f54f3e2afcbd1f69716e11ad

memory/5096-3017-0x00007FFA15970000-0x00007FFA15980000-memory.dmp

memory/5096-3018-0x00007FFA15970000-0x00007FFA15980000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{981AED2A-1E98-4503-B81F-E7645F95498D}

MD5 7e6a363e44186ca738dbe2fff7b6f1fd
SHA1 dc0a67d5e9015bd9efad570fae28839cca6b147e
SHA256 9e8eb4d674084b29d5b22a9c3aad7f8988e442cd2a4e464558220ffb9fa114be
SHA512 7feeca5f9b33d6c88fb5c9e4217cdb9429d3051592cfac75403f2308f89cf3dad2404f4b2656979d0b4ab7cd1e93d70d2ae4b243669bb4c90e5b9b21e1b2a753

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 1abb5851d346bc67411391a0c66d1f8a
SHA1 0e7f200c8dde7d2d124dc7c91cb3f093e02fa086
SHA256 769107e5c83378cf101e499c3b7b966e6ce0699c8c6f6e0468d465de6dc0d74f
SHA512 aa6a8ffbe18b658e9c4891658ccaa61813a4799b3db170e292076a9569971a2d8934de051ecb2a36c9f492ca09fd9f94feb937001b1b2c39a4842ebbcbff2812