Malware Analysis Report

2024-11-30 11:28

Sample ID 241121-zjwbjsxmhy
Target 0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194
SHA256 0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194
Tags
lockbit defense_evasion discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194

Threat Level: Known bad

The file 0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194 was found to be: Known bad.

Malicious Activity Summary

lockbit defense_evasion discovery ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (594) files with added filename extension

Renames multiple (341) files with added filename extension

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Indicator Removal: File Deletion

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Modifies registry class

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 20:45

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 20:45

Reported

2024-11-21 20:47

Platform

win7-20241023-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe"

Signatures

Renames multiple (341) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\537D.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\537D.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Indicator Removal: File Deletion

defense_evasion

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\537D.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: 36 (LUID left unresolved by the sandbox; 36 is SeDelegateSessionUserImpersonatePrivilege, defined from Windows 10 1703 onward and not present on this Windows 7 platform, so the request is part of a hard-coded privilege list rather than something the OS granted) N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: 33 (LUID left unresolved by the sandbox; 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe

"C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe"

C:\ProgramData\537D.tmp

"C:\ProgramData\537D.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\537D.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c
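The process list above is the chain the report labels "Executes dropped EXE", "Deletes itself" and "Indicator Removal: File Deletion": the sample writes C:\ProgramData\537D.tmp, runs it, and that process spawns cmd.exe to DEL its own image. Two details matter for detection. The DEL target is written with the 8.3 short name C:\PROGRA~3, so a rule that matches the literal string "ProgramData" misses it, and the cmd.exe image is C:\Windows\SysWOW64\cmd.exe even though the command line names System32, which is the file-system redirection a 32-bit parent gets. The Python below is an added example, not code from the report or the sandbox, that runs that detection over a constructed Sysmon-style process-creation log reproducing the chain; the PIDs and the short-name table are assumptions, and on a live host the short name should be resolved with GetLongPathName rather than a static table.

```python
"""Detect the drop -> execute -> self-delete chain from the Processes list.

Added example, not part of the sandbox report. EVENTS is a constructed
Sysmon-style process-creation log (event ID 1 fields ProcessId,
ParentProcessId, Image, CommandLine) that reproduces the report's chain:
sample.exe -> C:\\ProgramData\\537D.tmp -> cmd.exe /C DEL /F /Q
C:\\PROGRA~3\\537D.tmp >> NUL, plus benign noise. PIDs are made up.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe")

EVENTS = [
    {"ProcessId": 1120, "ParentProcessId": 900, "Image": SAMPLE,
     "CommandLine": '"' + SAMPLE + '"'},
    {"ProcessId": 2800, "ParentProcessId": 1120, "Image": r"C:\ProgramData\537D.tmp",
     "CommandLine": r'"C:\ProgramData\537D.tmp"'},
    {"ProcessId": 2950, "ParentProcessId": 2800, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\537D.tmp >> NUL'},
    # Benign noise: a build tool cleaning up its own log through cmd.
    {"ProcessId": 3100, "ParentProcessId": 900, "Image": r"C:\Tools\build.exe",
     "CommandLine": "build.exe --clean"},
    {"ProcessId": 3200, "ParentProcessId": 3100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Tools\build.log >> NUL'},
]

# Assumed 8.3 aliases (typical on 64-bit Windows, not guaranteed): the sample
# deletes C:\PROGRA~3\537D.tmp, so a match on the literal string "ProgramData"
# would miss it. On a live host resolve short names with GetLongPathName.
SHORT_NAMES = {
    "c:\\progra~3": "c:\\programdata",
    "c:\\progra~1": "c:\\program files",
    "c:\\progra~2": "c:\\program files (x86)",
}

# DEL, any number of /switches, then the target (quoted or bare).
DEL_RE = re.compile(r'\bdel\b\s+(?:/\w+\s+)*(?P<target>"[^"]+"|\S+)', re.IGNORECASE)

def normalize(path):
    """Lower-case, strip quotes, expand a leading 8.3 directory alias."""
    p = path.strip('"').lower()
    for short, full in SHORT_NAMES.items():
        if p == short or p.startswith(short + "\\"):
            return full + p[len(short):]
    return p

def deleted_target(cmdline):
    """Path passed to DEL in a cmd.exe command line, normalized, or None."""
    m = DEL_RE.search(cmdline)
    return normalize(m.group("target")) if m else None

def find_self_delete_chains(events):
    """One hit per cmd.exe whose DEL target is its own parent's image, with
    the grandparent (the dropper) and where the deleted file lived."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        # Match on the basename: the image may be SysWOW64\cmd.exe.
        if not e["Image"].lower().endswith("\\cmd.exe"):
            continue
        target = deleted_target(e["CommandLine"])
        parent = by_pid.get(e["ParentProcessId"])
        if target is None or parent is None:
            continue
        parent_image = normalize(parent["Image"])
        if target != parent_image:
            continue  # cmd deleting something other than the process that spawned it
        grand = by_pid.get(parent["ParentProcessId"])
        hits.append({
            "dropper": grand["Image"] if grand else None,
            "dropped": parent["Image"],
            "dropped_in_programdata": parent_image.startswith("c:\\programdata\\"),
            "dropped_is_tmp": parent_image.endswith(".tmp"),
            "delete_cmd": e["CommandLine"],
        })
    return hits

if __name__ == "__main__":
    for hit in find_self_delete_chains(EVENTS):
        print(hit)
```

The parent-image comparison is what keeps the rule quiet: cmd.exe deleting temporary files is common, cmd.exe deleting the executable that spawned it is not. The "dropped_in_programdata" and "dropped_is_tmp" fields carry the two other facts from this report (a hex-named .tmp in C:\ProgramData) so a downstream rule can weight them without re-parsing the path.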

Network

N/A

Files

memory/2800-0-0x0000000000070000-0x00000000000B0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini

MD5 7703d9be3ab1f0bd351220d20840e2e9
SHA1 3ac1eb87dd2a9fb1a14022182fcfc8a7afa48249
SHA256 ba09084d4c6a0436ecd151875af36c006945392393dd638f602dd0fbc004f269
SHA512 98a38dd950f4e725a970e5bf3dbec0518d00268511dc0babc16b4c0a81bff0581409ea0d81b5eb444d2c2f60f3b0f72a3f6e05bbc2845c6216c6928b3434b4f6

F:\$RECYCLE.BIN\S-1-5-21-1163522206-1469769407-485553996-1000\DDDDDDDDDDD

MD5 53bd1545ff5e6c696e9022c2aa35c68d
SHA1 29ab7aa6d8c5dfa519bbadc4637bd184b41d5638
SHA256 c0ace879f796f550461360e48db63289e37dbda678ef56aee5a283ccae087eb9
SHA512 340af14f0bf8da6227c11d30327005b671bfe4493081761514630c3f1ebd43a97ca9f69e58712a9c6e46e6ae11e52666ffcedb6cf43912c80ce7816cbca3158c

C:\AFfGduKAp.README.txt

MD5 8ab02fa258c4a37f117d291ea2961749
SHA1 ab4233853da5b1f0607fb7dd960a4074a5932f57
SHA256 d06a43337366deab4b78bcf85ba92efb705a0e8391198367091d3e6ad16d036d
SHA512 a3f8c6c1aada2584214deb6fc9dc4ffed3a3650f5cf839276bb826e047ad545f981b8873a0a2b58191ee3d1f4e7fbdb148dfc5df3591b9c55e36351327a27cd4

\ProgramData\537D.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1120-874-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1120-875-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1120-873-0x0000000000240000-0x0000000000280000-memory.dmp

memory/1120-872-0x0000000000240000-0x0000000000280000-memory.dmp

memory/1120-871-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 96270d5f3031c08ea788f56085b6c2ac
SHA1 cb94a7b402222e7a4666a48b7853b96694c0c880
SHA256 858b24aa1b44193550a9d717dbc96f00b260e79017e130b8578440ab3fc31618
SHA512 d393fcaa4882181d33e8a9ddf8908adf5451845c36a5ef3cd85c51db3dbe3f431aa3595e2fa345af7bf3c478c1e9ab4e6e0982c107dc6e3a2490055735005d82

memory/1120-905-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/1120-904-0x000000007EF40000-0x000000007EF41000-memory.dmp
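The registry and file artifacts in this detonation fit together: the appended extension AFfGduKAp is registered as a file class under HKLM\SOFTWARE\Classes (".AFfGduKAp" pointing at the ProgID "AFfGduKAp", whose DefaultIcon is C:\ProgramData\AFfGduKAp.ico), the wallpaper is pointed at C:\ProgramData\AFfGduKAp.bmp, and the ransom note is named after the extension as C:\AFfGduKAp.README.txt. The Python below is an added triage helper, not code from the report or the sandbox, that infers the appended extension from a file listing and checks those artifacts against each other; the file listing and registry snapshot are constructed from the names in this report, and the nine-character alphanumeric extension pattern is taken from this sample and public LockBit 3.0 reporting.

```python
"""Host triage for LockBit 3.0-style artifacts: appended extension, ransom
note name, file-class registration and wallpaper.

Added example, not part of the sandbox report. FILES and REGISTRY are
constructed from the artifact names in this report so the script runs
offline; on a live host replace them with an os.walk() listing and values
read through winreg.
"""
import re
from collections import Counter

# Constructed listing: three encrypted user files, the ransom note in two
# places (the report shows it in the drive root), the desktop.ini the
# sample touched, and an unrelated system file.
FILES = [
    r"C:\Users\Admin\Documents\budget.xlsx.AFfGduKAp",
    r"C:\Users\Admin\Documents\notes.docx.AFfGduKAp",
    r"C:\Users\Admin\Pictures\holiday.jpg.AFfGduKAp",
    r"C:\Users\Admin\Desktop\AFfGduKAp.README.txt",
    r"C:\AFfGduKAp.README.txt",
    r"C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini",
    r"C:\Windows\System32\kernel32.dll",
]

# Constructed registry snapshot mirroring the "Modifies registry class" and
# "Sets desktop wallpaper using registry" rows: key path -> value name -> data.
REGISTRY = {
    r"HKLM\SOFTWARE\Classes\.AFfGduKAp": {"": "AFfGduKAp"},
    r"HKLM\SOFTWARE\Classes\AFfGduKAp\DefaultIcon": {"": r"C:\ProgramData\AFfGduKAp.ico"},
    r"HKCU\Control Panel\Desktop": {
        "Wallpaper": r"C:\ProgramData\AFfGduKAp.bmp",
        "WallpaperStyle": "10",
    },
}

# The sample appended a nine-character alphanumeric extension (.AFfGduKAp),
# which matches public LockBit 3.0 reporting. Require an ordinary short
# extension in front of it so normal files are not counted.
ENC_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.(?P<ext>[A-Za-z0-9]{9})$")
PROGRAMDATA = "c:\\programdata\\"

def basename(path):
    return path.rsplit("\\", 1)[-1]

def infer_extension(paths, min_hits=3):
    """Most common nine-character appended suffix as (ext, count);
    (None, 0) if fewer than min_hits files carry one."""
    counts = Counter()
    for p in paths:
        m = ENC_RE.match(basename(p))
        if m:
            counts[m.group("ext")] += 1
    if not counts:
        return None, 0
    ext, n = counts.most_common(1)[0]
    return (ext, n) if n >= min_hits else (None, 0)

def ransom_notes(paths, ext):
    """LockBit 3.0 names its note '<ext>.README.txt'; return every match."""
    want = f"{ext}.README.txt".lower()
    return [p for p in paths if basename(p).lower() == want]

def check_registry(reg, ext):
    """Confirm the wiring the report shows: '.<ext>' -> ProgID '<ext>',
    '<ext>\\DefaultIcon' -> an .ico in ProgramData, wallpaper -> a .bmp in
    ProgramData. One boolean per check."""
    progid = reg.get(r"HKLM\SOFTWARE\Classes\." + ext, {}).get("", "")
    icon_key = r"HKLM\SOFTWARE\Classes" + "\\" + progid + r"\DefaultIcon"
    icon = reg.get(icon_key, {}).get("", "")
    wallpaper = reg.get(r"HKCU\Control Panel\Desktop", {}).get("Wallpaper", "")

    def in_programdata(p, suffix):
        p = p.lower()
        return p.startswith(PROGRAMDATA) and p.endswith(suffix)

    return {
        "progid_matches_ext": progid == ext,
        "icon_in_programdata": in_programdata(icon, ".ico"),
        "wallpaper_in_programdata": in_programdata(wallpaper, ".bmp"),
    }

def triage(paths, reg):
    """Correlate the three artifact classes and return a verdict dict."""
    ext, n = infer_extension(paths)
    if ext is None:
        return {"verdict": "no appended-extension pattern", "extension": None}
    checks = check_registry(reg, ext)
    notes = ransom_notes(paths, ext)
    consistent = bool(notes) and all(checks.values())
    return {
        "verdict": "lockbit3-like" if consistent else "partial",
        "extension": ext,
        "encrypted_files": n,
        "ransom_notes": notes,
        "registry": checks,
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(FILES, REGISTRY))
```

Inferring the extension from the file listing rather than from the registry is deliberate: the Classes keys are written by the sample and can be cleaned up, but the renamed files remain, and the extension recovered from them is what a responder needs to locate the note, the icon and the wallpaper on other hosts.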

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 20:45

Reported

2024-11-21 20:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe"

Signatures

Renames multiple (594) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\ProgramData\A6BF.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\A6BF.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\A6BF.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Indicator Removal: File Deletion

defense_evasion

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\A6BF.tmp N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: 36 (LUID left unresolved by the sandbox; 36 is SeDelegateSessionUserImpersonatePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: 33 (LUID left unresolved by the sandbox; 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe

"C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe"

C:\ProgramData\A6BF.tmp

"C:\ProgramData\A6BF.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A6BF.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 73.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/2228-2-0x0000000002540000-0x0000000002550000-memory.dmp

memory/2228-1-0x0000000002540000-0x0000000002550000-memory.dmp

memory/2228-0-0x0000000002540000-0x0000000002550000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\BBBBBBBBBBB

MD5 f8134cc6774db8a4151d2298194e35bc
SHA1 3f6d79958e8f596cec17ea156cbc3bf7fb6fd5d9
SHA256 dea7910628c4d1e755cc8e48e6f14f36356533884dc2e736501dd4e8c2de3676
SHA512 fd885a5432d2265ef460446fb8bcaebc5a264ff0a5532d50bd71145c77547848d33af0bdc6989fe2ee4df80602fe83cbee1cb64bb89e21b5bc22be2598eedda5

F:\$RECYCLE.BIN\S-1-5-21-940901362-3608833189-1915618603-1000\DDDDDDDDDDD

MD5 717c328e4523dc99db4f2e084812f610
SHA1 151b5efdafe846e22d06fdb09ebcac6c062afe43
SHA256 129490dd30a95cdb714a7f27e4229de9f5416dab474de9013a4049250ea5faa0
SHA512 17f4b9d9ba87bd58c1ce724ab2c981854e80fc407c545513611f06ee015be0372f91c21209504d8bda39cc917a64ba07120f64d9a332c8833c2b5ff215a1805f

C:\AFfGduKAp.README.txt

MD5 b428db0c87e45f5d763d279208a12b5c
SHA1 e720801e25a15ce1eed49406b2909ecf039c2e4d
SHA256 cc0ed5270884cb39e945d398355c837b9a27a7a76a81bcec3d90424a78246972
SHA512 0f2aea1fb3ae3e3bfbd09589765777e08f537d7ea7aa9859c311647437753465121f085641163a9f4e5544b5c48f3d559435f64a18546a09f2a1e1bd5059c180

C:\ProgramData\A6BF.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2228-2981-0x0000000002540000-0x0000000002550000-memory.dmp

memory/4004-2980-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/4004-2979-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/4004-2978-0x00000000026E0000-0x00000000026F0000-memory.dmp

memory/4004-2977-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/2228-2976-0x0000000002540000-0x0000000002550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

MD5 0e3b31c654871c0cf7bacfd32f033737
SHA1 d54dd724dc2106c758c1e0b133c435b1daf2a3d0
SHA256 46830af0a99a87f3c913b989699c40212da5eb635d5611f9057dac95fb89c8ce
SHA512 264ce6e7d31f71cb24d3276362d2f9b3b856fe52d5b0e9a9053fdd31aa0fec3f12e7af80ea3d8c1cb2bcadbd600aef6e4c3835364c03d74e41fe563557f4ad7f

memory/4004-3010-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/4004-3011-0x000000007FE00000-0x000000007FE01000-memory.dmp