Malware Analysis Report

2025-05-05 20:48

Sample ID 250421-hjpekatycv
Target 6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
SHA256 6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417
Tags
lockbit braincipher defense_evasion discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417

Threat Level: Known bad

The file 6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe was found to be: Known bad.

Malicious Activity Summary

lockbit braincipher defense_evasion discovery ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Brain Cipher

Lockbit family

Braincipher family

Checks computer location settings

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Indicator Removal: File Deletion

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-21 06:46

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-21 06:46

Reported

2025-04-21 06:48

Platform

win10v2004-20250410-en

Max time kernel

103s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"

Signatures

Brain Cipher

ransomware braincipher

Braincipher family

braincipher

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation C:\ProgramData\A7D9.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\A7D9.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\A7D9.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3027557611-1484967174-339164627-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3027557611-1484967174-339164627-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A

Indicator Removal: File Deletion

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\A7D9.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

"C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"

C:\ProgramData\A7D9.tmp

"C:\ProgramData\A7D9.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A7D9.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 172.217.16.67:80 c.pki.goog tcp

Files

memory/512-0-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/512-2-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/512-1-0x0000000002A00000-0x0000000002A10000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3027557611-1484967174-339164627-1000\desktop.ini

MD5 69ffd7c33f4691a203147e1e1942db75
SHA1 ab648aae0d9fd907176a12132509574d075ddb7b
SHA256 5183109229c57ae9fb1f14932dad1acde6369ea2173dcec8ce98604d14aedb4d
SHA512 b8c42858a92b111696648a9cb143a0991c0dc384c43e0b73cfdc980bde1559cbeed017b054b7a9e1d150d7f463a94ef70c3627d16fb2f131217106038617222a

F:\$RECYCLE.BIN\S-1-5-21-3027557611-1484967174-339164627-1000\DDDDDDDDDDD

MD5 0649dd56de9b6f9caadc2fbf70755cb6
SHA1 03ce1503cd3ec9d782ceecc5fbc82cf110941b35
SHA256 6cabdbe194a76c7cd4ca6ad1516d577de55bfc276364fe1b19a2927ed12a1baa
SHA512 a9227c6930e51bce4b29908421d35b087a6b539e14491ee431eecf60c50c102541152bddbfc4d02f25174ea66c0f3aa9715d1e73616e02df59d95be23cd1a07f

C:\flzQgniJJ.README.txt

MD5 3bebb5494e1c3d4753ce92a479e7eda5
SHA1 243685d0515d19210e4e2f354d367be6212e98ff
SHA256 13d69c85aeb5beab58caefaa2cdc257d668f568103a5cebbd98038b3b66b66bd
SHA512 0e31e7bf96fbd6bb91fbe96e59acf96dd0fef5e9db9e93e924afd17fe1066c04b0d9bf9e2d60c335db4f0347107a63d92dfc9ba9b166d2e3151e5440232f63da

C:\ProgramData\A7D9.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/512-3634-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/2244-3640-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/2244-3639-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/2244-3638-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/2244-3637-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/512-3635-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/512-3636-0x0000000002A00000-0x0000000002A10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 e970c5f8e377591b1ec6ceda97897bc9
SHA1 caac1fa8e92b1582b24df6a846c5482cd55c6791
SHA256 74bb9761b0637294f6facc1d9103640b96d22ff3cf115957579a1233ea309a37
SHA512 3006f1ec88fec832de87992a12717ac358e78aaef368bca46fbe42fbdfe1c5d45ab3d2aede25944a361a13afc23e4557093bd736be11bc30a1efe31f6effac36

memory/2244-3669-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/2244-3670-0x000000007FE00000-0x000000007FE01000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-21 06:46

Reported

2025-04-21 06:48

Platform

win11-20250410-en

Max time kernel

103s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"

Signatures

Brain Cipher

ransomware braincipher

Braincipher family

braincipher

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\AE51.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\AE51.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-4239789418-2672923313-1754393631-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4239789418-2672923313-1754393631-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A

Indicator Removal: File Deletion

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\AE51.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

"C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"

C:\ProgramData\AE51.tmp

"C:\ProgramData\AE51.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AE51.tmp >> NUL

Network

Files

memory/5440-0-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/5440-1-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/5440-2-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4239789418-2672923313-1754393631-1000\CCCCCCCCCCC

MD5 792ce97c733d78700ee4108087060fef
SHA1 e18208b0dc3cca5bb8a8e5e719dd0970f3a2a80f
SHA256 2f3179c017c3c193f3d3fdb8ffbe9034425e3a4be296c9e77dc4f525fc2d0967
SHA512 962ff754e81aea50c418964b8f3a00edee11e6ba7fb68f62e4421351f81a557c453b719a1c136cbb94b991259f470c07eb6730248c7181fc178e3e787ce00466

F:\$RECYCLE.BIN\S-1-5-21-4239789418-2672923313-1754393631-1000\DDDDDDDDDDD

MD5 42546b38b5aabeb1cbd129cb0debb898
SHA1 4d6292dd749423691d4c7841ee49fd4d830d9498
SHA256 2b329685ce86afacd031ae11e37b9ddca638d7a271f3f6485d4d9a45f5336ac8
SHA512 97fb33fbcd026bfeefad444db7e4f5ef85aedee83f9889390262b7f065b31cb71558f94a2850cea7c118f7aeb8a19240f17bd51dacd6b6b6851e174aa1031bd4

C:\flzQgniJJ.README.txt

MD5 3bebb5494e1c3d4753ce92a479e7eda5
SHA1 243685d0515d19210e4e2f354d367be6212e98ff
SHA256 13d69c85aeb5beab58caefaa2cdc257d668f568103a5cebbd98038b3b66b66bd
SHA512 0e31e7bf96fbd6bb91fbe96e59acf96dd0fef5e9db9e93e924afd17fe1066c04b0d9bf9e2d60c335db4f0347107a63d92dfc9ba9b166d2e3151e5440232f63da

C:\ProgramData\AE51.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/5468-3571-0x000000007FDF0000-0x000000007FDF1000-memory.dmp

memory/5468-3570-0x000000007FE50000-0x000000007FE51000-memory.dmp

memory/5468-3569-0x0000000002680000-0x0000000002690000-memory.dmp

memory/5468-3568-0x0000000002680000-0x0000000002690000-memory.dmp

memory/5468-3567-0x000000007FE70000-0x000000007FE71000-memory.dmp

memory/5440-3566-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 09dbbdd8e109019972ca73e323fb06eb
SHA1 642884fa2e69a3207d117bef7dd8414c395c7267
SHA256 3d12a0a8d03e2a3e6c0c15e2d681f6468ed732277d1bf7a6e73f5be96b970163
SHA512 945f3a3dabb1e59a8034aabed03dff79bdaf32a40966b067fb50ebffa3afd774363eee188e6fc616b4eff512abd2f985f2054d717e483d54773a7ccb4d6af7dd

memory/5468-3601-0x000000007FE30000-0x000000007FE31000-memory.dmp

memory/5468-3600-0x000000007FE10000-0x000000007FE11000-memory.dmp