File name:	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe
Full analysis:	https://app.any.run/tasks/f1fdefa0-c091-4470-b142-414995c9ac45
Verdict:	Malicious activity
Threats:	LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	August 01, 2025, 03:50:26
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	braincipher ransomware lockbit
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	E990E7571CDB06C5D0F093176CECF414
SHA1:	409FC0816ADBF05AC1586112044401ECB90C8022
SHA256:	A18A6BACC0D8B1DD4544CDF1E178A98A36B575B5BE8B307C27C65455B1307616
SSDEEP:	3072:0mhXodguLP/5qUpfDT6zT73kZdjchgKPv9yRs3wG:MKzEZdgDPv9+GwG

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:09:09 01:27:01+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.12
CodeSize:	99328
InitializedDataSize:	98816
UninitializedDataSize:	-
EntryPoint:	0x1946f
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(3488) ShellExperienceHost.exe	Key:	\REGISTRY\A\{c3b8c95c-b450-521d-fb34-8deb36d59564}\LocalState
Operation:	write	Name:	PeekBadges
Value: 5B005D000000FE5CCD719702DC01
(PID) Process:	(684) SearchApp.exe	Key:	\REGISTRY\A\{3b0e77d5-4cf6-ffa3-0677-11d4fe5d9acc}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_USEREMAIL
Value: 0000A3DB11A69702DC01
(PID) Process:	(684) SearchApp.exe	Key:	\REGISTRY\A\{3b0e77d5-4cf6-ffa3-0677-11d4fe5d9acc}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPETEXT
Value: 0000A3DB11A69702DC01
(PID) Process:	(684) SearchApp.exe	Key:	\REGISTRY\A\{3b0e77d5-4cf6-ffa3-0677-11d4fe5d9acc}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPE
Value: 0000A3DB11A69702DC01
(PID) Process:	(684) SearchApp.exe	Key:	\REGISTRY\A\{3b0e77d5-4cf6-ffa3-0677-11d4fe5d9acc}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPE
Value: 4E006F006E0065000000A3DB11A69702DC01
(PID) Process:	(684) SearchApp.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\A1hdl50UVDh2ZbG324Nx-6fZgntcGnHOs5kHLdmaJYE\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Recognizers
Operation:	write	Name:	DefaultTokenId
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN
(PID) Process:	(684) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	IsMSACloudSearchEnabled
Value: 0
(PID) Process:	(684) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	IsAADCloudSearchEnabled
Value: 0
(PID) Process:	(684) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:	write	Name:	CortanaStateLastRun
Value: E6398C6800000000
(PID) Process:	(684) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting
Operation:	write	Name:	CachedFeatureString
Value:

PID	Process	Filename		Type
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\$Recycle.Bin\S-1-5-18\BBBBBBBBBBB		binary
		MD5:022D602205278D7C98E08A3C0657A379	SHA256:78A4D1CF64554B2DD13AFAEE5A90ABFCB48A942DDA217F695AD256BD0B22E3E9
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\$Recycle.Bin\S-1-5-18\JJJJJJJJJJJ		binary
		MD5:022D602205278D7C98E08A3C0657A379	SHA256:78A4D1CF64554B2DD13AFAEE5A90ABFCB48A942DDA217F695AD256BD0B22E3E9
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\MIuB4Jpci.README.txt		text
		MD5:B4709A56B9D7F431DA172316CDA720BE	SHA256:192D1E6078570865531E8A4C9840A483C4A2AC35FE468107284991F6DA813191
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\$Recycle.Bin\S-1-5-18\MMMMMMMMMMM		binary
		MD5:022D602205278D7C98E08A3C0657A379	SHA256:78A4D1CF64554B2DD13AFAEE5A90ABFCB48A942DDA217F695AD256BD0B22E3E9
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\$Recycle.Bin\S-1-5-18\AAAAAAAAAAA		binary
		MD5:022D602205278D7C98E08A3C0657A379	SHA256:78A4D1CF64554B2DD13AFAEE5A90ABFCB48A942DDA217F695AD256BD0B22E3E9
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\$Recycle.Bin\S-1-5-18\DDDDDDDDDDD		binary
		MD5:022D602205278D7C98E08A3C0657A379	SHA256:78A4D1CF64554B2DD13AFAEE5A90ABFCB48A942DDA217F695AD256BD0B22E3E9
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\$Recycle.Bin\S-1-5-18\HHHHHHHHHHH		binary
		MD5:022D602205278D7C98E08A3C0657A379	SHA256:78A4D1CF64554B2DD13AFAEE5A90ABFCB48A942DDA217F695AD256BD0B22E3E9
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\$Recycle.Bin\S-1-5-18\EEEEEEEEEEE		binary
		MD5:022D602205278D7C98E08A3C0657A379	SHA256:78A4D1CF64554B2DD13AFAEE5A90ABFCB48A942DDA217F695AD256BD0B22E3E9
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\$Recycle.Bin\S-1-5-18\FFFFFFFFFFF		binary
		MD5:022D602205278D7C98E08A3C0657A379	SHA256:78A4D1CF64554B2DD13AFAEE5A90ABFCB48A942DDA217F695AD256BD0B22E3E9
6012	_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe	C:\$Recycle.Bin\S-1-5-18\CCCCCCCCCCC		binary
		MD5:022D602205278D7C98E08A3C0657A379	SHA256:78A4D1CF64554B2DD13AFAEE5A90ABFCB48A942DDA217F695AD256BD0B22E3E9

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6900	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6900	RUXIMICS.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	92.123.104.38:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	2.97 Kb	whitelisted
—	—	GET	200	92.123.104.32:443	https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w	unknown	binary	21.3 Kb	whitelisted
—	—	GET	200	92.123.104.34:443	https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init	unknown	html	132 Kb	whitelisted
—	—	GET	200	92.123.104.32:443	https://www.bing.com/rb/16/jnc,nj/-M-8YWX0KlEtdAHVrkTvKQHOghs.js?bu=Dicwe4sBkgGVAYgBgQGFAcABwwEwuAHGAQ&or=w	unknown	binary	22.0 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6900	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6900	RUXIMICS.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6900	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
google.com	142.250.185.174	whitelisted
crl.microsoft.com	23.216.77.42 23.216.77.6 23.216.77.28 23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
self.events.data.microsoft.com	20.189.173.25	whitelisted
www.bing.com	104.126.37.163 104.126.37.131 104.126.37.128 104.126.37.145 104.126.37.139	whitelisted
login.live.com	40.126.31.71 40.126.31.1 20.190.159.131 20.190.159.64 20.190.159.130 20.190.159.128 20.190.159.68 40.126.31.128	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
slscr.update.microsoft.com	20.165.94.63 52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

General Info

_a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616.exe

E990E7571CDB06C5D0F093176CECF414

409FC0816ADBF05AC1586112044401ECB90C8022

A18A6BACC0D8B1DD4544CDF1E178A98A36B575B5BE8B307C27C65455B1307616

3072:0mhXodguLP/5qUpfDT6zT73kZdjchgKPv9yRs3wG:MKzEZdgDPv9+GwG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Known privilege escalation attack

LOCKBIT icon has been detected

BRAINCIPHER has been detected

Renames files like ransomware

RANSOMWARE has been detected

[YARA] LockBit is detected

SUSPICIOUS

Write to the desktop.ini file (may be used to cloak folders)

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

INFO

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Creates files in the program directory

Creates files or folders in the user directory

Create files in a temporary directory

Reads the software policy settings

Process checks computer location settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings