Analysis Overview
SHA256
5c6a887b673b372ffa7bedf473edf602031b605ebfbe4f715ed0256b4f6da0a1
Threat Level: Known bad
The file LB3_.bin was found to be: Known bad.
Malicious Activity Summary
Lockbit
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Modifies extensions of user files
Checks computer location settings
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-08 19:16
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-08 19:16
Reported
2023-02-08 19:19
Platform
win7-20221111-en
Max time kernel
128s
Max time network
99s
Command Line
Signatures
Lockbit
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\DisconnectUnregister.tiff => C:\Users\Admin\Pictures\DisconnectUnregister.tiff.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnterStart.tiff => C:\Users\Admin\Pictures\EnterStart.tiff.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResetSave.tif => C:\Users\Admin\Pictures\ResetSave.tif.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisconnectUnregister.tiff | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BackupSet.tif.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisconnectUnregister.tiff.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnterStart.tiff | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnterStart.tiff.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResetSave.tif.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupSet.tif => C:\Users\Admin\Pictures\BackupSet.tif.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\361F.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\361F.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\361F.tmp | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon\ = "C:\\ProgramData\\HoBZnAfiW.ico" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW\ = "HoBZnAfiW" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\361F.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 964 wrote to memory of 1544 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | C:\ProgramData\361F.tmp |
| PID 1544 wrote to memory of 1220 | N/A | C:\ProgramData\361F.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\LB3_.exe
"C:\Users\Admin\AppData\Local\Temp\LB3_.exe"
C:\ProgramData\361F.tmp
"C:\ProgramData\361F.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\361F.tmp >> NUL
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-08 19:16
Reported
2023-02-08 19:19
Platform
win10v2004-20220901-en
Max time kernel
90s
Max time network
152s
Command Line
Signatures
Lockbit
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\PublishLimit.raw => C:\Users\Admin\Pictures\PublishLimit.raw.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PublishLimit.raw.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncImport.raw => C:\Users\Admin\Pictures\SyncImport.raw.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SyncImport.raw.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompleteSplit.raw => C:\Users\Admin\Pictures\CompleteSplit.raw.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompleteSplit.raw.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DenyOptimize.crw => C:\Users\Admin\Pictures\DenyOptimize.crw.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DenyOptimize.crw.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\7D.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\7D.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\HoBZnAfiW.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\7D.tmp | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon\ = "C:\\ProgramData\\HoBZnAfiW.ico" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.HoBZnAfiW\ = "HoBZnAfiW" | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HoBZnAfiW\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\7D.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4868 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3_.exe | C:\ProgramData\7D.tmp |
| PID 5096 wrote to memory of 996 | N/A | C:\ProgramData\7D.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\LB3_.exe
"C:\Users\Admin\AppData\Local\Temp\LB3_.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\ProgramData\7D.tmp
"C:\ProgramData\7D.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7D.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| NL | 104.80.225.205:443 | | tcp |
| US | 20.189.173.4:443 | | tcp |
| US | 8.253.183.120:80 | | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\QQQQQQQQQQQ
| MD5 | ae8f938fe1d8af419e4d2271d32f4f8f |
| SHA1 | 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a |
| SHA256 | 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83 |
| SHA512 | a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e |
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\RRRRRRRRRRR
| MD5 | ae8f938fe1d8af419e4d2271d32f4f8f |
| SHA1 | 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a |
| SHA256 | 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83 |
| SHA512 | a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e |
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\GGGGGGGGGGG
| MD5 | ae8f938fe1d8af419e4d2271d32f4f8f |
| SHA1 | 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a |
| SHA256 | 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83 |
| SHA512 | a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e |
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\PPPPPPPPPPP
| MD5 | ae8f938fe1d8af419e4d2271d32f4f8f |
| SHA1 | 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a |
| SHA256 | 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83 |
| SHA512 | a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e |
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini
| MD5 | ae8f938fe1d8af419e4d2271d32f4f8f |
| SHA1 | 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a |
| SHA256 | 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83 |
| SHA512 | a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e |
memory/5096-158-0x0000000000000000-mapping.dmp
C:\ProgramData\7D.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\ProgramData\7D.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/996-161-0x0000000000000000-mapping.dmp
memory/5096-162-0x0000000000400000-0x0000000000407000-memory.dmp
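The dropped-files listing above repeats the same four digests for every `$Recycle.Bin` entry and lists `C:\ProgramData\7D.tmp` twice, so it is more useful to a responder once it is collapsed into a set of unique content hashes with the paths that carry each one. The script below is an added example for this page, not tooling from the sandbox vendor or part of the report: it parses the listing format used here (a path line followed by `| ALGO | hex |` rows, with bare `memory/...dmp` lines in between), rejects digests of the wrong length for their algorithm, groups paths by SHA256 and flags the repeated-letter file names seen in the Recycle Bin. The sample input is constructed from a handful of entries on this page; `looks_like_filler_name` is a hypothetical name-shape heuristic, not a documented LockBit indicator.

```python
"""Collapse a sandbox dropped-files listing into unique IOCs (added example)."""
import re
from collections import defaultdict

# Expected hex length per algorithm; a mismatch usually means a truncated
# or mangled digest that should not be pushed to a blocklist as-is.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMDUMP = re.compile(
    r"^memory/\d+-\d+-0x[0-9a-fA-F]+(?:-0x[0-9a-fA-F]+)?-(?:mapping|memory)\.dmp$"
)
# Hypothetical heuristic: final path component is one letter repeated 5+ times.
FILLER = re.compile(r"\\([A-Z])\1{4,}$")

# Constructed sample: entries copied from the listing on this page.
SAMPLE = r"""
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\MMMMMMMMMMM
| MD5 | ae8f938fe1d8af419e4d2271d32f4f8f |
| SHA1 | 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a |
| SHA256 | 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83 |
| SHA512 | a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e |
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\LLLLLLLLLLL
| MD5 | ae8f938fe1d8af419e4d2271d32f4f8f |
| SHA1 | 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a |
| SHA256 | 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83 |
| SHA512 | a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e |
C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini
| MD5 | ae8f938fe1d8af419e4d2271d32f4f8f |
| SHA1 | 19aaab059b54fcdac9ee9ff73a4b14b94ca63e7a |
| SHA256 | 689529d01cd3fc0ca146ad2a37c32457abc62993629667f16d397aee779afc83 |
| SHA512 | a7ddb5027dccabaa241104763344c8ea7a24dba9bc1dd84c1b1e389575fa54f6da6299cf7dc14d6ace5d52f7ea87df7ebfa209cceab342d95b3fc34175cd364e |
memory/5096-158-0x0000000000000000-mapping.dmp
C:\ProgramData\7D.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\ProgramData\7D.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
memory/5096-162-0x0000000000400000-0x0000000000407000-memory.dmp
"""


def parse_listing(text):
    """Return (files, memdumps); files is a list of {"path", "hashes"} dicts."""
    files, memdumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current["hashes"][algo] = digest
        elif MEMDUMP.match(line):
            memdumps.append(line)
            current = None  # a dump line ends the current file's hash rows
        else:
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, memdumps


def group_by_sha256(files):
    """Map each SHA256 to the sorted, de-duplicated paths that carry it."""
    groups = defaultdict(set)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha is None:
            raise ValueError(f"no SHA256 for {f['path']}")
        groups[sha].add(f["path"])
    return {sha: sorted(paths) for sha, paths in groups.items()}


def looks_like_filler_name(path):
    """True for names like ...\MMMMMMMMMMM (hypothetical heuristic)."""
    return FILLER.search(path) is not None


def summarize(text):
    files, memdumps = parse_listing(text)
    groups = group_by_sha256(files)
    return {
        "unique_sha256": sorted(groups),
        "paths_per_hash": {sha: len(paths) for sha, paths in groups.items()},
        "filler_paths": [f["path"] for f in files if looks_like_filler_name(f["path"])],
        "memdumps": memdumps,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Feed it the full listing rather than the sample and the `paths_per_hash` count for `689529d0...` tells you how many distinct Recycle Bin files share one content hash, which is the number worth recording alongside the hash itself; the length check matters because a SHA512 copied from a rendered table is the digest most often cut short.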