Malware Analysis Report

2025-06-15 20:11

Sample ID 230308-y6plvafg6z
Target LB3.bin.exe
SHA256 7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e

Threat Level: Known bad

The file LB3.bin.exe was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Lockbit

Modifies extensions of user files

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Sets desktop wallpaper using registry

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Uses Volume Shadow Copy service COM API

Modifies registry class

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies Control Panel

Analysis: static1

Detonation Overview

Reported

2023-03-08 20:24

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 20:24

Reported

2023-03-08 20:26

Platform

win7-20230220-en

Max time kernel

75s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\AddUnpublish.png => C:\Users\Admin\Pictures\AddUnpublish.png.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\ExitResolve.crw => C:\Users\Admin\Pictures\ExitResolve.crw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\GrantInitialize.png => C:\Users\Admin\Pictures\GrantInitialize.png.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\GrantInitialize.png.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\GrantRead.png.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\StartComplete.raw => C:\Users\Admin\Pictures\StartComplete.raw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\AddUnpublish.png.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExitResolve.crw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\GrantRead.png => C:\Users\Admin\Pictures\GrantRead.png.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\StartComplete.raw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\784C.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\784C.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\zvV4dTvWn.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\zvV4dTvWn.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
N/A N/A C:\ProgramData\784C.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon\ = "C:\\ProgramData\\zvV4dTvWn.ico" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn\ = "zvV4dTvWn" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe C:\ProgramData\784C.tmp
PID 2032 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe C:\ProgramData\784C.tmp
PID 2032 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe C:\ProgramData\784C.tmp
PID 2032 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe C:\ProgramData\784C.tmp
PID 2032 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe C:\ProgramData\784C.tmp
PID 1604 wrote to memory of 436 N/A C:\ProgramData\784C.tmp C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 436 N/A C:\ProgramData\784C.tmp C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 436 N/A C:\ProgramData\784C.tmp C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 436 N/A C:\ProgramData\784C.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe"

C:\ProgramData\784C.tmp

"C:\ProgramData\784C.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\784C.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150
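The behavioral1 signatures and process list above describe a small, repeatable pattern: many user files renamed with one appended extension (.zvV4dTvWn), a file class and DefaultIcon registered for that extension, the wallpaper swapped for C:\ProgramData\zvV4dTvWn.bmp, a zvV4dTvWn.README.txt note, and an injection chain LB3.bin.exe (PID 2032) to 784C.tmp (PID 1604) to cmd.exe (PID 436) that deletes the helper. The following Python is an added triage example, not sandbox output or LockBit code. Its event records are constructed by hand from the indicator rows in this report; their shape (tuples and dicts rather than a real EDR schema), the "(Default)" spelling for the unnamed registry value, the constructed benign rename, and the threshold of three files are assumptions of the example.

```python
"""Triage checks for the LockBit 3.0 behaviours in this report. Added example, not
sandbox or LockBit code: the records below are constructed by hand from the
behavioral1 indicator rows, and their shape (tuples/dicts) is an assumption."""
import re
from collections import Counter

# "File renamed" rows as (old, new), plus one constructed benign rename
# (a temp file being finalised) that must NOT trigger the heuristic.
RENAMES = [
    (r"C:\Users\Admin\Pictures\AddUnpublish.png", r"C:\Users\Admin\Pictures\AddUnpublish.png.zvV4dTvWn"),
    (r"C:\Users\Admin\Pictures\ExitResolve.crw", r"C:\Users\Admin\Pictures\ExitResolve.crw.zvV4dTvWn"),
    (r"C:\Users\Admin\Pictures\GrantInitialize.png", r"C:\Users\Admin\Pictures\GrantInitialize.png.zvV4dTvWn"),
    (r"C:\Users\Admin\Pictures\StartComplete.raw", r"C:\Users\Admin\Pictures\StartComplete.raw.zvV4dTvWn"),
    (r"C:\Users\Admin\Pictures\GrantRead.png", r"C:\Users\Admin\Pictures\GrantRead.png.zvV4dTvWn"),
    (r"C:\Users\Admin\Documents\report.docx.tmp", r"C:\Users\Admin\Documents\report.docx"),
]
# "Set value" rows keyed by path; "(Default)" is the unnamed default value that
# the report writes as a trailing backslash.
REG_SETS = {
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn\(Default)": "zvV4dTvWn",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon\(Default)": r"C:\ProgramData\zvV4dTvWn.ico",
    r"\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallPaper": r"C:\ProgramData\zvV4dTvWn.bmp",
}
CREATED_FILES = [r"C:\zvV4dTvWn.README.txt", r"C:\ProgramData\784C.tmp"]
# "PID X wrote to memory of Y" rows and the Processes list.
WRITES = [(2032, 1604), (1604, 436)]
IMAGES = {2032: r"C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe",
          1604: r"C:\ProgramData\784C.tmp", 436: r"C:\Windows\SysWOW64\cmd.exe"}
CMDLINES = {436: r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\784C.tmp >> NUL'}
SELF_DELETE = re.compile(r'cmd\.exe"?\s+/c\s+del\s+(?:/\w\s+)*(?P<target>\S+)', re.I)

def appended_suffix(old, new):
    """Extension appended to an otherwise unchanged name, or None."""
    if new.lower().startswith(old.lower() + "."):
        suffix = new[len(old) + 1:]
        if suffix and "." not in suffix and "\\" not in suffix:
            return suffix
    return None

def dominant_suffix(renames, min_files=3):
    """One suffix appended to at least min_files different files, else None."""
    counts = Counter(s for s in (appended_suffix(o, n) for o, n in renames) if s)
    if not counts:
        return None
    suffix, n = counts.most_common(1)[0]
    return suffix if n >= min_files else None

def corroborate(suffix, reg_sets, created_files):
    """Artefacts the report shows being built around the new extension."""
    reg = {k.lower(): v.lower() for k, v in reg_sets.items()}
    s = suffix.lower()
    hits = []
    if reg.get(rf"\registry\machine\software\classes\.{s}\(default)") == s:
        hits.append("file class registered for new extension")
    if reg.get(rf"\registry\machine\software\classes\{s}\defaulticon\(default)", "").endswith(f"\\{s}.ico"):
        hits.append("DefaultIcon points at <ext>.ico")
    wallpaper = next((v for k, v in reg.items() if k.endswith(r"\control panel\desktop\wallpaper")), "")
    if wallpaper.endswith(f"\\{s}.bmp"):
        hits.append("wallpaper replaced with <ext>.bmp")
    if any(p.lower().endswith(f"\\{s}.readme.txt") for p in created_files):
        hits.append("ransom note <ext>.README.txt dropped")
    return hits

def injection_chain(writes, root):
    """Follow WriteProcessMemory edges from root, e.g. [2032, 1604, 436]."""
    chain, cur = [root], root
    while True:
        nxt = [dst for src, dst in writes if src == cur and dst not in chain]
        if not nxt:
            return chain
        cur = nxt[0]
        chain.append(cur)

def is_self_delete(parent_image, child_cmdline):
    """cmd.exe child deleting a file named like the parent's image."""
    # Only file names are compared: the report's command line uses the 8.3
    # short name C:\PROGRA~3 for C:\ProgramData, and short names vary per host.
    m = SELF_DELETE.search(child_cmdline)
    if not m:
        return False
    target = m.group("target").rsplit("\\", 1)[-1].lower()
    return target == parent_image.rsplit("\\", 1)[-1].lower()

def triage(renames=RENAMES, reg_sets=REG_SETS, created=CREATED_FILES,
           writes=WRITES, images=IMAGES, cmdlines=CMDLINES, root=2032):
    """Combine the checks into one verdict dict."""
    suffix = dominant_suffix(renames)
    chain = injection_chain(writes, root)
    self_delete = any(is_self_delete(images[chain[i]], cmdlines.get(chain[i + 1], ""))
                      for i in range(len(chain) - 1))
    evidence = corroborate(suffix, reg_sets, created) if suffix else []
    verdict = "ransomware" if suffix and len(evidence) >= 2 else "inconclusive"
    return {"extension": suffix, "evidence": evidence, "chain": chain,
            "self_delete": self_delete, "verdict": verdict}

if __name__ == "__main__":
    print(triage())
```

Two caveats the report itself illustrates: the registry is case-insensitive (the rows show both WallPaper and Wallpaper for the same value), so every registry comparison above lowercases both sides; and the self-delete command refers to the helper as C:\PROGRA~3\784C.tmp while the dropped-file list places it at C:\ProgramData\784C.tmp, so matching on the full path would miss it unless 8.3 names are resolved on the host.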

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\JJJJJJJJJJJ

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\OOOOOOOOOOO

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\KKKKKKKKKKK

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\LLLLLLLLLLL

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\MMMMMMMMMMM

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\NNNNNNNNNNN

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\AAAAAAAAAAA

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\BBBBBBBBBBB

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\CCCCCCCCCCC

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\DDDDDDDDDDD

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\EEEEEEEEEEE

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\FFFFFFFFFFF

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\GGGGGGGGGGG

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\HHHHHHHHHHH

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\IIIIIIIIIII

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\PPPPPPPPPPP

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\zvV4dTvWn.README.txt

MD5 8b4e923bc738bcbbffb8c99328117048
SHA1 9c9a73cb698db45e3fa1a1b8d4b0dc708d18d452
SHA256 ff1743a76e90714d58140ee8cca30df67d4e9c96590e454d03ee6d94e108816a
SHA512 7f484b197b74f7e235d1ddf85a0a47341175a71a8220e25b96a40713ff0f5bbf005458224eb999af3921b9ee5525d65bd96e65b74f3539fab9b3e1d38cd24f7b

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\QQQQQQQQQQQ

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\RRRRRRRRRRR

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

memory/2032-204-0x0000000000D70000-0x0000000000DB0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\SSSSSSSSSSS

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

memory/2032-249-0x0000000000D70000-0x0000000000DB0000-memory.dmp

memory/2032-206-0x0000000000D70000-0x0000000000DB0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\TTTTTTTTTTT

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\UUUUUUUUUUU

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\VVVVVVVVVVV

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\WWWWWWWWWWW

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\XXXXXXXXXXX

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\YYYYYYYYYYY

MD5 a2c6360b3e2cb0101254088a75596363
SHA1 cd0874114d27151ef1b5ea061a48fd003c0488d7
SHA256 77cdd8d6a2decb2f9426c7ffc366dfca89dda3636e11f331c09e9f39282d5239
SHA512 64176f74028013acbf6952298739bb9a685e5d750ed04fc092217eb4104f2c2ae7f9feea11f3fa2f43cab9d8bcbb086cfd400f8e62ae1625b9e5ea8dc31b2186

\ProgramData\784C.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\784C.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDD

MD5 0a631b775d79a21d48e9599834e2a2e0
SHA1 d901a054bda90445a8adf604976dc7fc4cf32887
SHA256 f5fa33bad462c53405715226e056e685d2c113a9e6db23e3b7cde72259d4c50b
SHA512 c3e3161c75b39dc1618a7e3c54a062662fd2d3a457684c58df356f65036f6d94940515d81aae6cb02bb3e326ab83a466c5a8c08d22574249ee7bc748c598342e

memory/1604-895-0x0000000000475000-0x0000000000493000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 20:24

Reported

2023-03-08 20:26

Platform

win10v2004-20230220-en

Max time kernel

111s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\SelectBlock.tif.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\ExportRestore.raw => C:\Users\Admin\Pictures\ExportRestore.raw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExportRestore.raw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReadSearch.tiff.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\OpenResolve.crw => C:\Users\Admin\Pictures\OpenResolve.crw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\ReadSearch.tiff => C:\Users\Admin\Pictures\ReadSearch.tiff.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromBackup.png => C:\Users\Admin\Pictures\ConvertFromBackup.png.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertFromBackup.png.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\NewSend.raw => C:\Users\Admin\Pictures\NewSend.raw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\GrantOut.tif => C:\Users\Admin\Pictures\GrantOut.tif.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\OpenResolve.crw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ProtectSearch.raw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ReadSearch.tiff C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\SelectBlock.tif => C:\Users\Admin\Pictures\SelectBlock.tif.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\GrantOut.tif.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\NewSend.raw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectSearch.raw => C:\Users\Admin\Pictures\ProtectSearch.raw.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\ProgramData\14E1.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\14E1.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP5_nolj735masavn8ykq2mr2k.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPfxpdmjdd_rk3uej8icjtn2q_b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP3ln458h_f5mrp217o3c02sf_c.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\zvV4dTvWn.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\zvV4dTvWn.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
N/A N/A C:\ProgramData\14E1.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn\ = "zvV4dTvWn" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon\ = "C:\\ProgramData\\zvV4dTvWn.ico" C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A (64 identical events; the sandbox records no indicator or target for process enumeration)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege, LUID 36, left unresolved by the sandbox) N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege, LUID 33, left unresolved by the sandbox) N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe N/A
(the four rows above repeat 11 times in sequence, followed by one final SeBackupPrivilege row: 45 adjustments in all)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3C153C66-2D31-4ABF-82A6-3727ABAEDAA2}.xps" 133227842740610000

C:\ProgramData\14E1.tmp

"C:\ProgramData\14E1.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\14E1.tmp >> NUL
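
The last three entries above are a self-deletion chain: the sample drops and runs C:\ProgramData\14E1.tmp, which spawns cmd.exe to delete it, with the output sent to NUL. The image path is SysWOW64\cmd.exe while the command line names System32\cmd.exe, the usual WOW64 file-system redirection when a 32-bit process launches cmd.exe. The Python below is an added example, not part of the report: it runs two checks over constructed Sysmon-style process-creation records (Image, CommandLine, ParentImage) built from the command lines above plus one benign cmd.exe record. The parent-child links, the explorer.exe parent of LB3.bin.exe and the benign record are assumptions of the example; the report lists the processes flat, and the chain is inferred from their order and from the "Executes dropped EXE" and "Deletes itself" signatures in the overview.

```python
import ntpath
import re

# Constructed records in the shape of a Sysmon process-creation event (Event ID 1).
# Values come from the process list above; parent links are assumed.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},  # parent assumed for the sample
    {"Image": r"C:\ProgramData\14E1.tmp",
     "CommandLine": r'"C:\ProgramData\14E1.tmp"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\LB3.bin.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\14E1.tmp >> NUL',
     "ParentImage": r"C:\ProgramData\14E1.tmp"},
    {"Image": r"C:\Windows\System32\cmd.exe",  # benign contrast record (constructed)
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\build\out.obj',
     "ParentImage": r"C:\Program Files\Git\usr\bin\bash.exe"},
]

# cmd.exe /C DEL [switches] <target> ... with stdout redirected to NUL. The target
# may use the 8.3 short name of ProgramData (PROGRA~3), as the report's command line does.
_DEL_TO_NUL = re.compile(
    r"/c\s+del\s+(?:/[fqas]\s+)*(?P<target>\S+).*?>>?\s*nul\b", re.IGNORECASE)
_PROGRAMDATA = re.compile(r"^[a-z]:\\(?:programdata|progra~\d)\\", re.IGNORECASE)


def is_programdata_path(path):
    """True for paths under C:\ProgramData in either long or 8.3 short form."""
    return bool(_PROGRAMDATA.match(path))


def find_self_delete_chains(events):
    """Return (parent_image, command_line) for every cmd.exe DEL-to-NUL whose
    target file name is the file name of the process that spawned cmd.exe,
    i.e. a dropped executable deleting itself through a child shell."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() != "cmd.exe":
            continue
        m = _DEL_TO_NUL.search(ev["CommandLine"])
        if not m:
            continue
        target = m.group("target").strip('"')
        same_file = ntpath.basename(target).lower() == ntpath.basename(ev["ParentImage"]).lower()
        if same_file and is_programdata_path(target):
            hits.append((ev["ParentImage"], ev["CommandLine"]))
    return hits


def find_tmp_executables(events):
    """Return (image, parent_image) for every image with a .tmp extension
    executed from ProgramData; executables normally do not carry that extension."""
    return [(ev["Image"], ev["ParentImage"]) for ev in events
            if ev["Image"].lower().endswith(".tmp") and is_programdata_path(ev["Image"])]


if __name__ == "__main__":
    for image, parent in find_tmp_executables(SAMPLE_PROCESS_EVENTS):
        print(f".tmp executed: {image} (parent {parent})")
    for parent, cmdline in find_self_delete_chains(SAMPLE_PROCESS_EVENTS):
        print(f"self-delete: {parent} -> {cmdline}")
```

Both checks fire on the 14E1.tmp records and neither on the benign DEL from a build shell, which lacks the NUL redirection and targets a user directory. Matching on the basename rather than the full path is deliberate: the DEL target uses the PROGRA~3 short name while the parent image is recorded with the long path.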

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FR 40.79.141.152:443 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 191.88.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 93.184.220.29:80 tcp

Files

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\DDDDDDDDDDD
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\FFFFFFFFFFF
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\EEEEEEEEEEE
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\AAAAAAAAAAA
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\HHHHHHHHHHH
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\TTTTTTTTTTT
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\YYYYYYYYYYY
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\WWWWWWWWWWW
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\UUUUUUUUUUU
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\XXXXXXXXXXX
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\PPPPPPPPPPP
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\OOOOOOOOOOO
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\IIIIIIIIIII
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\NNNNNNNNNNN
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\MMMMMMMMMMM
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\LLLLLLLLLLL
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\KKKKKKKKKKK
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\JJJJJJJJJJJ
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\VVVVVVVVVVV
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\SSSSSSSSSSS
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\RRRRRRRRRRR
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\QQQQQQQQQQQ
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\GGGGGGGGGGG
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\CCCCCCCCCCC
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\BBBBBBBBBBB
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini

The 26 files above (25 files named with a single letter repeated eleven times, A through Y, plus desktop.ini; DDDDDDDDDDD appears twice in the sandbox's file list) have identical content and therefore one set of hashes:

MD5 8ae0015af9769fe3117de9ecec34a3d3
SHA1 50db1d9cdb6114b66ab39d59eae11157002489da
SHA256 861625062a06e02158646d871613c08e10a27c60f12eabbfe13e609d1d2690d7
SHA512 f491530e840093d381e41d3e5fe8a8d37ab0436f1c36df32825ea39648cf3ceed7dc113c4d7b7b6d5ee9ea3d82ec817ca71f69453e968f332c01ca7132f944b1

memory/1728-188-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/1728-189-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/1728-190-0x00000000027C0000-0x00000000027D0000-memory.dmp

C:\Users\Admin\zvV4dTvWn.README.txt

MD5 f4e01cd4975c53fcef0a39e1ea62d5f6
SHA1 da71928ed66f13c51bf688d17bf656ec401dbe86
SHA256 b5d5c3d25cdf958476bc0f8653092a7254d11742f7cd7bc2fb9057be7df08718
SHA512 f60af1776b953a4219d6d1b9d753868e2713d6a3041b9b94fa13285d986333e50263b554d65c5f240c72bb5ea4dced5215344e7b632145df25b735f724be1bad

memory/1728-2862-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/1728-2863-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/1728-2864-0x00000000027C0000-0x00000000027D0000-memory.dmp

C:\ProgramData\14E1.tmp (appears twice in the sandbox's file list)

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\FFFFFFFFFFF

MD5 38cf85057a8f07debd9687fab2d9bf87
SHA1 9dd1c877721212c47bfb213fa253db24a214646e
SHA256 2d56e45e3d9fca00da43346f7361db370a5ce62f34f1772b9e532f04d7445634
SHA512 a482970074c9ed80340f05ac938eab8bc292d2c026c629a810e17f5b8da24412b06f40550072a7def6cad476581dc369424f9fc5354e5262e67805dc689e0996

memory/4776-2908-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

memory/4776-2910-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

memory/4776-2909-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

memory/4776-2911-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

memory/4776-2912-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

memory/4776-2913-0x00007FFFB6230000-0x00007FFFB6240000-memory.dmp

memory/4776-2914-0x00007FFFB6230000-0x00007FFFB6240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{8DFE9470-140F-44EF-985B-21C5F6F44F1F}

MD5 78bb63755a394f5b7a10856871467e06
SHA1 39375b73d6b8765ea5fe230555d7769487578390
SHA256 2fd16d468a35a10d87bde25b3cdaab32810f3f43ef4aa27b10d6ef1f79600956
SHA512 959a38058fd7ef14867fa3b49448ef0e63ae1f8e1b032ecc8a3b9260ecbe4435d6d89c88c81d1bcf09401379b87d59ddbe3e57fb96dd1b0b0ecd169d7aa70c63

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 2d2b9f40979d00417f3b5da96595d1d3
SHA1 2d75e843892dd45da1d4d0cb68bf6762a21054ba
SHA256 2bb09eb4ca62b7b1912811e6228593efdc7c6e9633320ef484aa5a8a742ccda5
SHA512 c24de92ac9c95eeabc11e0c25bb50ed84fd667426e1e90ad4395ea3c4e971ddcf21b3f11e79d967cf252459b2ea6727ce3541bfa6820fda92843e6e3ae94bfac