Malware Analysis Report

2025-06-15 20:14

Sample ID 230308-y6zrtagh32
Target LB3.bin
SHA256 7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a59f387a926696968bea7c8f891e79d7410c989bd6f20b77a3e5a2a29f0363e

Threat Level: Known bad

The file LB3.bin was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit

Modifies extensions of user files

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 20:24

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 20:24

Reported

2023-03-08 20:27

Platform

win7-20230220-en

Max time kernel

74s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\RedoJoin.png.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\TraceUnpublish.tiff | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\TraceUnpublish.tiff => C:\Users\Admin\Pictures\TraceUnpublish.tiff.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\TraceUnpublish.tiff.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CompareGroup.raw.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\MergeRepair.tiff => C:\Users\Admin\Pictures\MergeRepair.tiff.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MergeRepair.tiff.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\RedoJoin.png => C:\Users\Admin\Pictures\RedoJoin.png.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompareGroup.raw => C:\Users\Admin\Pictures\CompareGroup.raw.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MergeRepair.tiff | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\53BC.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\53BC.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3948302646-268491222-1934009652-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\zvV4dTvWn.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\zvV4dTvWn.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
N/A | N/A | C:\ProgramData\53BC.tmp | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn\ = "zvV4dTvWn" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon\ = "C:\\ProgramData\\zvV4dTvWn.ico" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2036 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\53BC.tmp
PID 1248 wrote to memory of 524 | N/A | C:\ProgramData\53BC.tmp | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\ProgramData\53BC.tmp

"C:\ProgramData\53BC.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\53BC.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3948302646-268491222-1934009652-1000\desktop.ini

MD5 9908080cac7a026e60a85576869e52a3
SHA1 3f07a8f02ccd5ef60eb7d4fa192608149380ec30
SHA256 8025c0576f25d8c22d78a08d3abfff27a332f1bd90b117765141b22144544c37
SHA512 8c25e99412b77293f1eb2b3600d694a4cb681ff1bc00801ec88626d07dde22ee12fc126ace0e0a312086fd6e7df1fbafe88fc5d677bd826703cf8b8ecf41383c

C:\zvV4dTvWn.README.txt

MD5 88084f354b3823caa2cc27e996d78807
SHA1 f1797e83c6e3036829999bc8b301af97cdd68dae
SHA256 ec2ce1948ed1d1ae101dc875dbd12360df12b6ce4355c21b8a95776f9ff0ef6e
SHA512 873ee8ad0cdf9861d5ccc78e8c7e3997254bc54730e39e92db856199bbfd9c94bfdd48e2419480db3624c4bcba8d0b1cfaa65e3be8143c5d50d39965c171dea9

memory/2036-242-0x00000000023A0000-0x00000000023E0000-memory.dmp

memory/2036-234-0x00000000023A0000-0x00000000023E0000-memory.dmp

\ProgramData\53BC.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\53BC.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 6d6048f464f8ffa3701a8122bb96a58f
SHA1 73daf7283581bf7f7cfffa3278d1cce5a2a10e08
SHA256 fcfeed2e657251dc2b14ab89fb5a9f001d24a078580229c9b4e480a3cfaab0cf
SHA512 543e2f852aeaade0023be54ebf75311f32fe062898f94c5f9c1e3b2c47bbe4e6cb11433035cfe6cfcb84a00ae6512b4f82340fda427aa1919a10dc8f96948dd3

memory/1248-921-0x0000000000305000-0x0000000000323000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 20:24

Reported

2023-03-08 20:27

Platform

win10v2004-20230221-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\LockNew.tiff.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CompareNew.crw.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\DismountUnlock.tif.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExpandProtect.raw => C:\Users\Admin\Pictures\ExpandProtect.raw.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\LockNew.tiff | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\LockNew.tiff => C:\Users\Admin\Pictures\LockNew.tiff.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\BlockConfirm.crw.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MountApprove.tif.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ExportOut.png.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\BlockConfirm.crw => C:\Users\Admin\Pictures\BlockConfirm.crw.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompareNew.crw => C:\Users\Admin\Pictures\CompareNew.crw.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\DismountUnlock.tif => C:\Users\Admin\Pictures\DismountUnlock.tif.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ExpandProtect.raw.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExportOut.png => C:\Users\Admin\Pictures\ExportOut.png.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
File renamed | C:\Users\Admin\Pictures\MountApprove.tif => C:\Users\Admin\Pictures\MountApprove.tif.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\ProgramData\A9DD.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\A9DD.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\PP_wybvt2b_vf6fge9gf2ho97f.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP2o968tbncll_4chlz90p6r3n.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PP0s6ru48som40xv1gieg_v7ejd.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\zvV4dTvWn.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\zvV4dTvWn.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
N/A | N/A | C:\ProgramData\A9DD.tmp | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon\ = "C:\\ProgramData\\zvV4dTvWn.ico" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zvV4dTvWn\ = "zvV4dTvWn" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\zvV4dTvWn\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9164A15A-7EB7-46A6-BFB0-9610A936262A}.xps" 133227843436640000

C:\ProgramData\A9DD.tmp

"C:\ProgramData\A9DD.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A9DD.tmp >> NUL

Network

Country Destination Domain Proto
US 8.248.1.254:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 32.18.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 141.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 142.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\BBBBBBBBBBB

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\AAAAAAAAAAA

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\CCCCCCCCCCC

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\EEEEEEEEEEE

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\FFFFFFFFFFF

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\LLLLLLLLLLL

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\IIIIIIIIIII

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\MMMMMMMMMMM

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\KKKKKKKKKKK

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\JJJJJJJJJJJ

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\GGGGGGGGGGG

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\HHHHHHHHHHH

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

memory/3088-163-0x0000000003250000-0x0000000003260000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\SSSSSSSSSSS

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\TTTTTTTTTTT

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\UUUUUUUUUUU

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\YYYYYYYYYYY

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\XXXXXXXXXXX

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\VVVVVVVVVVV

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\WWWWWWWWWWW

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

memory/3088-178-0x0000000003250000-0x0000000003260000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\QQQQQQQQQQQ

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\RRRRRRRRRRR

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\PPPPPPPPPPP

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\OOOOOOOOOOO

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\NNNNNNNNNNN

MD5 55951c96a5d0c8bb3dd83f70e1da6960
SHA1 e181b588b6487816b28d30abb3548f34951ccf23
SHA256 2614e8d6b0b573f69c4586341ee6a434d7f7197661feeb70508ead36e9090a2a
SHA512 2c5c7074d961053f9177d1190bd816a5a7f08289327a91f500fa462e046d3d370870bf5ade7f2f84a88c2174a544a71d85f06d4aff2a7720160bd7ac15e35614

memory/3088-165-0x0000000003250000-0x0000000003260000-memory.dmp

C:\zvV4dTvWn.README.txt

MD5 319938053272b30c649b9fe0acc209ff
SHA1 16a8c4bb0c587c9a6881a8411eedd849fa975361
SHA256 3d9c1bce282cb1fd67d84dc5f530aa2c42bc10c9c4f60854ff9e5c51ba054ea4
SHA512 250f54281f4689a7c929a3260fc776e7139ae96aab06a64877ccd371b6ca8816628583250cd415047ec64c0c7c30c285f542d554d9c650ecbff85d101c256f2f

memory/3088-2222-0x0000000003250000-0x0000000003260000-memory.dmp

memory/3088-2223-0x0000000003250000-0x0000000003260000-memory.dmp

memory/3088-2224-0x0000000003250000-0x0000000003260000-memory.dmp

C:\ProgramData\A9DD.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\LB3.exe

MD5 44d283b0e3456c627eee66f289a8abdd
SHA1 7399efa0c8363c520bf0ab9b6bc90098124b3cdf
SHA256 610fc6d8384685d08052682b2c57ed6d866c6c0dc0bc27f1aa8ac65d5ff14ca2
SHA512 005a1ea408476e8c65ecf5dabd4f298f5a2c4fd0015af2cd04dc33c43589529449c5d0bf8d11030be0a0d8a527d46cda2702383b97bfdedee696fb23f9aebd60

memory/1416-2895-0x00007FF8DEE70000-0x00007FF8DEE80000-memory.dmp

memory/1416-2896-0x00007FF8DEE70000-0x00007FF8DEE80000-memory.dmp

memory/1416-2897-0x00007FF8DEE70000-0x00007FF8DEE80000-memory.dmp

memory/1416-2898-0x00007FF8DEE70000-0x00007FF8DEE80000-memory.dmp

memory/1416-2899-0x00007FF8DEE70000-0x00007FF8DEE80000-memory.dmp

memory/1416-2900-0x00007FF8DC540000-0x00007FF8DC550000-memory.dmp

memory/1416-2901-0x00007FF8DC540000-0x00007FF8DC550000-memory.dmp

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 8031f96b51aad7be70f46bb54347bff4
SHA1 6bf7ffcb83a8cf3424f9168df0b766c863908a65
SHA256 fa162a0f67a26ae017be6a28a3f2082b47f8483b271c80189b72df3ac69a4bfe
SHA512 37d9576ee05791bb192558c8520c1338c89d1b04499cf8a5960c631689f482572a3892d8007509042e1061de960e1ff3eac9c6467563064fe8777eab9bae0348