Malware Analysis Report

2025-06-15 20:15

Sample ID 230311-t8vhnaae47
Target Crypted.bin.exe
SHA256 6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71

Threat Level: Known bad

The file Crypted.bin.exe was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit

Modifies extensions of user files

Loads dropped DLL

Deletes itself

Checks BIOS information in registry

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-11 16:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-11 16:44

Reported

2023-03-11 16:46

Platform

win7-20230220-en

Max time kernel

97s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\SetUse.crw => C:\Users\Admin\Pictures\SetUse.crw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SetUse.crw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File renamed | C:\Users\Admin\Pictures\GrantCompare.raw => C:\Users\Admin\Pictures\GrantCompare.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RestartProtect.tiff | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File renamed | C:\Users\Admin\Pictures\OpenSkip.tiff => C:\Users\Admin\Pictures\OpenSkip.tiff.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File renamed | C:\Users\Admin\Pictures\SaveNew.crw => C:\Users\Admin\Pictures\SaveNew.crw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CompleteDeny.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ConvertFromShow.tif.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File renamed | C:\Users\Admin\Pictures\RestartProtect.tiff => C:\Users\Admin\Pictures\RestartProtect.tiff.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RestartProtect.tiff.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\GrantCompare.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\OpenSkip.tiff | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\OpenSkip.tiff.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SaveNew.crw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompleteDeny.png => C:\Users\Admin\Pictures\CompleteDeny.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConvertFromShow.tif => C:\Users\Admin\Pictures\ConvertFromShow.tif.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\A545.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\A545.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ZQXLByuZ3.bmp" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ZQXLByuZ3.bmp" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\A545.tmp | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1740 set thread context of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

Enumerates physical storage devices

Modifies Control Panel

evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3\ = "ZQXLByuZ3" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Typelib | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon\ = "C:\\ProgramData\\ZQXLByuZ3.ico" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ = "Microsoft Outlook Recipient Control" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus\1\ = "131200" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Verb\0 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ProgID\ = "RECIP.RecipCtl.1" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,5500" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Verb | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Version\ = "9.4" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB} | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories\ = "1" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ = "1" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Control | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ProgID | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Verb\0\ = "Edit, 0, 2" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Version | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f0035007600320062006600790076003d0046002c0000000000 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Typelib\ = "{00062FFF-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 2016 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 2016 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 2016 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 2016 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 2016 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 1740 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 980 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\ProgramData\A545.tmp
PID 980 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\ProgramData\A545.tmp
PID 980 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\ProgramData\A545.tmp
PID 980 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\ProgramData\A545.tmp
PID 980 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\ProgramData\A545.tmp
PID 1768 wrote to memory of 340 | N/A | C:\ProgramData\A545.tmp | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 340 | N/A | C:\ProgramData\A545.tmp | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 340 | N/A | C:\ProgramData\A545.tmp | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 340 | N/A | C:\ProgramData\A545.tmp | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"

C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"

C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

C:\ProgramData\A545.tmp

"C:\ProgramData\A545.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A545.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/1740-54-0x0000000001F10000-0x000000000206A000-memory.dmp

memory/1740-60-0x0000000001F10000-0x000000000206A000-memory.dmp

memory/2016-61-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/2016-62-0x0000000001CD0000-0x0000000001E7C000-memory.dmp

memory/1740-63-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/1740-65-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/1740-66-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/1740-67-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/1740-68-0x0000000001F10000-0x000000000206A000-memory.dmp

memory/980-72-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-74-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-73-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-76-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-78-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-80-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-82-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-84-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/980-88-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1740-87-0x0000000001F10000-0x000000000206A000-memory.dmp

memory/1740-89-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/2016-90-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/980-91-0x0000000002120000-0x0000000002160000-memory.dmp

memory/980-92-0x0000000002120000-0x0000000002160000-memory.dmp

memory/980-93-0x0000000002120000-0x0000000002160000-memory.dmp

memory/980-94-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/980-96-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-126-0x0000000000400000-0x000000000042A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\JJJJJJJJJJJ

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\IIIIIIIIIII

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\EEEEEEEEEEE

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\AAAAAAAAAAA

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\BBBBBBBBBBB

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\CCCCCCCCCCC

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\DDDDDDDDDDD

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\EEEEEEEEEEE

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\FFFFFFFFFFF

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\GGGGGGGGGGG

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\HHHHHHHHHHH

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

memory/980-115-0x0000000000400000-0x000000000042A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\LLLLLLLLLLL

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\KKKKKKKKKKK

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\PPPPPPPPPPP

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\OOOOOOOOOOO

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\NNNNNNNNNNN

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\MMMMMMMMMMM

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\QQQQQQQQQQQ

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\RRRRRRRRRRR

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\SSSSSSSSSSS

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\TTTTTTTTTTT

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\VVVVVVVVVVV

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\UUUUUUUUUUU

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

memory/980-161-0x0000000000400000-0x000000000042A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\WWWWWWWWWWW

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\XXXXXXXXXXX

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

C:\ZQXLByuZ3.README.txt

MD5 aaaf0de3f4bcb9275ba225d0170e5486
SHA1 d6786a09d6c491cfa39ceaec9423d180601b0fb0
SHA256 f5a03bbada05402596d4c2872021fc0ff2951961c10e8a39426e663b2ff7bc57
SHA512 37382b17557d1aa0d194f5f82ea9431b71b6bb36c2f4ea9d1638ec7a0f5215c66b88419fd0f3b2435229467f14dcb38b55ce8f81116e44ea79da692acaa8cb96

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\YYYYYYYYYYY

MD5 371c83ca2832672edf54008036c3324d
SHA1 2386cfd52730aa062ccf4624daef0b1430a44720
SHA256 59a727f156aecf01fd5d7a110416543d1f4489ab64951e476325f685d867b3f6
SHA512 47fbf90c75c71028f0350de4abecd07beabb362c042468840d41b82601dd254c99fe7a83c2e865f7116154760f2e713cf3f6381ca9b51ae35637297a28e6e998

memory/980-189-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-919-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-918-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-923-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-924-0x0000000000400000-0x000000000042A000-memory.dmp

memory/980-927-0x0000000002120000-0x0000000002160000-memory.dmp

memory/980-928-0x0000000002120000-0x0000000002160000-memory.dmp

memory/980-929-0x0000000002120000-0x0000000002160000-memory.dmp

\ProgramData\A545.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\A545.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\A545.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDD

MD5 051071bfe4fb1eac65b644d182a8f428
SHA1 1f671ca2d5d8efe42e19b84a7bcf907ff498a02f
SHA256 156b7cdff8b14fa4e6baf42539ad907481b9da62fbc7058415d2d0090f4b394e
SHA512 8c7011cafcac1ff415bb429f42a28d8b8e36c3938ae03311ae362e34a408150866b9848e9584bc5207404afb847b15424853bee6d9c42ae1cd0ef07ddd1f576e

memory/1768-969-0x0000000000245000-0x0000000000263000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-11 16:44

Reported

2023-03-11 16:46

Platform

win10v2004-20230221-en

Max time kernel

154s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\LimitReceive.raw => C:\Users\Admin\Pictures\LimitReceive.raw.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\LimitReceive.raw.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\MountUpdate.tif => C:\Users\Admin\Pictures\MountUpdate.tif.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\SplitWait.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompressWatch.raw.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromUse.png => C:\Users\Admin\Pictures\ConvertFromUse.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\InvokeExit.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\WaitResolve.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertFromUse.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\MeasureRead.raw => C:\Users\Admin\Pictures\MeasureRead.raw.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\TestUndo.tif.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\MeasureRead.raw.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\SplitWait.png => C:\Users\Admin\Pictures\SplitWait.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\WaitResolve.png => C:\Users\Admin\Pictures\WaitResolve.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\EditAdd.png => C:\Users\Admin\Pictures\EditAdd.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\EditAdd.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\FormatRepair.raw => C:\Users\Admin\Pictures\FormatRepair.raw.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatRepair.raw.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\TestUndo.tif => C:\Users\Admin\Pictures\TestUndo.tif.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\CompressWatch.raw => C:\Users\Admin\Pictures\CompressWatch.raw.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\MountUpdate.tif.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File renamed C:\Users\Admin\Pictures\NewReset.png => C:\Users\Admin\Pictures\NewReset.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
File opened for modification C:\Users\Admin\Pictures\NewReset.png.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4992 set thread context of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB} C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon\ = "C:\\ProgramData\\ZQXLByuZ3.ico" C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ = "Hide Selected Explorer Command" C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3\ = "ZQXLByuZ3" C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3 C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4244 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4244 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4244 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4244 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
PID 4992 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"

C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"

C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 38.146.190.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 20.189.173.2:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

memory/4244-133-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/4992-134-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/4992-135-0x00000000024B0000-0x000000000260A000-memory.dmp

memory/4992-141-0x00000000024B0000-0x000000000260A000-memory.dmp

memory/4992-143-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/4992-144-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/4992-146-0x00000000024B0000-0x000000000260A000-memory.dmp

memory/4992-145-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/1348-150-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-151-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-152-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-153-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-154-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-155-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-158-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4244-159-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/4992-157-0x00000000024B0000-0x000000000260A000-memory.dmp

memory/4992-162-0x0000000010000000-0x00000000101AC000-memory.dmp

memory/1348-161-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-164-0x0000000000400000-0x000000000042A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\GGGGGGGGGGG

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\TTTTTTTTTTT

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\SSSSSSSSSSS

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

memory/1348-207-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/1348-225-0x00000000024F0000-0x0000000002500000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\YYYYYYYYYYY

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\XXXXXXXXXXX

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\WWWWWWWWWWW

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\VVVVVVVVVVV

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\UUUUUUUUUUU

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\RRRRRRRRRRR

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\QQQQQQQQQQQ

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\FFFFFFFFFFF

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

memory/1348-181-0x00000000024F0000-0x0000000002500000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\EEEEEEEEEEE

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\CCCCCCCCCCC

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\PPPPPPPPPPP

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\OOOOOOOOOOO

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\NNNNNNNNNNN

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\MMMMMMMMMMM

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\LLLLLLLLLLL

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\BBBBBBBBBBB

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\KKKKKKKKKKK

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\JJJJJJJJJJJ

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\IIIIIIIIIII

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\HHHHHHHHHHH

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\AAAAAAAAAAA

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini

MD5 68061510dff88e8f427db50ca0ebdab3
SHA1 9f966e257cf3d75b8eb1e8653e007271eac0e11c
SHA256 a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee
SHA512 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3

memory/1348-227-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-231-0x0000000000400000-0x000000000042A000-memory.dmp

C:\ZQXLByuZ3.README.txt

MD5 9c01d69e72dbf6b42d03fd97b2c13fdf
SHA1 f79bc79983152d43c8b7fbad069c60f2c8d0b070
SHA256 0b7b64a12f026fc15924b316edc023ed6256b5e7a48083dcba93511194a966c3
SHA512 90f9824dd9fb143ccddd0e58b7e7e4a3da0c32598a97bb6f52beddd3fd0ed502619bce0e417898670bc327d1e0d5d17b1a0632557010b235b8369be82a4112e8

memory/1348-947-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/1348-948-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/1348-949-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/1348-2876-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-2879-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1348-2881-0x0000000000400000-0x000000000042A000-memory.dmp