Analysis Overview
SHA256
6375e7e4c7cdc3f96afd991c4dfedd5cdfe4b31bf0662dccfa703c117e951f71
Threat Level: Known bad
The file Crypted.bin.exe was found to be: Known bad.
Malicious Activity Summary
Lockbit
Modifies extensions of user files
Loads dropped DLL
Deletes itself
Checks BIOS information in registry
Reads user/profile data of web browsers
Executes dropped EXE
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-11 16:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-11 16:44
Reported
2023-03-11 16:46
Platform
win7-20230220-en
Max time kernel
97s
Max time network
58s
Command Line
Signatures
Lockbit
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\SetUse.crw => C:\Users\Admin\Pictures\SetUse.crw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetUse.crw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GrantCompare.raw => C:\Users\Admin\Pictures\GrantCompare.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RestartProtect.tiff | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenSkip.tiff => C:\Users\Admin\Pictures\OpenSkip.tiff.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SaveNew.crw => C:\Users\Admin\Pictures\SaveNew.crw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompleteDeny.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromShow.tif.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RestartProtect.tiff => C:\Users\Admin\Pictures\RestartProtect.tiff.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RestartProtect.tiff.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GrantCompare.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OpenSkip.tiff | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OpenSkip.tiff.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SaveNew.crw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompleteDeny.png => C:\Users\Admin\Pictures\CompleteDeny.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromShow.tif => C:\Users\Admin\Pictures\ConvertFromShow.tif.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A545.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A545.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ZQXLByuZ3.bmp" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ZQXLByuZ3.bmp" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A545.tmp | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1740 set thread context of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3\ = "ZQXLByuZ3" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Typelib | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon\ = "C:\\ProgramData\\ZQXLByuZ3.ico" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ = "Microsoft Outlook Recipient Control" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus\1\ = "131200" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Verb\0 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ProgID\ = "RECIP.RecipCtl.1" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,5500" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Verb | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Version\ = "9.4" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB} | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories\ = "1" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ = "1" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Control | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ProgID | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Verb\0\ = "Edit, 0, 2" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Version | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f0035007600320062006600790076003d0046002c0000000000 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\Typelib\ = "{00062FFF-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A545.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"
C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"
C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
C:\ProgramData\A545.tmp
"C:\ProgramData\A545.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A545.tmp >> NUL
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-11 16:44
Reported
2023-03-11 16:46
Platform
win10v2004-20230221-en
Max time kernel
154s
Max time network
150s
Command Line
Signatures
Lockbit
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\LimitReceive.raw => C:\Users\Admin\Pictures\LimitReceive.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\LimitReceive.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MountUpdate.tif => C:\Users\Admin\Pictures\MountUpdate.tif.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SplitWait.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompressWatch.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromUse.png => C:\Users\Admin\Pictures\ConvertFromUse.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\InvokeExit.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WaitResolve.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromUse.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MeasureRead.raw => C:\Users\Admin\Pictures\MeasureRead.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\TestUndo.tif.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MeasureRead.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SplitWait.png => C:\Users\Admin\Pictures\SplitWait.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WaitResolve.png => C:\Users\Admin\Pictures\WaitResolve.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EditAdd.png => C:\Users\Admin\Pictures\EditAdd.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EditAdd.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FormatRepair.raw => C:\Users\Admin\Pictures\FormatRepair.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatRepair.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestUndo.tif => C:\Users\Admin\Pictures\TestUndo.tif.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompressWatch.raw => C:\Users\Admin\Pictures\CompressWatch.raw.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MountUpdate.tif.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\NewReset.png => C:\Users\Admin\Pictures\NewReset.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\NewReset.png.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4992 set thread context of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB} | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon\ = "C:\\ProgramData\\ZQXLByuZ3.ico" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\ = "Hide Selected Explorer Command" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D2A3105-81F1-9565-BAA6-C0777B43DEEB}\InprocServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ZQXLByuZ3\ = "ZQXLByuZ3" | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ZQXLByuZ3 | C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"
C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe"
C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
C:\Users\Admin\AppData\Local\Temp\Crypted.bin.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.146.190.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 20.189.173.2:443 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
Files
memory/4244-133-0x0000000010000000-0x00000000101AC000-memory.dmp
memory/4992-134-0x0000000010000000-0x00000000101AC000-memory.dmp
memory/4992-135-0x00000000024B0000-0x000000000260A000-memory.dmp
memory/4992-141-0x00000000024B0000-0x000000000260A000-memory.dmp
memory/4992-143-0x0000000010000000-0x00000000101AC000-memory.dmp
memory/4992-144-0x0000000010000000-0x00000000101AC000-memory.dmp
memory/4992-146-0x00000000024B0000-0x000000000260A000-memory.dmp
memory/4992-145-0x0000000010000000-0x00000000101AC000-memory.dmp
memory/1348-150-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-151-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-152-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-153-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-154-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-155-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-158-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4244-159-0x0000000010000000-0x00000000101AC000-memory.dmp
memory/4992-157-0x00000000024B0000-0x000000000260A000-memory.dmp
memory/4992-162-0x0000000010000000-0x00000000101AC000-memory.dmp
memory/1348-161-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-164-0x0000000000400000-0x000000000042A000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\GGGGGGGGGGG
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\TTTTTTTTTTT
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\SSSSSSSSSSS
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
memory/1348-207-0x00000000024F0000-0x0000000002500000-memory.dmp
memory/1348-225-0x00000000024F0000-0x0000000002500000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\YYYYYYYYYYY
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\XXXXXXXXXXX
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\WWWWWWWWWWW
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\VVVVVVVVVVV
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\UUUUUUUUUUU
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\RRRRRRRRRRR
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\QQQQQQQQQQQ
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\FFFFFFFFFFF
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
memory/1348-181-0x00000000024F0000-0x0000000002500000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\EEEEEEEEEEE
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\CCCCCCCCCCC
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\PPPPPPPPPPP
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\OOOOOOOOOOO
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\NNNNNNNNNNN
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\MMMMMMMMMMM
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\LLLLLLLLLLL
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\BBBBBBBBBBB
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\KKKKKKKKKKK
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\JJJJJJJJJJJ
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\IIIIIIIIIII
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\HHHHHHHHHHH
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\AAAAAAAAAAA
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini
| MD5 | 68061510dff88e8f427db50ca0ebdab3 |
| SHA1 | 9f966e257cf3d75b8eb1e8653e007271eac0e11c |
| SHA256 | a1127dc6f517738484c0ad13957edd3cebb1308b54f4458bccd9d81aaeaa0dee |
| SHA512 | 1bac456a6995df7f8f895e7992eb7bf11471462d649cabe76d595343708474fafc04e7fcc30e78130e159a1b76cbf9a82fc52ea586ed4b8f0a59605a498bafe3 |
memory/1348-227-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-231-0x0000000000400000-0x000000000042A000-memory.dmp
C:\ZQXLByuZ3.README.txt
| MD5 | 9c01d69e72dbf6b42d03fd97b2c13fdf |
| SHA1 | f79bc79983152d43c8b7fbad069c60f2c8d0b070 |
| SHA256 | 0b7b64a12f026fc15924b316edc023ed6256b5e7a48083dcba93511194a966c3 |
| SHA512 | 90f9824dd9fb143ccddd0e58b7e7e4a3da0c32598a97bb6f52beddd3fd0ed502619bce0e417898670bc327d1e0d5d17b1a0632557010b235b8369be82a4112e8 |
memory/1348-947-0x00000000024F0000-0x0000000002500000-memory.dmp
memory/1348-948-0x00000000024F0000-0x0000000002500000-memory.dmp
memory/1348-949-0x00000000024F0000-0x0000000002500000-memory.dmp
memory/1348-2876-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-2879-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1348-2881-0x0000000000400000-0x000000000042A000-memory.dmp