Analysis Overview
SHA256
2cee882bd0dc4267bacf099ac4571c319ac547be12b955f7ccb2f0144ae40876
Threat Level: Known bad
The file LB3.7z was found to be: Known bad.
Malicious Activity Summary
Rule to detect Lockbit 3.0 ransomware Windows payload
Lockbit family
Renames multiple (313) files with added filename extension
Renames multiple (603) files with added filename extension
Modifies extensions of user files
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-03 11:43
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-03 11:43
Reported
2023-06-03 11:46
Platform
win7-20230220-en
Max time kernel
76s
Max time network
36s
Command Line
Signatures
Renames multiple (313) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\StartOut.crw => C:\Users\Admin\Pictures\StartOut.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StartOut.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompressWatch.crw => C:\Users\Admin\Pictures\CompressWatch.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompressWatch.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartConnect.raw => C:\Users\Admin\Pictures\StartConnect.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StartConnect.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
| N/A | N/A | C:\ProgramData\477D.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2040 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\477D.tmp |
| PID 2040 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\477D.tmp |
| PID 2040 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\477D.tmp |
| PID 2040 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\477D.tmp |
| PID 2040 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\477D.tmp |
| PID 1588 wrote to memory of 984 | N/A | C:\ProgramData\477D.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 1588 wrote to memory of 984 | N/A | C:\ProgramData\477D.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 1588 wrote to memory of 984 | N/A | C:\ProgramData\477D.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 1588 wrote to memory of 984 | N/A | C:\ProgramData\477D.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
C:\ProgramData\477D.tmp
"C:\ProgramData\477D.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\477D.tmp >> NUL
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
Network
Files
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\desktop.ini
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\AAAAAAAAAAA
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\BBBBBBBBBBB
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\CCCCCCCCCCC
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\DDDDDDDDDDD
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\DDDDDDDDDDD
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\EEEEEEEEEEE
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\FFFFFFFFFFF
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\GGGGGGGGGGG
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\HHHHHHHHHHH
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\IIIIIIIIIII
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\JJJJJJJJJJJ
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\LLLLLLLLLLL
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\KKKKKKKKKKK
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\MMMMMMMMMMM
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\NNNNNNNNNNN
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\OOOOOOOOOOO
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\QQQQQQQQQQQ
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\PPPPPPPPPPP
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\RRRRRRRRRRR
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\SSSSSSSSSSS
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\TTTTTTTTTTT
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\UUUUUUUUUUU
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\VVVVVVVVVVV
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\WWWWWWWWWWW
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\XXXXXXXXXXX
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\YYYYYYYYYYY
| MD5 | 6e011b87599e1340215ba333d48a0d25 |
| SHA1 | c846641c02706314cf2199bd4fc5c7b716ca9afa |
| SHA256 | 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3 |
| SHA512 | 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920 |
C:\AFfGduKAp.README.txt
| MD5 | 2c14b79c5df401a312e4c3eaf12b6b71 |
| SHA1 | 5c45b1acc517676485afa15e4dd3f99fbda7cda4 |
| SHA256 | f4f5a83157405e6d4e49758d3f325ee5adb9448cc7973978f2c0e32a000678a4 |
| SHA512 | fb504fcb4c3d73812d4dddede978a4a2f841d3be75de722d46a78c1c7db1d54af2bba2e2f1250d58ecd2742238ba1c19e68d1196c3aaf0eae657a8e516d9c48b |
memory/2040-285-0x0000000000CB0000-0x0000000000CF0000-memory.dmp
memory/2040-290-0x0000000000CB0000-0x0000000000CF0000-memory.dmp
memory/2040-313-0x0000000000CB0000-0x0000000000CF0000-memory.dmp
\ProgramData\477D.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\ProgramData\477D.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\ProgramData\477D.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDD
| MD5 | 175d5ec547d19e69ea79844c23ae6ceb |
| SHA1 | 4033fdb30211e1e2ec08b1ef1dfbe013525d5a49 |
| SHA256 | 7e40358ba0985bf6ed85f677b058d81a2e6f3a98e83bb10b64bdfe8ac18fef44 |
| SHA512 | 593176d6ae906dfca6556f933668337b59d731a79fd50c70dca77d9e0ee1b4a340234cf6d1232bae63cd2761845fc99e7db4b3ac5299d0c3406054e1b4552f66 |
memory/1588-891-0x00000000023E5000-0x0000000002403000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-03 11:43
Reported
2023-06-03 11:46
Platform
win10v2004-20230220-en
Max time kernel
90s
Max time network
151s
Command Line
Signatures
Renames multiple (603) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\CopyConfirm.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WaitMeasure.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointSend.raw => C:\Users\Admin\Pictures\CheckpointSend.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CopyConfirm.crw => C:\Users\Admin\Pictures\CopyConfirm.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ImportAdd.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\LockApprove.tif => C:\Users\Admin\Pictures\LockApprove.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WaitMeasure.tif => C:\Users\Admin\Pictures\WaitMeasure.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CheckpointSend.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RevokeRename.png => C:\Users\Admin\Pictures\RevokeRename.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveRedo.tif => C:\Users\Admin\Pictures\ResolveRedo.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\LockApprove.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResizeDisable.png => C:\Users\Admin\Pictures\ResizeDisable.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResizeDisable.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResolveRedo.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RevokeRename.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ImportAdd.raw => C:\Users\Admin\Pictures\ImportAdd.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\ProgramData\C335.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
| N/A | N/A | C:\ProgramData\C335.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4604 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\C335.tmp |
| PID 4604 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\C335.tmp |
| PID 4604 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\C335.tmp |
| PID 4604 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\C335.tmp |
| PID 4324 wrote to memory of 1952 | N/A | C:\ProgramData\C335.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 4324 wrote to memory of 1952 | N/A | C:\ProgramData\C335.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 4324 wrote to memory of 1952 | N/A | C:\ProgramData\C335.tmp | C:\Windows\SysWOW64\cmd.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\ProgramData\C335.tmp
"C:\ProgramData\C335.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C335.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 20.189.173.6:443 | N/A | tcp |
| US | 13.107.4.50:80 | N/A | tcp |
| US | 13.107.4.50:80 | N/A | tcp |
| US | 13.107.4.50:80 | N/A | tcp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 131.253.33.203:80 | N/A | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 93.184.220.29:80 | N/A | tcp |
| NL | 88.221.25.155:80 | N/A | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\DDDDDDDDDDD
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\GGGGGGGGGGG
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\DDDDDDDDDDD
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\JJJJJJJJJJJ
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\IIIIIIIIIII
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\KKKKKKKKKKK
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\YYYYYYYYYYY
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\UUUUUUUUUUU
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\XXXXXXXXXXX
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\QQQQQQQQQQQ
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\PPPPPPPPPPP
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\OOOOOOOOOOO
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\NNNNNNNNNNN
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\MMMMMMMMMMM
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\RRRRRRRRRRR
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\WWWWWWWWWWW
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\VVVVVVVVVVV
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\TTTTTTTTTTT
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\SSSSSSSSSSS
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\LLLLLLLLLLL
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\HHHHHHHHHHH
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\FFFFFFFFFFF
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\EEEEEEEEEEE
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\BBBBBBBBBBB
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\AAAAAAAAAAA
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\CCCCCCCCCCC
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
| SHA512 | ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c |
memory/4604-188-0x00000000031A0000-0x00000000031B0000-memory.dmp
memory/4604-189-0x00000000031A0000-0x00000000031B0000-memory.dmp
C:\AFfGduKAp.README.txt
| MD5 | c23c60bc62f1cc08c909c8f30b50041a |
| SHA1 | 5578092c969e501ed8a6831409acee0cb4f8d3e6 |
| SHA256 | 7ff4f870af1a8caa4e82426747849f40ed0f9bdb787770dcfd6e9003ba9900b6 |
| SHA512 | cf29cff2ecc1089aaad51711a47d0f281404e8969db0c7e76c551c0a3cf477dc55f4865927976576d1a218b20535930d17080f98dacd045c2fc8c136ffc87b62 |
memory/4604-2817-0x00000000031A0000-0x00000000031B0000-memory.dmp
memory/4604-2818-0x00000000031A0000-0x00000000031B0000-memory.dmp
C:\ProgramData\C335.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDD
| MD5 | f8448e1f2d70881d9f89cfde23752351 |
| SHA1 | 223c039b236cb2f23de79e01904d7baa100b4cb1 |
| SHA256 | faea9c3cdbd58e5f5ffd2252a11836c74bd6c94e9cf2f9172a1a34320e791449 |
| SHA512 | c9c59bafa9091bad8ddcc74eb3b21c677b251e6ed8d8d41dfe68a176db304c2a8a2ada8124ef256521f0f9bb845986916de656095dc76b541b3270fe183eb8d9 |
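The file list above carries two LockBit-style patterns worth pulling out programmatically rather than by eye: a run of single-character-named files in $Recycle.Bin (plus an overwritten desktop.ini) that all share one SHA256, and a ransom note C:\AFfGduKAp.README.txt whose stem is exactly the extension the payload appended to encrypted files (StartOut.crw => StartOut.crw.AFfGduKAp in the behavioral signatures). The script below is an added example, not part of the sandbox report or any vendor tooling. It parses records in the report's own "path, then | MD5 | ... | rows" layout (a constructed excerpt of this page's entries is embedded as SAMPLE_REPORT), groups them by content hash, and derives the appended extension from the note name. Function names and the three-path threshold are the example's own choices. Caveat for hunting: the hashes of the filler files and the note are specific to this build and run, so the durable detection is the behaviour (many same-content files with repeated-character names, a `<ext>.README.txt` whose stem matches a newly appended extension), not the hash values.

```python
"""Triage helper for a sandbox report's dropped-file list (added example).

Parses entries in the report's layout, then extracts the LockBit-style
indicators visible on the page: same-content filler files, repeated-character
file names, the ransom note and the extension it implies.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
ONE_CHAR_NAME = re.compile(r"^(.)\1+$")                     # e.g. DDDDDDDDDDD
RANSOM_NOTE = re.compile(r"^([A-Za-z0-9]+)\.README\.txt$")  # <appended ext>.README.txt

# Constructed excerpt of the page's own file entries (SHA512 rows omitted).
SAMPLE_REPORT = r"""
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\DDDDDDDDDDD
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\GGGGGGGGGGG
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini
| MD5 | 1ace16334c16ccbab3413f022c941aa2 |
| SHA1 | 5fed3367acd24f0c611d0651ef5296ed6edfdaa0 |
| SHA256 | 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43 |
memory/4604-188-0x00000000031A0000-0x00000000031B0000-memory.dmp
C:\AFfGduKAp.README.txt
| MD5 | c23c60bc62f1cc08c909c8f30b50041a |
| SHA1 | 5578092c969e501ed8a6831409acee0cb4f8d3e6 |
| SHA256 | 7ff4f870af1a8caa4e82426747849f40ed0f9bdb787770dcfd6e9003ba9900b6 |
C:\ProgramData\C335.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
C:\Users\Admin\AppData\Local\Temp\DDDDDDD
| MD5 | f8448e1f2d70881d9f89cfde23752351 |
| SHA1 | 223c039b236cb2f23de79e01904d7baa100b4cb1 |
| SHA256 | faea9c3cdbd58e5f5ffd2252a11836c74bd6c94e9cf2f9172a1a34320e791449 |
"""


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex


def parse_file_list(text):
    """A non-table line starts a record; following | ALG | hex | rows attach to it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if not records:
                raise ValueError(f"hash row before any path: {line}")
            records[-1].hashes[m.group(1)] = m.group(2).lower()
        else:
            records.append(FileRecord(path=line))   # memory dumps have no hash rows
    return records


def same_content_groups(records, min_paths=3):
    """SHA256 -> distinct paths, for hashes written to at least min_paths places."""
    by_sha = defaultdict(set)
    for r in records:
        sha = r.hashes.get("SHA256")
        if sha:
            by_sha[sha].add(r.path)
    return {sha: sorted(p) for sha, p in by_sha.items() if len(p) >= min_paths}


def repeated_char_names(records):
    """Paths whose basename is one character repeated (the $Recycle.Bin filler style)."""
    return [r.path for r in records if ONE_CHAR_NAME.match(ntpath.basename(r.path))]


def appended_extension(records):
    """Derive the appended extension from the first <stem>.README.txt note, or None."""
    for r in records:
        m = RANSOM_NOTE.match(ntpath.basename(r.path))
        if m:
            return "." + m.group(1)
    return None


def is_encrypted_name(name, ext):
    """True when a file name carries the appended extension after its real name."""
    return ext is not None and name.endswith(ext) and len(name) > len(ext)


def summarise(text):
    records = parse_file_list(text)
    return {
        "records": len(records),
        "appended_extension": appended_extension(records),
        "ransom_note_paths": [r.path for r in records
                              if RANSOM_NOTE.match(ntpath.basename(r.path))],
        "filler_groups": same_content_groups(records),
        "repeated_char_names": repeated_char_names(records),
        "sha256_iocs": sorted({r.hashes["SHA256"] for r in records if "SHA256" in r.hashes}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_REPORT), indent=2))
```

Feed it the whole Files section of a report and the filler group surfaces immediately; the same `is_encrypted_name` check, given the derived extension, is what you would run over a file-system listing or EDR file-rename events to scope how far encryption got before the process was stopped.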