Malware Analysis Report

2025-05-05 20:55

Sample ID 230603-nv16dsha4v
Target LB3.7z
SHA256 2cee882bd0dc4267bacf099ac4571c319ac547be12b955f7ccb2f0144ae40876
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2cee882bd0dc4267bacf099ac4571c319ac547be12b955f7ccb2f0144ae40876

Threat Level: Known bad

The file LB3.7z was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (313) files with added filename extension

Renames multiple (603) files with added filename extension

Modifies extensions of user files

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-03 11:43

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-03 11:43

Reported

2023-06-03 11:46

Platform

win7-20230220-en

Max time kernel

76s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Renames multiple (313) files with added filename extension

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\StartOut.crw => C:\Users\Admin\Pictures\StartOut.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\StartOut.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\CompressWatch.crw => C:\Users\Admin\Pictures\CompressWatch.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompressWatch.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\StartConnect.raw => C:\Users\Admin\Pictures\StartConnect.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\StartConnect.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\477D.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\477D.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\ProgramData\477D.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\477D.tmp
PID 2040 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\477D.tmp
PID 2040 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\477D.tmp
PID 2040 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\477D.tmp
PID 2040 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\477D.tmp
PID 1588 wrote to memory of 984 N/A C:\ProgramData\477D.tmp C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 984 N/A C:\ProgramData\477D.tmp C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 984 N/A C:\ProgramData\477D.tmp C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 984 N/A C:\ProgramData\477D.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\ProgramData\477D.tmp

"C:\ProgramData\477D.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\477D.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\desktop.ini

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\AAAAAAAAAAA

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\BBBBBBBBBBB

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\CCCCCCCCCCC

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\DDDDDDDDDDD

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\EEEEEEEEEEE

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\FFFFFFFFFFF

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\GGGGGGGGGGG

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\HHHHHHHHHHH

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\IIIIIIIIIII

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\JJJJJJJJJJJ

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\LLLLLLLLLLL

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\KKKKKKKKKKK

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\MMMMMMMMMMM

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\NNNNNNNNNNN

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\OOOOOOOOOOO

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\QQQQQQQQQQQ

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\PPPPPPPPPPP

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\RRRRRRRRRRR

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\SSSSSSSSSSS

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\TTTTTTTTTTT

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\UUUUUUUUUUU

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\VVVVVVVVVVV

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\WWWWWWWWWWW

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\XXXXXXXXXXX

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\$Recycle.Bin\S-1-5-21-1283023626-844874658-3193756055-1000\YYYYYYYYYYY

MD5 6e011b87599e1340215ba333d48a0d25
SHA1 c846641c02706314cf2199bd4fc5c7b716ca9afa
SHA256 635f1ae6fc1f02c012f19adcd164905d0f2a1594243029a40f029fa4f2ee69e3
SHA512 0ca47b3da6eb49a754cac96af1ac82b6c84dedf6243e0b56d2646ee19ba9cf734829e0563852d6c5d0d46736a13b52bfe59b1eadfe29bd1916e9f520b13e0920

C:\AFfGduKAp.README.txt

MD5 2c14b79c5df401a312e4c3eaf12b6b71
SHA1 5c45b1acc517676485afa15e4dd3f99fbda7cda4
SHA256 f4f5a83157405e6d4e49758d3f325ee5adb9448cc7973978f2c0e32a000678a4
SHA512 fb504fcb4c3d73812d4dddede978a4a2f841d3be75de722d46a78c1c7db1d54af2bba2e2f1250d58ecd2742238ba1c19e68d1196c3aaf0eae657a8e516d9c48b

memory/2040-285-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

memory/2040-290-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

memory/2040-313-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

\ProgramData\477D.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\477D.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 175d5ec547d19e69ea79844c23ae6ceb
SHA1 4033fdb30211e1e2ec08b1ef1dfbe013525d5a49
SHA256 7e40358ba0985bf6ed85f677b058d81a2e6f3a98e83bb10b64bdfe8ac18fef44
SHA512 593176d6ae906dfca6556f933668337b59d731a79fd50c70dca77d9e0ee1b4a340234cf6d1232bae63cd2761845fc99e7db4b3ac5299d0c3406054e1b4552f66

memory/1588-891-0x00000000023E5000-0x0000000002403000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-03 11:43

Reported

2023-06-03 11:46

Platform

win10v2004-20230220-en

Max time kernel

90s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Renames multiple (603) files with added filename extension

ransomware

Modifies extensions of user files

ransomware

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\CopyConfirm.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\WaitMeasure.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointSend.raw => C:\Users\Admin\Pictures\CheckpointSend.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\CopyConfirm.crw => C:\Users\Admin\Pictures\CopyConfirm.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\ImportAdd.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\LockApprove.tif => C:\Users\Admin\Pictures\LockApprove.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\WaitMeasure.tif => C:\Users\Admin\Pictures\WaitMeasure.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\CheckpointSend.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\RevokeRename.png => C:\Users\Admin\Pictures\RevokeRename.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveRedo.tif => C:\Users\Admin\Pictures\ResolveRedo.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\LockApprove.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\ResizeDisable.png => C:\Users\Admin\Pictures\ResizeDisable.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResizeDisable.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResolveRedo.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\RevokeRename.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\ImportAdd.raw => C:\Users\Admin\Pictures\ImportAdd.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\ProgramData\C335.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\C335.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\ProgramData\C335.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\C335.tmp
PID 4604 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\C335.tmp
PID 4604 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\C335.tmp
PID 4604 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\C335.tmp
PID 4324 wrote to memory of 1952 N/A C:\ProgramData\C335.tmp C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 1952 N/A C:\ProgramData\C335.tmp C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 1952 N/A C:\ProgramData\C335.tmp C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\ProgramData\C335.tmp

"C:\ProgramData\C335.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C335.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 20.189.173.6:443 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 93.184.220.29:80 tcp
NL 88.221.25.155:80 tcp

Files

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\DDDDDDDDDDD

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\GGGGGGGGGGG

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\DDDDDDDDDDD

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\JJJJJJJJJJJ

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\IIIIIIIIIII

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\KKKKKKKKKKK

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\YYYYYYYYYYY

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\UUUUUUUUUUU

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\XXXXXXXXXXX

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\QQQQQQQQQQQ

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\PPPPPPPPPPP

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\OOOOOOOOOOO

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\NNNNNNNNNNN

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\MMMMMMMMMMM

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\RRRRRRRRRRR

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\WWWWWWWWWWW

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\VVVVVVVVVVV

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\TTTTTTTTTTT

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\SSSSSSSSSSS

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\LLLLLLLLLLL

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\HHHHHHHHHHH

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\FFFFFFFFFFF

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\EEEEEEEEEEE

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\BBBBBBBBBBB

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\AAAAAAAAAAA

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\CCCCCCCCCCC

MD5 1ace16334c16ccbab3413f022c941aa2
SHA1 5fed3367acd24f0c611d0651ef5296ed6edfdaa0
SHA256 2da0ac35fb0c2139226d2e5243aa9d59d4a2f7df776d12469518b31fa97f6b43
SHA512 ef11975f47552a412b923571a59fdb7e6e6c9280d51f18a868294b362945e0d9908cbf911d010b33e9e5bec112fe36a80bd34165c0d2c0f4e9999faa7bf5af0c

memory/4604-188-0x00000000031A0000-0x00000000031B0000-memory.dmp

memory/4604-189-0x00000000031A0000-0x00000000031B0000-memory.dmp

C:\AFfGduKAp.README.txt

MD5 c23c60bc62f1cc08c909c8f30b50041a
SHA1 5578092c969e501ed8a6831409acee0cb4f8d3e6
SHA256 7ff4f870af1a8caa4e82426747849f40ed0f9bdb787770dcfd6e9003ba9900b6
SHA512 cf29cff2ecc1089aaad51711a47d0f281404e8969db0c7e76c551c0a3cf477dc55f4865927976576d1a218b20535930d17080f98dacd045c2fc8c136ffc87b62

memory/4604-2817-0x00000000031A0000-0x00000000031B0000-memory.dmp

memory/4604-2818-0x00000000031A0000-0x00000000031B0000-memory.dmp

C:\ProgramData\C335.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\C335.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 f8448e1f2d70881d9f89cfde23752351
SHA1 223c039b236cb2f23de79e01904d7baa100b4cb1
SHA256 faea9c3cdbd58e5f5ffd2252a11836c74bd6c94e9cf2f9172a1a34320e791449
SHA512 c9c59bafa9091bad8ddcc74eb3b21c677b251e6ed8d8d41dfe68a176db304c2a8a2ada8124ef256521f0f9bb845986916de656095dc76b541b3270fe183eb8d9