Malware Analysis Report

2025-05-05 20:52

Sample ID 230608-mk71hsec53
Target LB3
SHA256 0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194

Threat Level: Known bad

The file LB3 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (597) files with added filename extension

Renames multiple (674) files with added filename extension

Modifies extensions of user files

Executes dropped EXE

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-08 10:32

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-08 10:32

Reported

2023-06-08 10:35

Platform

win10-20230220-en

Max time kernel

146s

Max time network

63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Renames multiple (674) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\SuspendLock.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\EnableExport.crw => C:\Users\Admin\Pictures\EnableExport.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\EnableExport.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\GetSuspend.raw => C:\Users\Admin\Pictures\GetSuspend.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\GetSuspend.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendLock.raw => C:\Users\Admin\Pictures\SuspendLock.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\6A7.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\6A7.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\ProgramData\6A7.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\6A7.tmp
PID 752 wrote to memory of 4940 N/A C:\ProgramData\6A7.tmp C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

C:\ProgramData\6A7.tmp

"C:\ProgramData\6A7.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6A7.tmp >> NUL

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AFfGduKAp.README.txt

Network

Country Destination Domain Proto
US 20.42.73.26:443 tcp
NL 8.238.21.254:80 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\AAAAAAAAAAA

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\RRRRRRRRRRR

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\VVVVVVVVVVV

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\EEEEEEEEEEE

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\YYYYYYYYYYY

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\XXXXXXXXXXX

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\WWWWWWWWWWW

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\UUUUUUUUUUU

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\TTTTTTTTTTT

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\QQQQQQQQQQQ

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\PPPPPPPPPPP

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\NNNNNNNNNNN

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\LLLLLLLLLLL

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\KKKKKKKKKKK

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\JJJJJJJJJJJ

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\IIIIIIIIIII

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\HHHHHHHHHHH

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\GGGGGGGGGGG

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\FFFFFFFFFFF

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\DDDDDDDDDDD

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\CCCCCCCCCCC

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\BBBBBBBBBBB

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\SSSSSSSSSSS

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\OOOOOOOOOOO

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\MMMMMMMMMMM

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\desktop.ini

MD5 bb89ec888cb1e37f8bb07cf0d66a0619
SHA1 dda1cb969cbca298e247e8204ed6d870e6800918
SHA256 de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406
SHA512 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63

memory/2132-176-0x0000000000D40000-0x0000000000D50000-memory.dmp

memory/2132-177-0x0000000000D40000-0x0000000000D50000-memory.dmp

memory/2132-178-0x0000000000D40000-0x0000000000D50000-memory.dmp

C:\AFfGduKAp.README.txt

MD5 63471181fb3bc1372662cbd2b84749f1
SHA1 a0601231e2267619e35c675f232802953903a2a5
SHA256 2e63ff921dcff75f50aeada02ca7db429c2c5a66dab90b5cb106511224adad73
SHA512 4c55938c4466763ea7fe397432ba92a1377b03715bd0fcf75527683eb24947eb6dc5a1a86df0c371f48542cc386540c4f709e18262618849c9718014fec2060d

memory/3660-2222-0x000001747E690000-0x000001747E6A0000-memory.dmp

memory/3660-2238-0x000001747EDD0000-0x000001747EDE0000-memory.dmp

memory/3660-2329-0x000001747EE50000-0x000001747EE51000-memory.dmp

memory/3660-2393-0x000001747EEE0000-0x000001747EEE1000-memory.dmp

memory/3660-2423-0x000001747F560000-0x000001747F561000-memory.dmp

memory/3660-2518-0x000001747F580000-0x000001747F581000-memory.dmp

memory/2132-3233-0x0000000000D40000-0x0000000000D50000-memory.dmp

memory/2132-3234-0x0000000000D40000-0x0000000000D50000-memory.dmp

memory/2132-3235-0x0000000000D40000-0x0000000000D50000-memory.dmp

C:\ProgramData\6A7.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 13b119f05765ff36bde231ff20e0486e
SHA1 167340096ef2fdc8c8f18abf005c108b4754893c
SHA256 bad6c0de2e871484343ac96d94d3a400408495d171ff0f912bcef77c2cac3cc7
SHA512 bacc2a7d7bf8a6a286bb8c396be5577e587ebafc407bfd8c6839295d86d4292d14a308873f9ea0f393ff5d6f5ca8d73612b2082b07fbc0cc007ab85e1c7c708d

C:\Users\Admin\Desktop\AFfGduKAp.README.txt

MD5 63471181fb3bc1372662cbd2b84749f1
SHA1 a0601231e2267619e35c675f232802953903a2a5
SHA256 2e63ff921dcff75f50aeada02ca7db429c2c5a66dab90b5cb106511224adad73
SHA512 4c55938c4466763ea7fe397432ba92a1377b03715bd0fcf75527683eb24947eb6dc5a1a86df0c371f48542cc386540c4f709e18262618849c9718014fec2060d

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-08 10:32

Reported

2023-06-08 10:35

Platform

win10v2004-20230220-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

Signatures

Renames multiple (597) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\UninstallCompress.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertInvoke.tiff => C:\Users\Admin\Pictures\ConvertInvoke.tiff.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\DenyPing.crw => C:\Users\Admin\Pictures\DenyPing.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\DenyPing.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\PingUse.crw => C:\Users\Admin\Pictures\PingUse.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\SearchStep.raw => C:\Users\Admin\Pictures\SearchStep.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\SearchStep.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\UninstallCompress.crw => C:\Users\Admin\Pictures\UninstallCompress.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertInvoke.tiff.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\PingUse.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\RepairEnable.png => C:\Users\Admin\Pictures\RepairEnable.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File renamed C:\Users\Admin\Pictures\RestartFormat.tif => C:\Users\Admin\Pictures\RestartFormat.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertInvoke.tiff C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\RepairEnable.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
File opened for modification C:\Users\Admin\Pictures\RestartFormat.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\ProgramData\D556.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\D556.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\ProgramData\D556.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4624 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\D556.tmp
PID 4624 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\D556.tmp
PID 4624 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\D556.tmp
PID 4624 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\LB3.exe C:\ProgramData\D556.tmp
PID 4876 wrote to memory of 5084 N/A C:\ProgramData\D556.tmp C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 5084 N/A C:\ProgramData\D556.tmp C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 5084 N/A C:\ProgramData\D556.tmp C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\LB3.exe

"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\ProgramData\D556.tmp

"C:\ProgramData\D556.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D556.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 132.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.247.210.254:80 tcp
US 8.247.210.254:80 tcp
US 8.247.210.254:80 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp

Files

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\BBBBBBBBBBB

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\FFFFFFFFFFF

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\EEEEEEEEEEE

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\VVVVVVVVVVV

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\YYYYYYYYYYY

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\XXXXXXXXXXX

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\WWWWWWWWWWW

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\TTTTTTTTTTT

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\SSSSSSSSSSS

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\RRRRRRRRRRR

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\QQQQQQQQQQQ

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\PPPPPPPPPPP

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\OOOOOOOOOOO

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\NNNNNNNNNNN

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\MMMMMMMMMMM

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\LLLLLLLLLLL

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\KKKKKKKKKKK

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\JJJJJJJJJJJ

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\IIIIIIIIIII

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\HHHHHHHHHHH

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\DDDDDDDDDDD

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\UUUUUUUUUUU

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\GGGGGGGGGGG

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\DDDDDDDDDDD

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\CCCCCCCCCCC

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\AAAAAAAAAAA

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini

MD5 75977abb347d4d8bc84f5f182803c183
SHA1 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74
SHA256 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3
SHA512 a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd

memory/4624-188-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

memory/4624-189-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

C:\AFfGduKAp.README.txt

MD5 4835f6e6f0b9de442718c52bd77e803b
SHA1 13f92a6bf255d915f7b0ffa170f376b2e36ca9ad
SHA256 6f9a490e33c04b6af9d466e4f049df2313edc8191b365c022bf2e5a5d1dc38ec
SHA512 5f491e1d4994c5af79980900cf363d04cb230934434d435aa32d7db11bf74768897c338157ce317f101bedf5d16928e642ca17143574bdbf2c353c3f8c2e2486

memory/4624-2845-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

memory/4624-2846-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

C:\ProgramData\D556.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\D556.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDD

MD5 719de7e2b9cd7219bc1aea26fce42b56
SHA1 048057ba8cef003bc0c3fb4aa86a5776b2adc848
SHA256 1a4cff728911fe29de7356943ed2c45843c5e9c9b13c470e5cf5a85f488467f4
SHA512 1d3307927d7256a988087a2116cd11a52805ccff9bbccd155c9cdb8206603ebb889de8a5169ce5a9c603e6c9df64a4badc0034d050685d6bd0ca4c897058bc9a

memory/4876-2880-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/4876-2881-0x000000007FE00000-0x000000007FE01000-memory.dmp

memory/4876-2882-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/4876-2883-0x0000000002750000-0x0000000002760000-memory.dmp

memory/4876-2884-0x0000000002750000-0x0000000002760000-memory.dmp

memory/4876-2885-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/4876-2886-0x000000007FDC0000-0x000000007FDC1000-memory.dmp