Analysis Overview
SHA256
0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194
Threat Level: Known bad
The file LB3 was found to be: Known bad.
Malicious Activity Summary
Rule to detect Lockbit 3.0 ransomware Windows payload
Lockbit family
Renames multiple (597) files with added filename extension
Renames multiple (674) files with added filename extension
Modifies extensions of user files
Executes dropped EXE
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
Modifies Control Panel
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-08 10:32
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-08 10:32
Reported
2023-06-08 10:35
Platform
win10-20230220-en
Max time kernel
146s
Max time network
63s
Command Line
Signatures
Renames multiple (674) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\SuspendLock.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnableExport.crw => C:\Users\Admin\Pictures\EnableExport.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnableExport.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GetSuspend.raw => C:\Users\Admin\Pictures\GetSuspend.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GetSuspend.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SuspendLock.raw => C:\Users\Admin\Pictures\SuspendLock.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
| N/A | N/A | C:\ProgramData\6A7.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2132 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\6A7.tmp |
| PID 2132 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\6A7.tmp |
| PID 2132 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\6A7.tmp |
| PID 2132 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\6A7.tmp |
| PID 752 wrote to memory of 4940 | N/A | C:\ProgramData\6A7.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 752 wrote to memory of 4940 | N/A | C:\ProgramData\6A7.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 752 wrote to memory of 4940 | N/A | C:\ProgramData\6A7.tmp | C:\Windows\SysWOW64\cmd.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
C:\ProgramData\6A7.tmp
"C:\ProgramData\6A7.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6A7.tmp >> NUL
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AFfGduKAp.README.txt
Network
| Country | Destination | Domain | Proto |
| US | 20.42.73.26:443 | | tcp |
| NL | 8.238.21.254:80 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\AAAAAAAAAAA
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\RRRRRRRRRRR
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\VVVVVVVVVVV
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\EEEEEEEEEEE
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\YYYYYYYYYYY
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\XXXXXXXXXXX
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\WWWWWWWWWWW
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\UUUUUUUUUUU
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\TTTTTTTTTTT
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\QQQQQQQQQQQ
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\PPPPPPPPPPP
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\NNNNNNNNNNN
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\LLLLLLLLLLL
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\KKKKKKKKKKK
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\JJJJJJJJJJJ
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\IIIIIIIIIII
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\HHHHHHHHHHH
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\GGGGGGGGGGG
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\FFFFFFFFFFF
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\DDDDDDDDDDD
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\DDDDDDDDDDD
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\CCCCCCCCCCC
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\BBBBBBBBBBB
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\SSSSSSSSSSS
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\OOOOOOOOOOO
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\MMMMMMMMMMM
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\desktop.ini
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
memory/2132-176-0x0000000000D40000-0x0000000000D50000-memory.dmp
memory/2132-177-0x0000000000D40000-0x0000000000D50000-memory.dmp
memory/2132-178-0x0000000000D40000-0x0000000000D50000-memory.dmp
C:\AFfGduKAp.README.txt
| MD5 | 63471181fb3bc1372662cbd2b84749f1 |
| SHA1 | a0601231e2267619e35c675f232802953903a2a5 |
| SHA256 | 2e63ff921dcff75f50aeada02ca7db429c2c5a66dab90b5cb106511224adad73 |
| SHA512 | 4c55938c4466763ea7fe397432ba92a1377b03715bd0fcf75527683eb24947eb6dc5a1a86df0c371f48542cc386540c4f709e18262618849c9718014fec2060d |
memory/3660-2222-0x000001747E690000-0x000001747E6A0000-memory.dmp
memory/3660-2238-0x000001747EDD0000-0x000001747EDE0000-memory.dmp
memory/3660-2329-0x000001747EE50000-0x000001747EE51000-memory.dmp
memory/3660-2393-0x000001747EEE0000-0x000001747EEE1000-memory.dmp
memory/3660-2423-0x000001747F560000-0x000001747F561000-memory.dmp
memory/3660-2518-0x000001747F580000-0x000001747F581000-memory.dmp
memory/2132-3233-0x0000000000D40000-0x0000000000D50000-memory.dmp
memory/2132-3234-0x0000000000D40000-0x0000000000D50000-memory.dmp
memory/2132-3235-0x0000000000D40000-0x0000000000D50000-memory.dmp
C:\ProgramData\6A7.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\ProgramData\6A7.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDD
| MD5 | 13b119f05765ff36bde231ff20e0486e |
| SHA1 | 167340096ef2fdc8c8f18abf005c108b4754893c |
| SHA256 | bad6c0de2e871484343ac96d94d3a400408495d171ff0f912bcef77c2cac3cc7 |
| SHA512 | bacc2a7d7bf8a6a286bb8c396be5577e587ebafc407bfd8c6839295d86d4292d14a308873f9ea0f393ff5d6f5ca8d73612b2082b07fbc0cc007ab85e1c7c708d |
C:\Users\Admin\Desktop\AFfGduKAp.README.txt
| MD5 | 63471181fb3bc1372662cbd2b84749f1 |
| SHA1 | a0601231e2267619e35c675f232802953903a2a5 |
| SHA256 | 2e63ff921dcff75f50aeada02ca7db429c2c5a66dab90b5cb106511224adad73 |
| SHA512 | 4c55938c4466763ea7fe397432ba92a1377b03715bd0fcf75527683eb24947eb6dc5a1a86df0c371f48542cc386540c4f709e18262618849c9718014fec2060d |
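The Files listing above repeats a single SHA256 across every placeholder written under $Recycle.Bin plus desktop.ini, lists C:\ProgramData\6A7.tmp twice, and the behavioral2 listing further down ends on an entry that has only its MD5 and SHA1 rows. Content hash, not path, is therefore the right key when turning this section into IOCs. The Python below is an added example, not tooling from this report or from the sandbox: it parses this page's listing format (a path line followed by `| MD5 | ... |` through `| SHA512 | ... |` rows), flags entries whose digest rows are missing or malformed, groups paths by SHA256, and checks a recovered file's bytes against an entry. SAMPLE_LISTING is a constructed excerpt with the hashes copied from the tables above.

```python
"""Parse the 'Files' listing format used on this page and group by content."""
import hashlib
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# One digest row:  | ALG | hex |
_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]*)\s*\|?\s*$")

# Constructed excerpt in the page's own format (hashes copied from the tables above).
SAMPLE_LISTING = r"""
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\AAAAAAAAAAA
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
C:\$Recycle.Bin\S-1-5-21-1311743041-1167936498-546579926-1000\desktop.ini
| MD5 | bb89ec888cb1e37f8bb07cf0d66a0619 |
| SHA1 | dda1cb969cbca298e247e8204ed6d870e6800918 |
| SHA256 | de53344d69b433dd9c45bc1e2d56f59f6f670f7caea05b9860899a73dc874406 |
| SHA512 | 7a636ef76e95e46dcbd363bf39b87f68a2f9af7f942cee416ead3040645616d7d618d409597159ed42cf2770a9d7cfcaa97ad12ede5837e9a2faee9422bf8a63 |
memory/2132-176-0x0000000000D40000-0x0000000000D50000-memory.dmp
C:\ProgramData\6A7.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\ProgramData\6A7.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\RRRRRRRRRRR
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
"""

def parse_listing(text):
    """Return [{'path', 'digests': {alg: hex}, 'problems': [...]}] in page order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ROW.match(line)
        if m:
            if entries:  # a digest row before any path line is ignored
                entries[-1]["digests"][m.group(1).upper()] = m.group(2).lower()
        else:
            entries.append({"path": line, "digests": {}, "problems": []})
    for e in entries:
        if e["path"].startswith("memory/"):
            continue  # memory regions carry no digest rows in this format
        for alg, want in DIGEST_LEN.items():
            got = e["digests"].get(alg)
            if got is None:
                e["problems"].append(f"missing {alg}")
            elif len(got) != want:
                e["problems"].append(f"{alg} has {len(got)} hex chars, expected {want}")
    return entries

def group_by_content(entries):
    """SHA256 -> sorted unique paths, counting only complete file entries."""
    groups = defaultdict(set)
    for e in entries:
        if e["path"].startswith("memory/") or e["problems"]:
            continue
        groups[e["digests"]["SHA256"]].add(e["path"])
    return {h: sorted(paths) for h, paths in groups.items()}

def summarise(text):
    entries = parse_listing(text)
    return {
        "entries": len(entries),
        "incomplete": [e["path"] for e in entries if e["problems"]],
        "content_groups": group_by_content(entries),
    }

def digests_of(data):
    """All four digests of a byte string, keyed like the listing rows."""
    return {alg: getattr(hashlib, alg.lower())(data).hexdigest() for alg in DIGEST_LEN}

def verify(entry, data):
    """Per-algorithm match of a recovered file's bytes against one listing entry."""
    actual = digests_of(data)
    return {alg: entry["digests"].get(alg) == actual[alg] for alg in DIGEST_LEN}

if __name__ == "__main__":
    s = summarise(SAMPLE_LISTING)
    print(s["entries"], "entries;", len(s["incomplete"]), "incomplete")
    for h, paths in s["content_groups"].items():
        print(h[:16], "...", len(paths), "path(s)")
```

On the sample, the two $Recycle.Bin paths collapse into one content group, the duplicated 6A7.tmp entry into another, and the truncated RRRRRRRRRRR entry is reported as incomplete rather than silently grouped under a missing hash.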
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-08 10:32
Reported
2023-06-08 10:35
Platform
win10v2004-20230220-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Renames multiple (597) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\UninstallCompress.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertInvoke.tiff => C:\Users\Admin\Pictures\ConvertInvoke.tiff.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DenyPing.crw => C:\Users\Admin\Pictures\DenyPing.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DenyPing.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PingUse.crw => C:\Users\Admin\Pictures\PingUse.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchStep.raw => C:\Users\Admin\Pictures\SearchStep.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SearchStep.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallCompress.crw => C:\Users\Admin\Pictures\UninstallCompress.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertInvoke.tiff.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PingUse.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RepairEnable.png => C:\Users\Admin\Pictures\RepairEnable.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RestartFormat.tif => C:\Users\Admin\Pictures\RestartFormat.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertInvoke.tiff | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RepairEnable.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RestartFormat.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\ProgramData\D556.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" | C:\Users\Admin\AppData\Local\Temp\LB3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
| N/A | N/A | C:\ProgramData\D556.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4624 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\D556.tmp |
| PID 4624 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\D556.tmp |
| PID 4624 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\D556.tmp |
| PID 4624 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\LB3.exe | C:\ProgramData\D556.tmp |
| PID 4876 wrote to memory of 5084 | N/A | C:\ProgramData\D556.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 4876 wrote to memory of 5084 | N/A | C:\ProgramData\D556.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 4876 wrote to memory of 5084 | N/A | C:\ProgramData\D556.tmp | C:\Windows\SysWOW64\cmd.exe |
Uses Volume Shadow Copy service COM API
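The signature rows for both detonations (behavioral1 and behavioral2), and the Malicious Activity Summary at the top, show one token, AFfGduKAp, appended to every renamed file and then reused for the HKLM\SOFTWARE\Classes\.AFfGduKAp registration, the DefaultIcon .ico, the Control Panel\Desktop wallpaper .bmp and the AFfGduKAp.README.txt note. A detection that requires the same token to recur across several of those artefacts is far more specific than a count of renamed files alone. The Python below is an added example, not part of this report or of any sandbox tooling: it runs that correlation over a constructed, Sysmon-like event list. The field names (`type`, `key`, `value`, `old`, `new`, `path`, `cmdline`) are this example's own shape rather than the sandbox's export format, and the rename and artefact thresholds are the author's choice.

```python
"""Correlate the appended extension with the secondary artefacts that reuse it."""
import re
from collections import defaultdict

# The token this report shows is 9 alphanumeric characters; the pattern is
# deliberately looser (4-16) so a differently sized token is still caught.
_EXT = r"[A-Za-z0-9]{4,16}"
_RENAME_RE = re.compile(rf"^(?P<old>.+)\.(?P<ext>{_EXT})$")

LB3 = r"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

# Constructed events modelled on the behavioral1/behavioral2 signature rows above.
SAMPLE_EVENTS = [
    {"type": "file_rename", "process": LB3, "old": r"C:\Users\Admin\Pictures\EnableExport.crw",
     "new": r"C:\Users\Admin\Pictures\EnableExport.crw.AFfGduKAp"},
    {"type": "file_rename", "process": LB3, "old": r"C:\Users\Admin\Pictures\GetSuspend.raw",
     "new": r"C:\Users\Admin\Pictures\GetSuspend.raw.AFfGduKAp"},
    {"type": "file_rename", "process": LB3, "old": r"C:\Users\Admin\Pictures\SuspendLock.raw",
     "new": r"C:\Users\Admin\Pictures\SuspendLock.raw.AFfGduKAp"},
    {"type": "registry", "process": LB3, "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp",
     "value": "AFfGduKAp"},
    {"type": "registry", "process": LB3, "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon",
     "value": r"C:\ProgramData\AFfGduKAp.ico"},
    {"type": "registry", "process": LB3,
     "key": r"\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Control Panel\Desktop\WallPaper",
     "value": r"C:\ProgramData\AFfGduKAp.bmp"},
    {"type": "file_create", "process": LB3, "path": r"C:\Users\Admin\Desktop\AFfGduKAp.README.txt"},
    {"type": "process", "process": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AFfGduKAp.README.txt'},
    # Benign control (constructed): one rename, no corroborating artefact.
    {"type": "file_rename", "process": r"C:\Windows\explorer.exe",
     "old": r"C:\Users\Admin\Documents\report.docx", "new": r"C:\Users\Admin\Documents\report.docx.backup"},
]

def appended_extension(old_path, new_path):
    """Token appended by a rename, or None if the rename did anything else."""
    m = _RENAME_RE.match(new_path)
    return m.group("ext") if m and m.group("old") == old_path else None

def _norm(p):
    return p.replace("/", "\\").lower()

def corroborating_artefacts(events, ext):
    """Which of the report's secondary artefacts reuse the token `ext`."""
    e = ext.lower()
    found = set()
    for ev in events:
        t = ev["type"]
        if t == "registry":
            key, val = _norm(ev["key"]), _norm(ev.get("value", ""))
            if key.endswith(f"\\software\\classes\\.{e}"):
                found.add("classes_ext_key")
            if key.endswith(f"\\classes\\{e}\\defaulticon") and val.endswith(f"\\{e}.ico"):
                found.add("default_icon")
            if key.endswith("\\control panel\\desktop\\wallpaper") and val.endswith(f"\\{e}.bmp"):
                found.add("wallpaper")
        elif t == "file_create" and _norm(ev["path"]).endswith(f"\\{e}.readme.txt"):
            found.add("ransom_note")
        elif t == "process" and f"{e}.readme.txt" in _norm(ev["cmdline"]):
            found.add("note_opened")
    return found

def detect(events, min_renames=3, min_artefacts=2):
    """{ext: details} for every appended token that clears both thresholds."""
    renames = defaultdict(lambda: defaultdict(int))  # ext -> process -> count
    for ev in events:
        if ev["type"] == "file_rename":
            ext = appended_extension(ev["old"], ev["new"])
            if ext:
                renames[ext][ev["process"]] += 1
    hits = {}
    for ext, per_proc in renames.items():
        total = sum(per_proc.values())
        arte = corroborating_artefacts(events, ext)
        if total >= min_renames and len(arte) >= min_artefacts:
            hits[ext] = {"renames": total, "processes": sorted(per_proc), "artefacts": sorted(arte)}
    return hits

def run_report_sample():
    return detect(SAMPLE_EVENTS)

if __name__ == "__main__":
    for ext, info in run_report_sample().items():
        print(ext, info)
```

With the thresholds as set, the `.backup` rename never reaches the artefact check, while AFfGduKAp is confirmed by all five secondary artefacts; in production the rename threshold would be raised well above three, since the report itself counts several hundred.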
Processes
C:\Users\Admin\AppData\Local\Temp\LB3.exe
"C:\Users\Admin\AppData\Local\Temp\LB3.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\ProgramData\D556.tmp
"C:\ProgramData\D556.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D556.tmp >> NUL
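Both detonations launch the same chain: LB3.exe drops a .tmp into C:\ProgramData, executes it, and that child runs cmd.exe /C DEL /F /Q against its own image, addressed through the 8.3 short name C:\PROGRA~3. The WriteProcessMemory rows pair each parent only with the child it spawned (2132 to 752 and 752 to 4940 in behavioral1; 4624 to 4876 and 4876 to 5084 here), so they belong to this launch chain rather than to injection into an unrelated process. The Python below is an added example, not code from this report or from the sandbox: it rebuilds the process tree from constructed process-creation records that use behavioral2's PIDs (the services.exe and vssvc.exe PIDs are filler), expands the short name through a small table that is an assumption for any host other than this sandbox image (a live responder would call GetLongPathNameW instead), and flags the cmd.exe whose delete target is its parent's image.

```python
"""Rebuild the launch chain and flag the self-deleting dropper."""
import re
from collections import defaultdict
from dataclasses import dataclass

# 8.3 aliases as they resolve on this report's sandbox image. Assumption for
# other hosts: ~N suffixes are assigned per volume in creation order.
SHORT_NAMES = {
    r"c:\progra~3": r"c:\programdata",
    r"c:\progra~1": r"c:\program files",
    r"c:\progra~2": r"c:\program files (x86)",
}

# cmd.exe /C DEL [/F] [/Q] <target> [>> NUL]; ERASE is a synonym of DEL.
_DEL_RE = re.compile(r'/c\s+(?:del|erase)\b(?:\s+/[a-z])*\s+(?P<target>"[^"]+"|\S+)', re.IGNORECASE)

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

LB3 = r"C:\Users\Admin\AppData\Local\Temp\LB3.exe"

# Constructed records: 4624/4876/5084 are the behavioral2 PIDs above, the rest is filler.
SAMPLE_PROCS = [
    Proc(700, 1, r"C:\Windows\system32\services.exe", "services.exe"),
    Proc(1230, 700, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    Proc(4624, 1200, LB3, f'"{LB3}"'),
    Proc(4876, 4624, r"C:\ProgramData\D556.tmp", r'"C:\ProgramData\D556.tmp"'),
    Proc(5084, 4876, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D556.tmp >> NUL'),
    # Benign control: a cleanup of a log file, not of the parent's image.
    Proc(6000, 700, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C DEL /Q C:\Users\Admin\AppData\Local\Temp\setup.log'),
]

def normalise_path(p):
    """Lower-case, strip quotes, and expand a leading 8.3 alias from SHORT_NAMES."""
    p = p.strip('"').replace("/", "\\").lower()
    for short, long in SHORT_NAMES.items():
        if p == short or p.startswith(short + "\\"):
            return long + p[len(short):]
    return p

def deletion_target(cmdline):
    """Path a 'cmd.exe /C DEL ...' command line would delete, or None."""
    m = _DEL_RE.search(cmdline)
    return normalise_path(m.group("target")) if m else None

def build_tree(procs):
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    return by_pid, children

def chain(by_pid, pid):
    """Image file names from the oldest known ancestor down to `pid`."""
    out = []
    while pid in by_pid:
        out.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return list(reversed(out))

def find_self_deletion(procs):
    """One finding per cmd.exe whose delete target is its own parent's image."""
    by_pid, _ = build_tree(procs)
    findings = []
    for p in procs:
        target = deletion_target(p.cmdline)
        parent = by_pid.get(p.ppid)
        if target and parent and normalise_path(parent.image) == target:
            findings.append({
                "deleter_pid": p.pid,
                "deleted_pid": parent.pid,
                "deleted_image": parent.image,
                "chain": chain(by_pid, p.pid),
                "dropped_in_programdata": target.startswith("c:\\programdata\\") and target.endswith(".tmp"),
            })
    return findings

if __name__ == "__main__":
    for f in find_self_deletion(SAMPLE_PROCS):
        print(" -> ".join(f["chain"]), "| deletes", f["deleted_image"])
```

Because the match is made on the parent's image rather than on the literal command line, the same logic fires whether the dropper is named 6A7.tmp, D556.tmp or anything else, and the `dropped_in_programdata` flag isolates the specific C:\ProgramData\*.tmp pattern this report shows.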
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 42.220.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.17.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.247.210.254:80 | | tcp |
| US | 8.247.210.254:80 | | tcp |
| US | 8.247.210.254:80 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\BBBBBBBBBBB
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\FFFFFFFFFFF
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\EEEEEEEEEEE
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\VVVVVVVVVVV
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\YYYYYYYYYYY
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\XXXXXXXXXXX
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\WWWWWWWWWWW
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\TTTTTTTTTTT
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\SSSSSSSSSSS
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\RRRRRRRRRRR
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\QQQQQQQQQQQ
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\PPPPPPPPPPP
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\OOOOOOOOOOO
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\NNNNNNNNNNN
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\MMMMMMMMMMM
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\LLLLLLLLLLL
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\KKKKKKKKKKK
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\JJJJJJJJJJJ
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\IIIIIIIIIII
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\HHHHHHHHHHH
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\DDDDDDDDDDD
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\UUUUUUUUUUU
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\GGGGGGGGGGG
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\CCCCCCCCCCC
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\AAAAAAAAAAA
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
memory/4624-188-0x0000000002AA0000-0x0000000002AB0000-memory.dmp
memory/4624-189-0x0000000002AA0000-0x0000000002AB0000-memory.dmp
C:\AFfGduKAp.README.txt
| MD5 | 4835f6e6f0b9de442718c52bd77e803b |
| SHA1 | 13f92a6bf255d915f7b0ffa170f376b2e36ca9ad |
| SHA256 | 6f9a490e33c04b6af9d466e4f049df2313edc8191b365c022bf2e5a5d1dc38ec |
| SHA512 | 5f491e1d4994c5af79980900cf363d04cb230934434d435aa32d7db11bf74768897c338157ce317f101bedf5d16928e642ca17143574bdbf2c353c3f8c2e2486 |
memory/4624-2845-0x0000000002AA0000-0x0000000002AB0000-memory.dmp
memory/4624-2846-0x0000000002AA0000-0x0000000002AB0000-memory.dmp
C:\ProgramData\D556.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDD
| MD5 | 719de7e2b9cd7219bc1aea26fce42b56 |
| SHA1 | 048057ba8cef003bc0c3fb4aa86a5776b2adc848 |
| SHA256 | 1a4cff728911fe29de7356943ed2c45843c5e9c9b13c470e5cf5a85f488467f4 |
| SHA512 | 1d3307927d7256a988087a2116cd11a52805ccff9bbccd155c9cdb8206603ebb889de8a5169ce5a9c603e6c9df64a4badc0034d050685d6bd0ca4c897058bc9a |
memory/4876-2880-0x000000007FDE0000-0x000000007FDE1000-memory.dmp
memory/4876-2881-0x000000007FE00000-0x000000007FE01000-memory.dmp
memory/4876-2882-0x000000007FE40000-0x000000007FE41000-memory.dmp
memory/4876-2883-0x0000000002750000-0x0000000002760000-memory.dmp
memory/4876-2884-0x0000000002750000-0x0000000002760000-memory.dmp
memory/4876-2885-0x000000007FE20000-0x000000007FE21000-memory.dmp
memory/4876-2886-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
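The file listing above is the raw material for host-based indicators, but it is awkward to consume by hand: many distinct paths under $Recycle.Bin share one set of hashes, the same path can appear more than once, and a hash copied with a missing character would silently become a useless indicator. The following parser is an added example, not part of the sandbox report or of any vendor tooling. It reads a listing in the layout shown above (a path line followed by MD5/SHA1/SHA256/SHA512 table rows, with memory/… dump lines interleaved), validates digest lengths, collapses verbatim repeats, groups paths by SHA256 and exports a sorted hash blocklist. The sample text inside it is a constructed excerpt whose paths and hashes are copied from the entries above; the duplicate D556.tmp entry is included to exercise the collapse.

```python
"""Parse a sandbox 'Files' listing into indicator records (added example)."""
import re
from collections import defaultdict

# One table row of the listing, e.g. "| SHA256 | 1106e46...9bb3 |".
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed excerpt in the report's layout; values copied from the listing above.
SAMPLE = r"""
Files
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\BBBBBBBBBBB
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
| SHA512 | a6f12c6d7fa32f7a670d12f2bf86246ebc6cf51cd202d924b6484e493b9a996d82e980c08315d681daff231a95e3ee9d5e0968f5576cd8504d49c3e1aa02e0dd |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini
| MD5 | 75977abb347d4d8bc84f5f182803c183 |
| SHA1 | 7f0aa1b1dc0364e4086df57ab9fd196314cb0e74 |
| SHA256 | 1106e4604ad5aad2148f5b44f3d3bec99a9d99f450614b26961112dd6ee69bb3 |
memory/4624-188-0x0000000002AA0000-0x0000000002AB0000-memory.dmp
C:\AFfGduKAp.README.txt
| MD5 | 4835f6e6f0b9de442718c52bd77e803b |
| SHA1 | 13f92a6bf255d915f7b0ffa170f376b2e36ca9ad |
| SHA256 | 6f9a490e33c04b6af9d466e4f049df2313edc8191b365c022bf2e5a5d1dc38ec |
C:\ProgramData\D556.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
C:\ProgramData\D556.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
"""


def _flush(current, records, seen):
    """Keep a finished entry once; drop headings and entries with no SHA256."""
    if not current or "sha256" not in current:
        return
    key = (current["path"], current["sha256"])
    if key not in seen:
        seen.add(key)
        records.append(current)


def parse_file_listing(text):
    """Return one dict per distinct (path, SHA256) entry in the listing.

    A record starts at a line that is neither a table row nor a memory/ dump
    reference (the dropped file's path) and collects the hash rows after it.
    Digest lengths are checked so a truncated copy of the report raises
    instead of producing a wrong indicator.
    """
    records, seen, current = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, value = m.group(1).upper(), m.group(2).lower()
            if len(value) != HEX_LEN[algo]:
                raise ValueError(f"{algo} for {current['path']} has {len(value)} hex chars")
            current[algo.lower()] = value
            continue
        if line.startswith("|"):
            continue  # some other table row (e.g. a network row), not a file entry
        _flush(current, records, seen)
        current = {"path": line}
    _flush(current, records, seen)
    return records


def group_by_sha256(records):
    """Map each SHA256 to the sorted list of paths carrying that content."""
    groups = defaultdict(list)
    for r in records:
        groups[r["sha256"]].append(r["path"])
    return {h: sorted(paths) for h, paths in groups.items()}


def blocklist(records, algo="sha256"):
    """Sorted, de-duplicated digests of one algorithm for a hash blocklist."""
    return sorted({r[algo] for r in records if algo in r})


if __name__ == "__main__":
    recs = parse_file_listing(SAMPLE)
    for digest, paths in group_by_sha256(recs).items():
        print(f"{digest}  ({len(paths)} path(s))")
        for p in paths:
            print("   ", p)
```

Grouping by content hash is the step worth doing before exporting indicators: the single-letter $Recycle.Bin files and desktop.ini carry the same digest, so they are one content indicator with many paths, while the ransom note and the .tmp file are separate ones.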