Analysis Overview
SHA256
b964a5253c25465633ef8c2e7f77703d27227bfc0b13a7ca49d187dadc4d38ae
Threat Level: Known bad
The file 2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside was found to be: Known bad.
Malicious Activity Summary
Lockbit family
Lockbit
Rule to detect Lockbit 3.0 ransomware Windows payload
Modifies extensions of user files
Executes dropped EXE
Deletes itself
Loads dropped DLL
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Modifies Control Panel
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-01 02:40
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-01 02:40
Reported
2023-06-01 02:43
Platform
win7-20230220-en
Max time kernel
76s
Max time network
37s
Command Line
Signatures
Lockbit
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\9EEF.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\9EEF.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xd48YF5j8.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xd48YF5j8.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| N/A | N/A | C:\ProgramData\9EEF.tmp | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xd48YF5j8 | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xd48YF5j8\ = "xd48YF5j8" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8 | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8\DefaultIcon\ = "C:\\ProgramData\\xd48YF5j8.ico" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\9EEF.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1924 wrote to memory of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | C:\ProgramData\9EEF.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe"
C:\ProgramData\9EEF.tmp
"C:\ProgramData\9EEF.tmp"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-01 02:40
Reported
2023-06-01 02:43
Platform
win10v2004-20230220-en
Max time kernel
105s
Max time network
146s
Command Line
Signatures
Lockbit
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\RenameExpand.tiff | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\4258.tmp | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xd48YF5j8.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xd48YF5j8.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| N/A | N/A | C:\ProgramData\4258.tmp | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xd48YF5j8 | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xd48YF5j8\ = "xd48YF5j8" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8 | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8\DefaultIcon\ = "C:\\ProgramData\\xd48YF5j8.ico" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\4258.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1796 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe | C:\ProgramData\4258.tmp |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\ProgramData\4258.tmp
"C:\ProgramData\4258.tmp"
Network
Files
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\PPPPPPPPPPP
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\OOOOOOOOOOO
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\NNNNNNNNNNN
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\MMMMMMMMMMM
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\LLLLLLLLLLL
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\KKKKKKKKKKK
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\JJJJJJJJJJJ
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\IIIIIIIIIII
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\HHHHHHHHHHH
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\FFFFFFFFFFF
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\EEEEEEEEEEE
| MD5 | dd6458cb044cb5fbb01d59b4f94da90d |
| SHA1 | 0e60b598384e1b23995fa4da87b930a298aae3a0 |
| SHA256 | d7bf92a50bb725dd5f3054e081193de8f67f5766d28998288f65668bddd2ccd9 |
| SHA512 | 91b724d3138fa1333c3fdfc6c27f57570313fd4f6476e880a4d00637808043412a21b73f572a9956d97d2850c209a1ae781a7b4a500ef94f3aecd1932e239a7e |
C:\xd48YF5j8.README.txt
| MD5 | 8b4b5f68c3cb5640136eaeed6e16e35b |
| SHA1 | 8e35f017be75cf5afa593934478596f81c181c6d |
| SHA256 | 398a5a1f37fabe4a534c1371491685ebde227e542ad3c75da6201178ac2dd00b |
| SHA512 | aa14ed9ff05cecc88aa93863d33c29c2700446205c6c57db5a04cf311c0cce50ba54267d04f8be3d05253838a7528af880cbd56ef8c67a6263927b4afd6c3bdd |
memory/1796-427-0x0000000003030000-0x0000000003040000-memory.dmp
memory/1796-428-0x0000000003030000-0x0000000003040000-memory.dmp
memory/1796-429-0x0000000003030000-0x0000000003040000-memory.dmp
C:\ProgramData\4258.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | 217afdbf9987556e0cb66f3bfa7867a8 |
| SHA1 | 4b1191f354ecccc73bd5e8f0ce9d62ef4b7b778b |
| SHA256 | ed718132b863ca85911a77904c00bb0d9e3d3b2c5674383cdcbe5d90297d02ea |
| SHA512 | d2d55679d13dae021cb1062677f2b401670be37a19529452c94a470afe0df3d704723281b7bf14d57764600d476efa5228af1375d5bc7fb6305f1a433bcfdcd1 |
memory/2480-463-0x000000007FE40000-0x000000007FE41000-memory.dmp
memory/2480-465-0x00000000024F0000-0x0000000002500000-memory.dmp
memory/2480-464-0x00000000024F0000-0x0000000002500000-memory.dmp
memory/2480-466-0x000000007FE20000-0x000000007FE21000-memory.dmp
memory/2480-467-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
memory/2480-468-0x00000000024F0000-0x0000000002500000-memory.dmp
memory/2480-469-0x00000000024F0000-0x0000000002500000-memory.dmp