Malware Analysis Report

2025-05-05 20:52

Sample ID 230601-c53anacf31
Target 2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside
SHA256 b964a5253c25465633ef8c2e7f77703d27227bfc0b13a7ca49d187dadc4d38ae
Tags
lockbit ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b964a5253c25465633ef8c2e7f77703d27227bfc0b13a7ca49d187dadc4d38ae

Threat Level: Known bad

The file 2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Lockbit family

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Modifies extensions of user files

Executes dropped EXE

Deletes itself

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Modifies Control Panel

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-01 02:40

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-01 02:40

Reported

2023-06-01 02:43

Platform

win7-20230220-en

Max time kernel

76s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\9EEF.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\9EEF.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xd48YF5j8.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xd48YF5j8.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xd48YF5j8 C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xd48YF5j8\ = "xd48YF5j8" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8 C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8\DefaultIcon\ = "C:\\ProgramData\\xd48YF5j8.ico" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe"

C:\ProgramData\9EEF.tmp

"C:\ProgramData\9EEF.tmp"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\GGGGGGGGGGG

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\HHHHHHHHHHH

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\EEEEEEEEEEE

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\CCCCCCCCCCC

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\AAAAAAAAAAA

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\BBBBBBBBBBB

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\DDDDDDDDDDD

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\FFFFFFFFFFF

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\IIIIIIIIIII

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\JJJJJJJJJJJ

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\KKKKKKKKKKK

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\LLLLLLLLLLL

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\MMMMMMMMMMM

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\OOOOOOOOOOO

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\NNNNNNNNNNN

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\PPPPPPPPPPP

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\QQQQQQQQQQQ

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\RRRRRRRRRRR

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\SSSSSSSSSSS

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\TTTTTTTTTTT

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\UUUUUUUUUUU

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\YYYYYYYYYYY

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\XXXXXXXXXXX

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\WWWWWWWWWWW

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\VVVVVVVVVVV

MD5 b76fc48737d67ddc2588c1abb8441a09
SHA1 8fd75c909fecd0c266d98f0da27395435064861d
SHA256 b6f1ee3d68f248e491578ad5faf154f3bc797329ce28c11e6e3311cc0fd73833
SHA512 778e86bb948de0bd7907dd277187f5fb2452a3c6cfa873a89ab37eadc55e8770b884ec21ea31ea2eff32a333de6c9c2505cc89f86df8379a2cff437bcb6f0859

C:\xd48YF5j8.README.txt

MD5 fe31a1ad59630203b59c9a9a2144c5e2
SHA1 9623dc458026a96ef5dcf62736b308cfb81064d8
SHA256 a3ed5ead2ac19f8b6e7e30ccfe6dc37215977c06189bcb3841a4a0d4fde8139d
SHA512 acf2cdae3293409e43db11a0cd033dae9e061020622dc156e764c047194a522b1c5767b6db4fde6d72a42b4180524bbbfedb9f59621b5c68256a3b1507ac4c8e

memory/1924-197-0x00000000001E0000-0x0000000000220000-memory.dmp

memory/1924-195-0x00000000001E0000-0x0000000000220000-memory.dmp

\ProgramData\9EEF.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\9EEF.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 1ab21feffae5c68408444232ad566ab0
SHA1 0de8e574cdd8f6b5dec8bc089b60462ce0ba1ca4
SHA256 0deac997c3177ccdd7d349e69472d65b4c0c7d162b4bd097eb32110654fdd82f
SHA512 7befa2cbddfda449f98cfe9f822576a4ef0117b00a1d089b1ed7fa5009de212ef6d6f31ce0bb01613693c28035572c4cc50c795477bdd55e4d66cfea92cd4544

memory/864-350-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/864-351-0x0000000002310000-0x0000000002350000-memory.dmp

memory/864-352-0x0000000002310000-0x0000000002350000-memory.dmp

memory/864-353-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/864-354-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/864-355-0x0000000002310000-0x0000000002350000-memory.dmp

memory/864-356-0x0000000002310000-0x0000000002350000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-01 02:40

Reported

2023-06-01 02:43

Platform

win10v2004-20230220-en

Max time kernel

105s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\RenameExpand.tiff C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\4258.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2275444769-3691835758-4097679484-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xd48YF5j8.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xd48YF5j8.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xd48YF5j8 C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xd48YF5j8\ = "xd48YF5j8" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8 C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xd48YF5j8\DefaultIcon\ = "C:\\ProgramData\\xd48YF5j8.ico" C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_acca2982e502a1fed11d51b16d43312d_darkside.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\ProgramData\4258.tmp

"C:\ProgramData\4258.tmp"

Network


Files
