Malware Analysis Report

2025-05-05 20:52

Sample ID 230601-c56yvacb58
Target 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside
SHA256 239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

239c9969fd07e1701a129cfd033a11a93ee9e88e4df4f79b7c5c0dd5bba86390

Threat Level: Known bad

The file 2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Lockbit

Renames multiple (602) files with added filename extension

Renames multiple (327) files with added filename extension

Modifies extensions of user files

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: RenamesItself

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-01 02:40

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-01 02:40

Reported

2023-06-01 02:43

Platform

win7-20230220-en

Max time kernel

102s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (327) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\BlockImport.tiff.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\BlockSearch.tif => C:\Users\Admin\Pictures\BlockSearch.tif.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockSearch.tif.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\ConnectSave.crw => C:\Users\Admin\Pictures\ConnectSave.crw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConnectSave.crw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\MoveRepair.png => C:\Users\Admin\Pictures\MoveRepair.png.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\MoveRepair.png.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockImport.tiff C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConfirmSend.raw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\SearchMount.tif.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\SkipDisable.tiff => C:\Users\Admin\Pictures\SkipDisable.tiff.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipDisable.tiff.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\SearchMount.tif => C:\Users\Admin\Pictures\SearchMount.tif.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipDisable.tiff C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\BlockImport.tiff => C:\Users\Admin\Pictures\BlockImport.tiff.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\ConfirmSend.raw => C:\Users\Admin\Pictures\ConfirmSend.raw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\9D69.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\9D69.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2647223082-2067913677-935928954-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Tvks1ukoO.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Tvks1ukoO.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\9D69.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon\ = "C:\\ProgramData\\Tvks1ukoO.ico" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO\ = "Tvks1ukoO" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A (17 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe"

C:\ProgramData\9D69.tmp

"C:\ProgramData\9D69.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9D69.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-06-01 02:40

Reported

2023-06-01 02:43

Platform

win10v2004-20230220-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (602) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\FindUnblock.tiff => C:\Users\Admin\Pictures\FindUnblock.tiff.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeCompare.tiff.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\FindUnblock.tiff C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\UnpublishAdd.png => C:\Users\Admin\Pictures\UnpublishAdd.png.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\SelectEnable.crw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\PopWait.crw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeCompare.tiff => C:\Users\Admin\Pictures\ResumeCompare.tiff.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\SelectEnable.crw => C:\Users\Admin\Pictures\SelectEnable.crw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnpublishAdd.png.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\ImportMeasure.crw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExportBlock.tif.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\FindUnblock.tiff.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\ImportMeasure.crw => C:\Users\Admin\Pictures\ImportMeasure.crw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\PopWait.crw => C:\Users\Admin\Pictures\PopWait.crw.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeCompare.tiff C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\ExportBlock.tif => C:\Users\Admin\Pictures\ExportBlock.tif.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\ProgramData\BA77.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\BA77.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PPuen_bp03y3x1qo9e2_v5m70l.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPygcnbx_tch2k078s_xd0man5.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP6zxj57bs0ups2tsqs6wctcc4b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Tvks1ukoO.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Tvks1ukoO.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\BA77.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon\ = "C:\\ProgramData\\Tvks1ukoO.ico" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Tvks1ukoO\ = "Tvks1ukoO" C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tvks1ukoO C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe C:\Windows\splwow64.exe
PID 4948 wrote to memory of 5192 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 2860 wrote to memory of 5280 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe C:\ProgramData\BA77.tmp
PID 5280 wrote to memory of 5488 N/A C:\ProgramData\BA77.tmp C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_bb78df384ff1d296d1f0b59803df89b3_darkside.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{468C8BC1-2846-4EA9-9F59-8FF89F8B7F0F}.xps" 133300680961910000

C:\ProgramData\BA77.tmp

"C:\ProgramData\BA77.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BA77.tmp >> NUL

Network

Files


C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\YYYYYYYYYYY

MD5 fa2092442e16a3407a719af8a2f2820d
SHA1 d9b73d32bb1a6e2106a6a318bc3bbeed5c613f53
SHA256 37322865eec788141d5bc4adebefba3836135126732e1d97cfbbe46010935960
SHA512 f22d1ea407143fe4bd4b1344a1a05690b9c42ff1634b6e73dd47745ca2732dcbeb4da33b96b9b0596b8246a51f711f60ecba66e59f04a4253b6c84ddf61a408d

C:\Tvks1ukoO.README.txt

MD5 16f0a86ec58d694866f7b3ddb81cedd2
SHA1 84c086d91c53287c2aeeb656dc260725713ee1b6
SHA256 fde4488022e679fcc435764eff8b56931caf2bdefc92a8b8f12fedcf0bfe2636
SHA512 67a1ff2f13d96919941900e160689a4424a2009b3cd7997ac7a458c9cb09f2b9cdd889fddf078a1f28edf225c11bfe306c3310772496ece35b22c89d7d77f200
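The $Recycle.Bin entries above are fourteen files with different names but one identical SHA256, dropped under the user's SID folder alongside the Tvks1ukoO.README.txt ransom note. The following sweep is an added example for turning that listing into a host check; it is not part of the sandbox report. It matches files by the SHA256 values copied from this section, flags ransom notes of the <9 characters>.README.txt shape, and clusters $Recycle.Bin files whose name is one upper-case letter repeated eleven times and whose content is identical. The two name patterns are assumptions generalised from the single names seen here, and the fixture tree built by build_fixture() has made-up contents (so its hashes do not equal the report's; run_demo() shows the hash path by feeding the fixture's own digest back in).

```python
"""IOC sweep over a directory tree for the dropped-file indicators in this report.

Added example, not the sandbox's code. Point sweep() at a mounted volume root
(e.g. Path("C:/")) on a suspect host; run_demo() exercises it on a constructed tree.
"""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Optional

# SHA256 values copied from the Files section of this report.
REPORT_SHA256 = {
    "37322865eec788141d5bc4adebefba3836135126732e1d97cfbbe46010935960": "$Recycle.Bin filler file",
    "fde4488022e679fcc435764eff8b56931caf2bdefc92a8b8f12fedcf0bfe2636": "Tvks1ukoO.README.txt ransom note",
    "917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2": "C:\\ProgramData\\BA77.tmp",
    "8d267a7178799ce2b62a231f351979cd90e9dbe430a35e4f36c33282e3fbc63d": "Temp DDDD... file",
}

# Name patterns generalised from the single instances in the listing (assumptions):
# eleven copies of one upper-case letter, a <9 alnum>.README.txt note, and the
# per-user SID folder inside $Recycle.Bin.
FILLER_NAME = re.compile(r"^([A-Z])\1{10}$")
RANSOM_NOTE = re.compile(r"^[A-Za-z0-9]{9}\.README\.txt$")
RECYCLE_SID_DIR = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Content used for the constructed fixture files (made up, not the real filler bytes).
FILLER_CONTENT = b"\x00" * 4096
FILLER_CONTENT_SHA256 = hashlib.sha256(FILLER_CONTENT).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream a file through SHA256 so large user files do not get read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, known_bad: Optional[Dict[str, str]] = None) -> Dict:
    """Walk root and return hash hits, ransom-note names and $Recycle.Bin filler clusters."""
    known_bad = REPORT_SHA256 if known_bad is None else known_bad
    hits: List = []
    notes: List[str] = []
    filler = defaultdict(list)  # sha256 -> filler file paths sharing that content
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in known_bad:
            hits.append((str(p), known_bad[digest]))
        if RANSOM_NOTE.match(p.name):
            notes.append(str(p))
        in_recycle_sid = (RECYCLE_SID_DIR.match(p.parent.name) is not None
                          and p.parent.parent.name == "$Recycle.Bin")
        if in_recycle_sid and FILLER_NAME.match(p.name):
            filler[digest].append(str(p))
    # Three or more same-content filler files under one SID folder is the pattern seen above.
    clusters = {d: sorted(v) for d, v in filler.items() if len(v) >= 3}
    return {"hash_hits": sorted(hits), "ransom_notes": sorted(notes), "filler_clusters": clusters}


def build_fixture(base: Path) -> Path:
    """Constructed tree mirroring the report's paths; file contents are invented."""
    rb = base / "$Recycle.Bin" / "S-1-5-21-1529757233-3489015626-3409890339-1000"
    rb.mkdir(parents=True)
    for name in ("MMMMMMMMMMM", "OOOOOOOOOOO", "RRRRRRRRRRR", "QQQQQQQQQQQ"):
        (rb / name).write_bytes(FILLER_CONTENT)
    (base / "Tvks1ukoO.README.txt").write_text("constructed ransom note placeholder\n")
    docs = base / "Users" / "Admin" / "Documents"
    docs.mkdir(parents=True)
    (docs / "notes.txt").write_text("benign user file\n")
    return base


def run_demo():
    """Sweep the fixture twice: with the report's hashes, then with the fixture's own digest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_fixture(Path(tmp))
        by_report = sweep(root)
        by_fixture_digest = sweep(root, {FILLER_CONTENT_SHA256: "constructed filler"})
    return by_report, by_fixture_digest


if __name__ == "__main__":
    for label, result in zip(("report hashes", "fixture digest"), run_demo()):
        print(label, result)
```

The hash set is only as good as the sample it came from, so the name and clustering checks are what catch a rebuilt payload with the same behaviour; on a real host, treat a filler cluster or a matching .README.txt as a trigger to pull the process tree and shadow-copy state, not as proof on its own.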

memory/2860-1460-0x0000000003360000-0x0000000003370000-memory.dmp

memory/2860-1461-0x0000000003360000-0x0000000003370000-memory.dmp

memory/2860-1463-0x0000000003360000-0x0000000003370000-memory.dmp

C:\ProgramData\BA77.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 61c154d38fc8844492626c324a0c9478
SHA1 48c396e77a49a13da334965330d1b1f27ac8d1f9
SHA256 8d267a7178799ce2b62a231f351979cd90e9dbe430a35e4f36c33282e3fbc63d
SHA512 3bbfbcb50e9b977b46317b46069094534a38360f0ca12c85eb2e53d488dfc969adf14b01fdaafdd1f5d0150b6f5a279da5d7266c7dc1005360bb88c69428ee9f

memory/5280-2863-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/5280-2893-0x00000000024E0000-0x00000000024F0000-memory.dmp

memory/5280-2894-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/5280-2895-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/5280-2892-0x00000000024E0000-0x00000000024F0000-memory.dmp

memory/5192-2896-0x00007FF991070000-0x00007FF991080000-memory.dmp

memory/5192-2898-0x00007FF991070000-0x00007FF991080000-memory.dmp

memory/5192-2897-0x00007FF991070000-0x00007FF991080000-memory.dmp

memory/5192-2899-0x00007FF991070000-0x00007FF991080000-memory.dmp

memory/5192-2900-0x00007FF991070000-0x00007FF991080000-memory.dmp

memory/5192-2901-0x00007FF98E9A0000-0x00007FF98E9B0000-memory.dmp

memory/5192-2902-0x00007FF98E9A0000-0x00007FF98E9B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{9CA394D5-AAF4-44FC-B3B8-71205918793B}

MD5 9658e085bb5c7c3ef80bf4b5a1f84fa1
SHA1 3ebb85e9da947167f857e69005eb2f3288085b47
SHA256 78d9d513ae1b07c23fb03ed3ed4e39a80579601513108b34391a561b2889c049
SHA512 eca2aa7b0b7288a6f5fc1ff007eb114b565730ad1e8be7313a4b367f10822ecb7a4d55f3ffa2d48be840dbe9c892703e5725b8015928e42dddcf9ac058eb1e2c

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 f31a26d5ae10b5c9978b2288e02499a8
SHA1 6d0e91db1c460611576d0d497852266ba565824b
SHA256 9940374850ce0381f0738ec1361556efaef50071085b397200598761b1b931cc
SHA512 2f233e75c81428c73a1d2c8797558c4fd55eb1cc69b88679b30f4d8ba6156ea78aea8909f6f8cbff9c2ea9de3bdd7e81b8ecc02c967a48e5d7e8b14547935190