Malware Analysis Report

2025-05-05 20:52

Sample ID 230601-c6d98acb64
Target 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside
SHA256 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a
Tags
lockbit ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a

Threat Level: Known bad

The file 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Lockbit

Modifies extensions of user files

Executes dropped EXE

Loads dropped DLL

Deletes itself

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Modifies Control Panel

Modifies registry class

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-01 02:41

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-01 02:41

Reported

2023-06-01 02:43

Platform

win7-20230220-en

Max time kernel

81s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\59C5.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\59C5.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\ = "o3LDjrpOa" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\ = "C:\\ProgramData\\o3LDjrpOa.ico" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe"

C:\ProgramData\59C5.tmp

"C:\ProgramData\59C5.tmp"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x158

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-06-01 02:41

Reported

2023-06-01 02:43

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\PushComplete.tiff C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\4C1D.tmp N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPftkiyl2hf3ikzwkpoohjkznfc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPa1f97bq030ehz558nspo31v2d.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP822ly3ql9wi05p7c0r0ojycg.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\ = "o3LDjrpOa" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\ = "C:\\ProgramData\\o3LDjrpOa.ico" C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{247B8BE2-FD8E-42C9-B9C6-F5C91AEB7451}.xps" 133300681065470000

C:\ProgramData\4C1D.tmp

"C:\ProgramData\4C1D.tmp"

Network

Country Destination Domain Proto

Files
