Analysis Overview
SHA256
54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a
Threat Level: Known bad
The file 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside was found to be: Known bad.
Malicious Activity Summary
Rule to detect Lockbit 3.0 ransomware Windows payload
Lockbit family
Lockbit
Modifies extensions of user files
Executes dropped EXE
Loads dropped DLL
Deletes itself
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Modifies Control Panel
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-01 02:41
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-01 02:41
Reported
2023-06-01 02:43
Platform
win7-20230220-en
Max time kernel
81s
Max time network
49s
Command Line
Signatures
Lockbit
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\59C5.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\59C5.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| N/A | N/A | C:\ProgramData\59C5.tmp | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\ = "o3LDjrpOa" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\ = "C:\\ProgramData\\o3LDjrpOa.ico" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\59C5.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1604 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | C:\ProgramData\59C5.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe"
C:\ProgramData\59C5.tmp
"C:\ProgramData\59C5.tmp"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x158
Network
Files
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\AAAAAAAAAAA
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\BBBBBBBBBBB
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\CCCCCCCCCCC
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\DDDDDDDDDDD
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\EEEEEEEEEEE
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\FFFFFFFFFFF
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\GGGGGGGGGGG
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\HHHHHHHHHHH
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\IIIIIIIIIII
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\JJJJJJJJJJJ
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\KKKKKKKKKKK
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\LLLLLLLLLLL
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\MMMMMMMMMMM
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\NNNNNNNNNNN
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\OOOOOOOOOOO
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\PPPPPPPPPPP
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\QQQQQQQQQQQ
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\RRRRRRRRRRR
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\SSSSSSSSSSS
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\TTTTTTTTTTT
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\UUUUUUUUUUU
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\VVVVVVVVVVV
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\WWWWWWWWWWW
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\XXXXXXXXXXX
C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\YYYYYYYYYYY
C:\o3LDjrpOa.README.txt
memory/1604-228-0x0000000000B60000-0x0000000000BA0000-memory.dmp
memory/1604-227-0x0000000000B60000-0x0000000000BA0000-memory.dmp
memory/1604-293-0x0000000000B60000-0x0000000000BA0000-memory.dmp
\ProgramData\59C5.tmp
C:\ProgramData\59C5.tmp
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
memory/1224-330-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
memory/1224-331-0x0000000000520000-0x0000000000560000-memory.dmp
memory/1224-332-0x000000007EF80000-0x000000007EF81000-memory.dmp
memory/1224-333-0x000000007EF20000-0x000000007EF21000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-01 02:41
Reported
2023-06-01 02:43
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
154s
Command Line
Signatures
Lockbit
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\PushComplete.tiff | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\4C1D.tmp | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPftkiyl2hf3ikzwkpoohjkznfc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPa1f97bq030ehz558nspo31v2d.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PP822ly3ql9wi05p7c0r0ojycg.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| N/A | N/A | C:\ProgramData\4C1D.tmp | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\ = "o3LDjrpOa" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\ = "C:\\ProgramData\\o3LDjrpOa.ico" | C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\4C1D.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{247B8BE2-FD8E-42C9-B9C6-F5C91AEB7451}.xps" 133300681065470000
C:\ProgramData\4C1D.tmp
"C:\ProgramData\4C1D.tmp"
Network
Files
memory/4116-133-0x0000000002610000-0x0000000002620000-memory.dmp
memory/4116-135-0x0000000002610000-0x0000000002620000-memory.dmp
memory/4116-136-0x0000000002610000-0x0000000002620000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\AAAAAAAAAAA
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\DDDDDDDDDDD
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\GGGGGGGGGGG
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\FFFFFFFFFFF
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\EEEEEEEEEEE
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\CCCCCCCCCCC
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\BBBBBBBBBBB
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\KKKKKKKKKKK
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\JJJJJJJJJJJ
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\LLLLLLLLLLL
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\IIIIIIIIIII
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\HHHHHHHHHHH
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\OOOOOOOOOOO
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\PPPPPPPPPPP
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\QQQQQQQQQQQ
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\NNNNNNNNNNN
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\MMMMMMMMMMM
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\YYYYYYYYYYY
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\XXXXXXXXXXX
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\WWWWWWWWWWW
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\VVVVVVVVVVV
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\UUUUUUUUUUU
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\TTTTTTTTTTT
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\SSSSSSSSSSS
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\RRRRRRRRRRR
| MD5 | 3834c3ae1387f7484b0a4a51f1aaa35a |
| SHA1 | 7492baa62ce9aa854146148185b23c69fc122dfe |
| SHA256 | 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9 |
| SHA512 | 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676 |
C:\o3LDjrpOa.README.txt
| MD5 | 0ed320811b631a2836da2fb56e874d42 |
| SHA1 | 88346e3af64361c0960d8fcc561cdf243e4050b3 |
| SHA256 | c2884b70c6bcd1957510032248207a10cd54526de3887a1c7afae1ea5261150d |
| SHA512 | 42c579c75dc64726a5ef9b11c013296aa49d3b4b122c5a79c5660e7eadea187966643fb381cfe8a98b4b8a2ece00a8d29ac43295c4ab7c73476418a726f926d0 |
memory/4116-399-0x0000000002610000-0x0000000002620000-memory.dmp
memory/4116-400-0x0000000002610000-0x0000000002620000-memory.dmp
memory/4116-401-0x0000000002610000-0x0000000002620000-memory.dmp
C:\ProgramData\4C1D.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | da757c30d9de5a1c5a005c83da64a3e6 |
| SHA1 | cc69f58a164c318e0944edae12f5583fbf6a6409 |
| SHA256 | 03163ea9e268bd660fe53a22dd7f20fe4275921edabb4f576f5e2197a2d628ea |
| SHA512 | 6653120a2663c0203eb9a775d91de46e4a3effb306f9d45e4af2eb63a46cb908d6ca4f97cc483d3c7ec35cd55c5377a3941d3f978649a35b5cd39b2b7da7009c |
memory/2376-445-0x000000007FE40000-0x000000007FE41000-memory.dmp
memory/2376-447-0x00000000026B0000-0x00000000026C0000-memory.dmp
memory/2376-446-0x00000000026B0000-0x00000000026C0000-memory.dmp
memory/3536-449-0x00007FF993310000-0x00007FF993320000-memory.dmp
memory/2376-448-0x000000007FE20000-0x000000007FE21000-memory.dmp
memory/2376-450-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
memory/3536-451-0x00007FF993310000-0x00007FF993320000-memory.dmp
memory/3536-452-0x00007FF993310000-0x00007FF993320000-memory.dmp
memory/3536-453-0x00007FF993310000-0x00007FF993320000-memory.dmp
memory/3536-454-0x00007FF993310000-0x00007FF993320000-memory.dmp
memory/3536-455-0x00007FF990A40000-0x00007FF990A50000-memory.dmp
memory/3536-456-0x00007FF990A40000-0x00007FF990A50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{45DA0B5E-59C5-4930-9F74-92B05E0D18E4}
| MD5 | e00070832bd6ba254d37efe2fa942019 |
| SHA1 | d05a2437ed30cb986fd81e8d392871bf7fca97db |
| SHA256 | c33b0daeb164858d640d1b5b280138d5cdb2b3ae996a255db868b60e8d096102 |
| SHA512 | 87b239883631ab67d91e233e6779ba38a13124e1c74bb2a6108e0b954eef9e6bfad969d5df7f3e90e206fd4e1b2130ec710621216956017864e68a4815188b42 |
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
| MD5 | efe13471df9daedf1ba9044854f6609a |
| SHA1 | 441aa6676ca8b21b602784155d366505b54c213f |
| SHA256 | edd9383d0a2aaecda4edb74d3bf984ff893b730736ccdec797ab5cd50197c7d4 |
| SHA512 | f8b69eac75b62a79bc7c28a3e693b56d9a4f6d060ddcbcf088bece9b0e7ce14f6e962b64d5ae4364cf000b356f2b0aec4ff34044def0382427bf364823ffc516 |
memory/2376-469-0x00000000026B0000-0x00000000026C0000-memory.dmp
memory/2376-470-0x00000000026B0000-0x00000000026C0000-memory.dmp