Analysis Overview
SHA256
0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194
Threat Level: Known bad
The file 2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside was found to be: Known bad.
Malicious Activity Summary
Rule to detect Lockbit 3.0 ransomware Windows payload
Lockbit family
Renames multiple (328) files with added filename extension
Renames multiple (606) files with added filename extension
Modifies extensions of user files
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Checks computer location settings
Executes dropped EXE
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Modifies Control Panel
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2023-06-01 02:41
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-01 02:41
Reported
2023-06-01 02:44
Platform
win7-20230220-en
Max time kernel
76s
Max time network
39s
Command Line
Signatures
Renames multiple (328) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\CompleteHide.png => C:\Users\Admin\Pictures\CompleteHide.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\FormatTrace.png => C:\Users\Admin\Pictures\FormatTrace.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RenameUse.tif => C:\Users\Admin\Pictures\RenameUse.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RenameUse.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StopUninstall.tiff | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StopUninstall.tiff.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompleteHide.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnterInvoke.tif => C:\Users\Admin\Pictures\EnterInvoke.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnterInvoke.tif.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatTrace.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StopUninstall.tiff => C:\Users\Admin\Pictures\StopUninstall.tiff.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
| N/A | N/A | C:\ProgramData\A287.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe"
C:\ProgramData\A287.tmp
"C:\ProgramData\A287.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A287.tmp >> NUL
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
Network
Files
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\AFfGduKAp.README.txt
| MD5 | 84f442c3fea4e5095485eb0cadda97f7 |
| SHA1 | bdf015c573a6777ae5adc7cdce4fcd018b6c7c9a |
| SHA256 | 59828ed980de3b5c492052b22577056a0d752bc691b4f87aced215995afa11d1 |
| SHA512 | cc3c876bb8db3639f18c1b771efc213d9712cb1f46f65cc13a016b2303976fa8600efad2e3435e560f5e7f12d4a28c1a092daec71f28cb1a8704ea02a08bf40b |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\AAAAAAAAAAA
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\CCCCCCCCCCC
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\BBBBBBBBBBB
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\DDDDDDDDDDD
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
memory/704-102-0x0000000000F40000-0x0000000000F80000-memory.dmp
memory/704-107-0x0000000000F40000-0x0000000000F80000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\EEEEEEEEEEE
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\GGGGGGGGGGG
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\FFFFFFFFFFF
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\HHHHHHHHHHH
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\IIIIIIIIIII
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\JJJJJJJJJJJ
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\KKKKKKKKKKK
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\LLLLLLLLLLL
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\MMMMMMMMMMM
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\NNNNNNNNNNN
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\OOOOOOOOOOO
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\PPPPPPPPPPP
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\QQQQQQQQQQQ
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\RRRRRRRRRRR
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\TTTTTTTTTTT
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\SSSSSSSSSSS
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\UUUUUUUUUUU
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\VVVVVVVVVVV
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\WWWWWWWWWWW
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\XXXXXXXXXXX
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\YYYYYYYYYYY
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA1 | 895c28148670215cb4f60b855654f85e9b0da96e |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
| SHA512 | ecd63a6ddeee0654956430a0466cd5c38e24c114b4afb69455002cc7691da4ce373e42141b0b0b08b688236859975b622c16b3ee5b56c196f6267575baac2046 |
\ProgramData\A287.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\ProgramData\A287.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | d147d5ddd38fc86c7dbf52626e2b786d |
| SHA1 | 187c20ae29657d2f955fd535abaa8fae8cfd21ba |
| SHA256 | cc5feb92927f1697c7ee294c48659045a36df47a725165a1e0fd4ecb84125b90 |
| SHA512 | ef5b4213bb86a6fa996023430d4754d1a9b887a40e40b300f588cda4eff883d911e90ca8453644d16d89129682a1e03ecd6359af29131d957ddcee66b5c92117 |
memory/1672-903-0x0000000002215000-0x0000000002233000-memory.dmp
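The Files listing above (and the behavioral2 listing further down) is long because the sample writes one and the same content to a series of files in the user's $Recycle.Bin whose names are a single repeated letter, sharing the hash of the dropped desktop.ini, and because the dropped .tmp is listed under more than one path. The following is an added Python example, not part of the sandbox report and not code from the sample, that parses a constructed excerpt of the listing in the report's own layout (a path line followed by pipe-table hash rows; memory-dump lines carry no hashes) and collapses it to unique SHA256 values with their paths, which is the shape an IOC list or a blocklist wants.

```python
import re

# Constructed excerpt of the behavioral1 "Files" listing above, in the report's
# own layout. Paths and hashes are copied from the report; the selection is ours.
SAMPLE_LISTING = r"""
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
C:\AFfGduKAp.README.txt
| MD5 | 84f442c3fea4e5095485eb0cadda97f7 |
| SHA256 | 59828ed980de3b5c492052b22577056a0d752bc691b4f87aced215995afa11d1 |
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\AAAAAAAAAAA
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
memory/704-102-0x0000000000F40000-0x0000000000F80000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\BBBBBBBBBBB
| MD5 | d34f5c2752f889b6ad024854566633f5 |
| SHA256 | ebe8608ae76fbe053572ce7691edf88689e9fb018c6ae94bd8b7849e85625b14 |
\ProgramData\A287.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
C:\ProgramData\A287.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
"""

# One hash row of the report's pipe table: "| MD5 | <hex> |"
_HASH_ROW = re.compile(r'^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$', re.IGNORECASE)


def parse_file_listing(text):
    """Turn the listing into [{'path': ..., 'hashes': {'MD5': ..., ...}}].
    Any non-hash line starts a new entry, so memory-dump lines become
    entries with an empty hash table."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _HASH_ROW.match(line)
        if m and current is not None:
            current["hashes"][m.group(1).upper()] = m.group(2).lower()
        elif not m:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def group_by_sha256(entries):
    """Map each SHA256 to the list of paths that carried it (insertion order)."""
    groups = {}
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha:
            groups.setdefault(sha, []).append(e["path"])
    return groups


def filler_files(entries):
    """Paths under $Recycle.Bin whose file name is one repeated character,
    the AAAAAAAAAAA ... series the sample leaves behind."""
    out = []
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        if "$Recycle.Bin" in e["path"] and len(name) > 1 and len(set(name)) == 1:
            out.append(e["path"])
    return out


if __name__ == "__main__":
    for sha, paths in group_by_sha256(parse_file_listing(SAMPLE_LISTING)).items():
        print(sha, len(paths), "path(s)")
```

Feeding the complete listing through group_by_sha256 gives three unique hashes for the dozens of rows above: the shared recycle-bin content, the ransom note, and the dropped .tmp. The path-only memory-dump entries drop out because they carry no SHA256.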
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-01 02:41
Reported
2023-06-01 02:44
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Renames multiple (606) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\UninstallRemove.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipSelect.raw => C:\Users\Admin\Pictures\SkipSelect.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SkipSelect.raw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockNew.png => C:\Users\Admin\Pictures\UnblockNew.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnblockNew.png.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallRemove.crw => C:\Users\Admin\Pictures\UninstallRemove.crw.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
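The "Renames multiple (N) files with added filename extension" signature in both behavioral runs rests on one observation visible in the rename tables of behavioral1 and behavioral2: every new path is the original path with a single extra component, .AFfGduKAp, appended. The following is an added Python example, not part of the sandbox report and not code from the sample, that parses rename rows in the report's "old => new" notation, derives the appended extension per file, and flags the run once the same extension has been appended to a threshold number of files. The input is a constructed list of rows copied from both tables plus one benign rename for contrast; the threshold of 3 is an assumption sized for that small sample, and a production detector would use a larger count over a short time window.

```python
from collections import Counter

# Constructed input: "File renamed" indicators copied from the behavioral1 and
# behavioral2 tables (old => new), plus one benign rename that is not in the report.
SAMPLE_RENAME_ROWS = [
    r"C:\Users\Admin\Pictures\CompleteHide.png => C:\Users\Admin\Pictures\CompleteHide.png.AFfGduKAp",
    r"C:\Users\Admin\Pictures\FormatTrace.png => C:\Users\Admin\Pictures\FormatTrace.png.AFfGduKAp",
    r"C:\Users\Admin\Pictures\RenameUse.tif => C:\Users\Admin\Pictures\RenameUse.tif.AFfGduKAp",
    r"C:\Users\Admin\Pictures\EnterInvoke.tif => C:\Users\Admin\Pictures\EnterInvoke.tif.AFfGduKAp",
    r"C:\Users\Admin\Pictures\StopUninstall.tiff => C:\Users\Admin\Pictures\StopUninstall.tiff.AFfGduKAp",
    r"C:\Users\Admin\Pictures\SkipSelect.raw => C:\Users\Admin\Pictures\SkipSelect.raw.AFfGduKAp",
    # constructed benign rename for contrast: a user renaming a document
    r"C:\Users\Admin\Documents\draft.docx => C:\Users\Admin\Documents\final.docx",
]


def appended_extension(old, new):
    """Return the single extension component appended to `old` to give `new`,
    or None when `new` is anything other than `old` + '.' + one component."""
    if not new.startswith(old + "."):
        return None
    suffix = new[len(old) + 1:]
    if not suffix or any(ch in suffix for ch in ".\\/"):
        return None
    return suffix


def parse_rename_rows(rows):
    """Split the report's 'old => new' indicator text into (old, new) pairs."""
    pairs = []
    for row in rows:
        old, sep, new = row.partition(" => ")
        if sep:
            pairs.append((old.strip(), new.strip()))
    return pairs


def mass_rename_verdict(rows, threshold=3):
    """Count how many files received each appended extension and flag the
    most common one once it reaches `threshold` (an assumed value for this
    sample; a real detector uses a larger count per time window)."""
    counts = Counter()
    for old, new in parse_rename_rows(rows):
        ext = appended_extension(old, new)
        if ext is not None:
            counts[ext] += 1
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return {"extension": ext, "count": n, "flagged": n >= threshold}


if __name__ == "__main__":
    print(mass_rename_verdict(SAMPLE_RENAME_ROWS))
```

The benign rename contributes nothing to the count because final.docx is not draft.docx plus one component, which is the property that separates an encryptor appending its marker from ordinary file management.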
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\ProgramData\FE79.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | N/A |
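Taken together, the "Modifies registry class" and "Sets desktop wallpaper using registry" rows (the same five writes appear in behavioral1 and behavioral2) describe one artifact pattern: a new file-type registration HKLM\SOFTWARE\Classes\.AFfGduKAp whose ProgID's DefaultIcon is a freshly dropped .ico under C:\ProgramData, alongside a wallpaper .bmp in the same directory. The following is an added Python example, not part of the sandbox report and not code from the sample, that correlates those three writes from the Indicator column text exactly as the report prints it. The input is a constructed list copied from the rows above plus one benign .txt registration for contrast; the "anything under C:\ProgramData" test is an assumption that fits this sample and would be tuned per environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the Indicator column of the registry signatures above
# (a default-value write ends in a trailing backslash before ' = '), plus one
# benign file-type registration that is not in the report.
SAMPLE_REG_WRITES = [
    r'\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp"',
    r'\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\WallpaperStyle = "10"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "txtfile"',
]

_WRITE_RE = re.compile(r'^(?P<key>.+?) = "(?P<val>.*)"$')
_EXT_RE = re.compile(r'\\SOFTWARE\\Classes\\\.(?P<ext>[^\\]+)\\$', re.IGNORECASE)
_ICON_RE = re.compile(r'\\SOFTWARE\\Classes\\(?P<progid>[^\\]+)\\DefaultIcon\\$', re.IGNORECASE)
_WALLPAPER_RE = re.compile(r'\\Control Panel\\Desktop\\Wallpaper$', re.IGNORECASE)


def parse_write(line):
    """Split 'key = "value"' as printed by the report; the report doubles
    backslashes inside string data, so undo that for path comparison."""
    m = _WRITE_RE.match(line)
    if not m:
        return None
    return m.group("key"), m.group("val").replace("\\\\", "\\")


def under_programdata(path):
    """True when `path` sits directly under <drive>\\ProgramData."""
    parts = PureWindowsPath(path).parts
    return len(parts) >= 2 and parts[0].endswith("\\") and parts[1].lower() == "programdata"


def ransomware_extension_verdict(lines):
    """Correlate: new Classes\\.<ext> -> ProgID, that ProgID's DefaultIcon under
    ProgramData, and a wallpaper under ProgramData. Returns one finding per
    registered extension that has a ProgramData icon; 'flagged' adds the wallpaper."""
    ext_to_progid, progid_to_icon, wallpapers = {}, {}, []
    for line in lines:
        parsed = parse_write(line)
        if parsed is None:
            continue
        key, val = parsed
        if (m := _EXT_RE.search(key)):
            ext_to_progid[m.group("ext")] = val
        elif (m := _ICON_RE.search(key)):
            progid_to_icon[m.group("progid").lower()] = val
        elif _WALLPAPER_RE.search(key):
            wallpapers.append(val)
    findings = []
    for ext, progid in ext_to_progid.items():
        icon = progid_to_icon.get(progid.lower())
        if icon is None or not under_programdata(icon):
            continue
        wallpaper = next((w for w in wallpapers if under_programdata(w)), None)
        findings.append({"extension": ext, "progid": progid, "icon": icon,
                         "wallpaper": wallpaper, "flagged": wallpaper is not None})
    return findings


if __name__ == "__main__":
    for f in ransomware_extension_verdict(SAMPLE_REG_WRITES):
        print(f)
```

Matching the key on its tail rather than its full path keeps the check independent of the user SID and of whether the hive is printed as \REGISTRY\USER\<SID> or HKCU. The .txt registration is not reported because no DefaultIcon write accompanies it.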
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
| N/A | N/A | C:\ProgramData\FE79.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4956 wrote to memory of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | C:\ProgramData\FE79.tmp |
| PID 4956 wrote to memory of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | C:\ProgramData\FE79.tmp |
| PID 4956 wrote to memory of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | C:\ProgramData\FE79.tmp |
| PID 4956 wrote to memory of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe | C:\ProgramData\FE79.tmp |
| PID 300 wrote to memory of 1012 | N/A | C:\ProgramData\FE79.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 300 wrote to memory of 1012 | N/A | C:\ProgramData\FE79.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 300 wrote to memory of 1012 | N/A | C:\ProgramData\FE79.tmp | C:\Windows\SysWOW64\cmd.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\ProgramData\FE79.tmp
"C:\ProgramData\FE79.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FE79.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| FR | 51.11.192.49:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
Files
memory/4956-133-0x0000000002D70000-0x0000000002D80000-memory.dmp