Malware Analysis Report

2025-05-05 20:52

Sample ID 230601-c6td5scb72
Target 2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside
SHA256 0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194

Threat Level: Known bad

The file 2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (328) files with added filename extension

Renames multiple (606) files with added filename extension

Modifies extensions of user files

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies Control Panel

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-01 02:41

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-01 02:41

Reported

2023-06-01 02:44

Platform

win7-20230220-en

Max time kernel

76s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe"

Signatures

Renames multiple (328) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CompleteHide.png => C:\Users\Admin\Pictures\CompleteHide.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\FormatTrace.png => C:\Users\Admin\Pictures\FormatTrace.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\RenameUse.tif => C:\Users\Admin\Pictures\RenameUse.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\RenameUse.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopUninstall.tiff C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopUninstall.tiff.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompleteHide.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\EnterInvoke.tif => C:\Users\Admin\Pictures\EnterInvoke.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\EnterInvoke.tif.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatTrace.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\StopUninstall.tiff => C:\Users\Admin\Pictures\StopUninstall.tiff.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\A287.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\A287.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe"

C:\ProgramData\A287.tmp

"C:\ProgramData\A287.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A287.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-06-01 02:41

Reported

2023-06-01 02:44

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe"

Signatures

Renames multiple (606) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\UninstallRemove.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\SkipSelect.raw => C:\Users\Admin\Pictures\SkipSelect.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipSelect.raw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\UnblockNew.png => C:\Users\Admin\Pictures\UnblockNew.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnblockNew.png.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\UninstallRemove.crw => C:\Users\Admin\Pictures\UninstallRemove.crw.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\ProgramData\FE79.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\FE79.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AFfGduKAp.bmp" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AFfGduKAp\ = "AFfGduKAp" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AFfGduKAp\DefaultIcon\ = "C:\\ProgramData\\AFfGduKAp.ico" C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-05-31_33228a20a7e985f02e2ddd73cccde729_darkside.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\ProgramData\FE79.tmp

"C:\ProgramData\FE79.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FE79.tmp >> NUL

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
FR 51.11.192.49:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 209.197.3.8:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\desktop.ini

MD5 9e3824dab7051fceac6a678c1831d47e
SHA1 dd6bd885e9f26601b22065a07830f177d2be9a97
SHA256 481bb3f56066e5b11ba92524047871c75b2bcc6277bb121a3df343b5d8722862
SHA512 3846ee31111f92e1ea6322128014b25340f86c7c9c825b64c842b0baab8652a92ccefa135b7dace9af7e7146b6e352933b13f8efb3b670ea13a4c2751ed99e69

C:\AFfGduKAp.README.txt

MD5 8ea6710e6f8f45b1d3133cc7b0aefe43
SHA1 08deb87471ad3058f62b09204a2c8b2bc9ac113c
SHA256 1becc65997805f547ce0d63624d630a9140f1e8f30ee1deb3aace98181e73fb4
SHA512 6254c935f2580ffa14d53ec17427dc8fcc8480c19b89ef31c4a8469d792335225160b44da6c50f39b1dfe2eac75d59235f2e1fdda60a37c96c77b51ee33b4767

C:\ProgramData\FE79.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 2512428c84d0c83894dc5c0a267440e4
SHA1 5a7cee3446b09c4f9945c5f07e58fd6ec22728ef
SHA256 2e01b1198d9839506cd81fde45f5f0348244773917abdd77b1baf9778a88c271
SHA512 5a356604bbd13742b8fc6de4a9c2ffa8543816c0233bc5891c342089a26c03150015335d6850d0848029f6bbceb8c3587fa08084c0a48dc2c355087c55e77351
