Analysis Overview
SHA256
af4c28fb1c65ebe93181b67d279733e864cafab5919a7aa7eced93fc8113df16
Threat Level: Known bad
The file 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside was found to be: Known bad.
Malicious Activity Summary
Rule to detect Lockbit 3.0 ransomware Windows payload
Lockbit family
Renames multiple (295) files with added filename extension
Renames multiple (615) files with added filename extension
Modifies extensions of user files
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-06 08:03
Signatures
Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-06 08:03
Reported
2023-06-06 08:06
Platform
win7-20230220-en
Max time kernel
75s
Max time network
36s
Command Line
Signatures
Renames multiple (295) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\SyncSwitch.png.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SyncSwitch.png => C:\Users\Admin\Pictures\SyncSwitch.png.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\2E52.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\2E52.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| N/A | N/A | C:\ProgramData\2E52.tmp | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\2E52.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"
C:\ProgramData\2E52.tmp
"C:\ProgramData\2E52.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2E52.tmp >> NUL
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150
Network
Files
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\desktop.ini
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\AAAAAAAAAAA
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\BBBBBBBBBBB
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\CCCCCCCCCCC
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\DDDDDDDDDDD
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\EEEEEEEEEEE
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\FFFFFFFFFFF
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\GGGGGGGGGGG
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\HHHHHHHHHHH
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\IIIIIIIIIII
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\JJJJJJJJJJJ
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\KKKKKKKKKKK
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\LLLLLLLLLLL
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\MMMMMMMMMMM
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\NNNNNNNNNNN
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\OOOOOOOOOOO
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\PPPPPPPPPPP
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\QQQQQQQQQQQ
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\RRRRRRRRRRR
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\SSSSSSSSSSS
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
memory/1252-100-0x0000000000370000-0x00000000003B0000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\TTTTTTTTTTT
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\9y643jKEQ.README.txt
| MD5 | edcee010067993999219604e44bd2d11 |
| SHA1 | 42e9bd97e2739a47d73a55a7782c488a2e8b363f |
| SHA256 | 68cb0a6dc8b83207229b79c58416965076b1abb3c9a69a58ece74a8df9fc0cee |
| SHA512 | e40771b0c9f66167493bbb3b023be825a9166bc78c847f218b0fe6ab5451130fb682dc3931f3eea22a2ad1a460f7c60fcab3db471ab48d4643fd8256ff6e6e31 |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\UUUUUUUUUUU
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\VVVVVVVVVVV
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\WWWWWWWWWWW
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\YYYYYYYYYYY
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\XXXXXXXXXXX
| MD5 | e0b80a4f058764a2fda87691d1827e46 |
| SHA1 | 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5 |
| SHA256 | 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434 |
| SHA512 | 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b |
\ProgramData\2E52.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\ProgramData\2E52.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | fe5b7f500b9d82e3bd31ae0da51ec755 |
| SHA1 | 2394880134c60959ce6e50ff3b3908f398e1c2c5 |
| SHA256 | de3418333d798b4d20cf5efe5596130e1dfd5989edeaae6b1fa7eb9be492d720 |
| SHA512 | 54502da21339eb31b55018819fa6a909f559f6faa0024c5a59b8ccf25f89c1589ee6d62e871d6bbf5e844d83951cc2b44db72f47a75b1057789b8e55f7c88ca9 |
memory/1104-866-0x0000000000275000-0x0000000000293000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-06 08:03
Reported
2023-06-06 08:06
Platform
win10v2004-20230221-en
Max time kernel
126s
Max time network
132s
Command Line
Signatures
Renames multiple (615) files with added filename extension
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\DisableReset.raw => C:\Users\Admin\Pictures\DisableReset.raw.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisableReset.raw.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ProtectCopy.tif => C:\Users\Admin\Pictures\ProtectCopy.tif.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ProtectCopy.tif.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RestoreRestart.crw => C:\Users\Admin\Pictures\RestoreRestart.crw.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RestoreRestart.crw.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertFromSync.tif => C:\Users\Admin\Pictures\ConvertFromSync.tif.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromSync.tif.9y643jKEQ | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\ProgramData\4CF8.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\4CF8.tmp | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PP5wi3v5ijd91z8ysluo0y9nr.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPn24v2bzbti_1v5nnxmjcm2g7c.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
| File created | C:\Windows\system32\spool\PRINTERS\PPbsp6xev3vti70wv_d263m8kdc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | N/A |
| N/A | N/A | C:\ProgramData\4CF8.tmp | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\4CF8.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B730EF9C-2C5F-492B-B942-37635BEC9C02}.xps" 133305122798560000
C:\ProgramData\4CF8.tmp
"C:\ProgramData\4CF8.tmp"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4CF8.tmp >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 40.77.2.164:443 | | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.124.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\AAAAAAAAAAA
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\GGGGGGGGGGG
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\FFFFFFFFFFF
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\KKKKKKKKKKK
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\HHHHHHHHHHH
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\JJJJJJJJJJJ
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\IIIIIIIIIII
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\EEEEEEEEEEE
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\CCCCCCCCCCC
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\BBBBBBBBBBB
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\MMMMMMMMMMM
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\LLLLLLLLLLL
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\NNNNNNNNNNN
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\OOOOOOOOOOO
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\PPPPPPPPPPP
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\QQQQQQQQQQQ
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\RRRRRRRRRRR
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\SSSSSSSSSSS
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\UUUUUUUUUUU
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\YYYYYYYYYYY
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\XXXXXXXXXXX
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\WWWWWWWWWWW
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\VVVVVVVVVVV
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\TTTTTTTTTTT
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
| SHA512 | aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6 |
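Every one of the repeated-letter files dropped under `$Recycle.Bin` above carries the same MD5/SHA1/SHA256/SHA512, so they are a single artefact written under many names, while the ransom note (`9y643jKEQ.README.txt`) and the `ProgramData` `.tmp` are distinct content. Grouping a dropped-file listing by digest is how a responder collapses such a list to the few files actually worth pulling. The script below is an added example for this page, not output of the sandbox or code from the LockBit analysis: it parses the report's own layout (a path line followed by `| ALGO | hex |` rows), validates digest lengths, and groups paths by SHA256. The input is an excerpt constructed from three entries of this report; the function names are mine.

```python
"""Group the dropped-file entries of a sandbox report by SHA256.

Added example for this report page (not part of the sandbox's own output).
It parses the report layout used above: a path line followed by
`| ALGO | hex |` rows. Paths that share a SHA256 are one artefact dropped
under several names (here: the repeated-letter copies under $Recycle.Bin).
"""
import re
from collections import defaultdict

# Constructed excerpt: three entries copied from the report above, not the full list.
REPORT_EXCERPT = r"""
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\KKKKKKKKKKK
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\HHHHHHHHHHH
| MD5 | a437e9870c8e8e5cdb3fc01a32905332 |
| SHA1 | 1e3a3a2da67943545387e1f860035d1ba7d2a869 |
| SHA256 | f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c |
C:\Users\Admin\9y643jKEQ.README.txt
| MD5 | a252d99fb46c5547037df1bf2ad28ddd |
| SHA1 | 11ba8f7716fdb5f5930051476539ae2c28c24cbc |
| SHA256 | 7f4e580bf421dfee139169eadc44fdcf984039576de034664be2df8d2bb6727b |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_dropped_files(text):
    """Return a list of (path, {algo: hex}) in report order.

    Any non-blank line that is not a hash row starts a new entry (a path, or a
    `memory/...dmp` line, which simply ends up with no hashes). Digests are
    lower-cased and length-checked so a truncated value raises instead of
    silently forming a spurious group.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m is None:
            current = (line, {})
            entries.append(current)
            continue
        if current is None:
            raise ValueError("hash row before any path: %r" % line)
        algo, hexval = m.group(1), m.group(2).lower()
        if len(hexval) != HEX_LEN[algo]:
            raise ValueError("bad %s length for %s" % (algo, current[0]))
        current[1][algo] = hexval
    return entries


def group_by_sha256(entries):
    """Map SHA256 -> sorted list of paths carrying that content."""
    groups = defaultdict(list)
    for path, hashes in entries:
        if "SHA256" in hashes:
            groups[hashes["SHA256"]].append(path)
    return {h: sorted(paths) for h, paths in groups.items()}


def duplicate_content(entries):
    """Only the groups with more than one path: the same bytes under many names."""
    return {h: p for h, p in group_by_sha256(entries).items() if len(p) > 1}


if __name__ == "__main__":
    parsed = parse_dropped_files(REPORT_EXCERPT)
    for sha, paths in group_by_sha256(parsed).items():
        print(f"{sha[:16]}...  {len(paths)} path(s)")
        for p in paths:
            print("    ", p)
```

Run against the whole listing, the 21 `$Recycle.Bin` entries collapse to one SHA256 group, which is the one file to submit for static analysis; the ransom note, the `.tmp` and the GUID-named temp file each stay in groups of their own.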
memory/1216-187-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
memory/1216-189-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
memory/1216-188-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
C:\Users\Admin\9y643jKEQ.README.txt
| MD5 | a252d99fb46c5547037df1bf2ad28ddd |
| SHA1 | 11ba8f7716fdb5f5930051476539ae2c28c24cbc |
| SHA256 | 7f4e580bf421dfee139169eadc44fdcf984039576de034664be2df8d2bb6727b |
| SHA512 | 106beef199df95707dbd23407172b96dc717350578f13edf5ac89551d6974d1705390bff9d66ed2a2ec40ff3ad9888c2d315f7d21cd121980dec21cce73459f3 |
memory/1216-2836-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
memory/1216-2837-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
C:\ProgramData\4CF8.tmp
| MD5 | 294e9f64cb1642dd89229fff0592856b |
| SHA1 | 97b148c27f3da29ba7b18d6aee8a0db9102f47c9 |
| SHA256 | 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 |
| SHA512 | b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf |
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
| MD5 | 62a52f2b932b9742bb9f279a1fc27cae |
| SHA1 | b965f805843dae6ebb7c97b643e2c47717b14aa8 |
| SHA256 | 15cc91c33beaa6c2655084b00e21c18c037ab06d19d853b6444b9aef8a98aa40 |
| SHA512 | 8ed59cc30067ba8cecf29363a75d818d8f44290823639a8834702d37f51e085dc06561d0c5893e3bfa97c97460ce3540e6cef38deb13f4ccb1e413aba72f0f9b |
memory/4648-2880-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp
memory/4648-2881-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp
memory/4648-2882-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp
memory/4648-2883-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp
memory/4648-2884-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp
memory/4648-2885-0x00007FFD01030000-0x00007FFD01040000-memory.dmp
memory/4648-2886-0x00007FFD01030000-0x00007FFD01040000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{F3CBCEB1-9C48-4778-A449-DC4360F8F2D6}
| MD5 | 90c371ae05864baa8eaee1efcedb1429 |
| SHA1 | ae329b68ae98462febf28fd97a35f82b7277b567 |
| SHA256 | aabd954990b15112992449e5287f2cebfc5c9ceefa87cc9937dd962d20f7d7f3 |
| SHA512 | 107c562487be52d65a1048109589d32ad86c8232daaeacf629c24d19c90f1ee9aebf3060fab04f627610a2a5f6315037ec4a56b180d9662b068ecc89a3cd5234 |
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
| MD5 | 9430471cb8d341da2d72471ae7c956a4 |
| SHA1 | d50b7bdf7d98d056b6ab8170c93ecc6e025635a6 |
| SHA256 | 704aaad48fcc972acdffbc16f0018d84324b29efff868fc0aac14cb223d184a6 |
| SHA512 | 32fe092693be0ad5bc0176243c230044b3ad884df51fa38b992e02af1a89537d28cd850799c2a20dfbcd2a40359e27770e31d06b22ad70da697c61380dadd5e9 |