Malware Analysis Report

2025-05-05 20:52

Sample ID 230606-jx7czacf82
Target 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside
SHA256 af4c28fb1c65ebe93181b67d279733e864cafab5919a7aa7eced93fc8113df16
Tags
lockbit ransomware spyware stealer
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

af4c28fb1c65ebe93181b67d279733e864cafab5919a7aa7eced93fc8113df16

Threat Level: Known bad

The file 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside was found to be: Known bad.

Note that the "darkside" label in the submitted file name comes from the submitter, not from the analysis. The static YARA match and the observed behaviour (a 9-character random extension, .9y643jKEQ, appended to encrypted files; a ransom note named 9y643jKEQ.README.txt at the drive root; a helper dropped as %ProgramData%\<hex>.tmp that is removed through cmd.exe after it runs) are those of LockBit 3.0.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (295) files with added filename extension

Renames multiple (615) files with added filename extension

Modifies extensions of user files

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-06 08:03

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-06 08:03

Reported

2023-06-06 08:06

Platform

win7-20230220-en

Max time kernel

75s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"

Signatures

Renames multiple (295) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\SyncSwitch.png.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\SyncSwitch.png => C:\Users\Admin\Pictures\SyncSwitch.png.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\2E52.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\2E52.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Note: this path-based signature, which fires on access to browser profile directories, is the sole source of the "spyware" and "stealer" tags on this sample. In an encryptor that access is the encryption pass reaching the profile files, and the report records no outbound traffic (Network: N/A below). Do not read the tags as evidence of credential theft without telemetry showing data leaving the host.

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A (the same row is recorded 14 times; the sandbox gives no further detail)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Process for every row: C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe (Indicator and Target: N/A). 64 token adjustments in total, summarised by privilege:

Privilege                                   Count
Token: SeAssignPrimaryTokenPrivilege        1
Token: SeBackupPrivilege                    25
Token: SeDebugPrivilege                     2
Token: 36 (LUID only; name not resolved)    1
Token: SeImpersonatePrivilege               1
Token: SeIncBasePriorityPrivilege           1
Token: SeIncreaseQuotaPrivilege             1
Token: 33 (LUID only; name not resolved)    1
Token: SeManageVolumePrivilege              1
Token: SeProfSingleProcessPrivilege         1
Token: SeRestorePrivilege                   1
Token: SeSecurityPrivilege                  25
Token: SeSystemProfilePrivilege             1
Token: SeTakeOwnershipPrivilege             1
Token: SeShutdownPrivilege                  1

Order of events: the first fifteen adjustments enable each privilege above once, in the order listed; after a second SeDebugPrivilege adjustment, SeBackupPrivilege and SeSecurityPrivilege are re-adjusted in alternating pairs (Backup, Backup, Security, Security) for the rest of the run. SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege let the process read, write and take ownership of files regardless of their ACLs, SeManageVolumePrivilege gives raw volume access, and SeDebugPrivilege allows opening any process; together they are what an encryptor needs to reach files and processes a normal user token could not. A process that enables this whole set at start-up is a strong hunting signal (Windows Security event 4703 when token-right auditing is enabled).

Processes

C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"

C:\ProgramData\2E52.tmp

"C:\ProgramData\2E52.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2E52.tmp >> NUL

Note: the image path is SysWOW64 while the command line says System32 because the 32-bit helper that spawned cmd.exe is subject to WoW64 file-system redirection; match on the file name cmd.exe, not on the directory. C:\PROGRA~3 is the 8.3 short name of C:\ProgramData here, so this command is the dropped helper removing its own file, which is why the "Deletes itself" signature above is attributed to C:\ProgramData\2E52.tmp.

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x150
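The process list above is the self-removal chain: the payload runs a helper dropped as C:\ProgramData\2E52.tmp, and the helper launches cmd.exe to DEL its own file (C:\PROGRA~3 being the 8.3 short name of C:\ProgramData). The Python below is an added example, not sandbox or vendor code; it evaluates that chain over constructed process-creation events modelled on this list. PIDs 1104 and 1252 are borrowed from the memory-dump names in the Files section, the parent links and other PIDs are assumed, and the last event is invented benign noise. The rule matches on the helper's location and name shape (ProgramData, short hexadecimal name, .tmp) rather than on 2E52.tmp itself, because the name differs in behavioral2 (4CF8.tmp).

```python
import re
import ntpath

# Constructed process-creation events modelled on the behavioral1 process list of this
# report. PIDs 1104 and 1252 come from the memory-dump names in the Files section; the
# parent links and the remaining PIDs are assumed for illustration, and the last event
# is invented benign noise (an installer deleting its own log file).
PROC_EVENTS = [
    dict(pid=1104, ppid=900,
         image=r"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"'),
    dict(pid=1252, ppid=1104, image=r"C:\ProgramData\2E52.tmp", cmdline=r'"C:\ProgramData\2E52.tmp"'),
    dict(pid=1300, ppid=1252, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2E52.tmp >> NUL'),
    dict(pid=1320, ppid=600, image=r"C:\Windows\system32\AUDIODG.EXE",
         cmdline=r"C:\Windows\system32\AUDIODG.EXE 0x150"),
    dict(pid=1400, ppid=900, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\setup.log'),
]

# Helper dropped by the payload: ProgramData, short hex name, .tmp (2E52.tmp and 4CF8.tmp in this report)
HELPER_RE = re.compile(r"^[a-z]:\\ProgramData\\[0-9a-f]{1,4}\.tmp$", re.IGNORECASE)
# "DEL [/switches] <target>" inside a cmd.exe command line
DEL_RE = re.compile(r"\bDEL\b\s+(?:/[a-z]\s+)*(?P<target>\S+)", re.IGNORECASE)


def is_cmd(image: str) -> bool:
    # Compare on the file name only, so SysWOW64 (WoW64 redirection) and System32 both count.
    return ntpath.basename(image).lower() == "cmd.exe"


def del_target(cmdline: str):
    """File name that a cmd.exe command line deletes, or None if it has no DEL."""
    m = DEL_RE.search(cmdline)
    return ntpath.basename(m.group("target")) if m else None


def find_self_delete_chains(events):
    """Return payload -> helper -> cmd.exe DEL chains where cmd deletes its own parent's file."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        if not is_cmd(e["image"]):
            continue
        target = del_target(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if target is None or parent is None:
            continue
        # 8.3 names such as C:\PROGRA~3 need no resolving: comparing file names is enough.
        if HELPER_RE.match(parent["image"]) and ntpath.basename(parent["image"]).lower() == target.lower():
            grandparent = by_pid.get(parent["ppid"])
            chains.append({
                "payload": grandparent["image"] if grandparent else None,
                "helper": parent["image"],
                "cleanup": e["cmdline"],
            })
    return chains


if __name__ == "__main__":
    for chain in find_self_delete_chains(PROC_EVENTS):
        print(f"payload {chain['payload']}\n  helper {chain['helper']}\n  cleanup {chain['cleanup']}")
```

Feeding real EDR process-creation records (Sysmon event 1 or Security event 4688 with command-line auditing) through find_self_delete_chains is the same logic; the parent link is what makes the rule precise, since a lone "cmd /C DEL" is ordinary installer behaviour.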

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\desktop.ini

MD5 e0b80a4f058764a2fda87691d1827e46
SHA1 62c61b65a1898818afa3ce1a1d1c65b0a3f8cae5
SHA256 7703c85aeafe5990f37dd766588e107c00e1e7f2a9c34df5247eb09e19008434
SHA512 43b8054a35dc4bcb44863ece52aa5f7b295cab7750e1170dd26809b876d6dafbc2cb686386728fb1b4ec9266078a84fd6cfdb692766e414dfd0fc9bd5155310b

The same directory, C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\, also received 25 files of eleven repeated letters, every one with the same hashes as the desktop.ini above:

AAAAAAAAAAA, BBBBBBBBBBB, CCCCCCCCCCC, DDDDDDDDDDD, EEEEEEEEEEE, FFFFFFFFFFF, GGGGGGGGGGG, HHHHHHHHHHH, IIIIIIIIIII, JJJJJJJJJJJ, KKKKKKKKKKK, LLLLLLLLLLL, MMMMMMMMMMM, NNNNNNNNNNN, OOOOOOOOOOO, PPPPPPPPPPP, QQQQQQQQQQQ, RRRRRRRRRRR, SSSSSSSSSSS, TTTTTTTTTTT, UUUUUUUUUUU, VVVVVVVVVVV, WWWWWWWWWWW, XXXXXXXXXXX, YYYYYYYYYYY

These single-letter names, together with the Temp\DDD... file below and the 2E52.tmp -> cmd.exe DEL chain in the Processes section, are most plausibly the trail of the self-removal flagged by "Suspicious behavior: RenamesItself" and "Deletes itself"; the exact names vary, but the shape (a run of one repeated letter, no extension, written in quick succession) is a usable hunting pattern.

memory/1252-100-0x0000000000370000-0x00000000003B0000-memory.dmp

C:\9y643jKEQ.README.txt

MD5 edcee010067993999219604e44bd2d11
SHA1 42e9bd97e2739a47d73a55a7782c488a2e8b363f
SHA256 68cb0a6dc8b83207229b79c58416965076b1abb3c9a69a58ece74a8df9fc0cee
SHA512 e40771b0c9f66167493bbb3b023be825a9166bc78c847f218b0fe6ab5451130fb682dc3931f3eea22a2ad1a460f7c60fcab3db471ab48d4643fd8256ff6e6e31

C:\ProgramData\2E52.tmp (also recorded as \ProgramData\2E52.tmp; three entries, one set of hashes)

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 fe5b7f500b9d82e3bd31ae0da51ec755
SHA1 2394880134c60959ce6e50ff3b3908f398e1c2c5
SHA256 de3418333d798b4d20cf5efe5596130e1dfd5989edeaae6b1fa7eb9be492d720
SHA512 54502da21339eb31b55018819fa6a909f559f6faa0024c5a59b8ccf25f89c1589ee6d62e871d6bbf5e844d83951cc2b44db72f47a75b1057789b8e55f7c88ca9

memory/1104-866-0x0000000000275000-0x0000000000293000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-06 08:03

Reported

2023-06-06 08:06

Platform

win10v2004-20230221-en

Max time kernel

126s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"

Signatures

Renames multiple (615) files with added filename extension

ransomware

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\DisableReset.raw => C:\Users\Admin\Pictures\DisableReset.raw.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisableReset.raw.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\ProtectCopy.tif => C:\Users\Admin\Pictures\ProtectCopy.tif.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\ProtectCopy.tif.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\RestoreRestart.crw => C:\Users\Admin\Pictures\RestoreRestart.crw.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\RestoreRestart.crw.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromSync.tif => C:\Users\Admin\Pictures\ConvertFromSync.tif.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertFromSync.tif.9y643jKEQ C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
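The two "Modifies extensions of user files" tables (behavioral1 and behavioral2) show the pattern a detection can key on: the original name and extension are kept and a second, 9-character alphanumeric extension is appended, and the Files section of behavioral1 records a ransom note named <extension>.README.txt at the drive root. The following Python is an added example, not part of the sandbox report or of any vendor tooling. It runs both checks over a constructed list of rename and file-creation events (paths taken from this report plus invented benign noise) and reports which appended token crosses a threshold and where its matching note was written. The threshold of 3 is an arbitrary choice for the small sample; the sandbox's own counts were 295 and 615.

```python
import re
from collections import Counter

# Constructed sandbox-style rename events: the first four are the "File renamed" rows of
# this report (behavioral1 and behavioral2); the last two are invented benign renames
# that a correct rule must ignore.
RENAME_EVENTS = [
    (r"C:\Users\Admin\Pictures\SyncSwitch.png",
     r"C:\Users\Admin\Pictures\SyncSwitch.png.9y643jKEQ"),
    (r"C:\Users\Admin\Pictures\DisableReset.raw",
     r"C:\Users\Admin\Pictures\DisableReset.raw.9y643jKEQ"),
    (r"C:\Users\Admin\Pictures\ProtectCopy.tif",
     r"C:\Users\Admin\Pictures\ProtectCopy.tif.9y643jKEQ"),
    (r"C:\Users\Admin\Pictures\RestoreRestart.crw",
     r"C:\Users\Admin\Pictures\RestoreRestart.crw.9y643jKEQ"),
    (r"C:\Users\Admin\Documents\notes.txt",
     r"C:\Users\Admin\Documents\notes.txt.bak"),          # benign: 3-character suffix
    (r"C:\Users\Admin\Downloads\photo.jpg",
     r"C:\Users\Admin\Downloads\photo_2023.jpg"),          # benign: stem changed
]

# Constructed file-creation events: the first path is the ransom note recorded in the
# Files section of behavioral1; the other two are invented.
CREATED_FILES = [
    r"C:\9y643jKEQ.README.txt",
    r"C:\Users\Admin\Pictures\9y643jKEQ.README.txt",
    r"C:\ProgramData\2E52.tmp",
]

# LockBit 3.0 keeps the original name and extension and appends a second,
# 9-character alphanumeric extension: SyncSwitch.png -> SyncSwitch.png.9y643jKEQ
APPENDED_EXT = re.compile(r"^(?P<orig>.+\.[^.\\]+)\.(?P<ext>[A-Za-z0-9]{9})$")


def appended_extension(src: str, dst: str):
    """Return the appended token when dst is exactly src + '.' + 9 alphanumerics, else None."""
    m = APPENDED_EXT.match(dst)
    if m and m.group("orig").lower() == src.lower():
        return m.group("ext")
    return None


def find_mass_rename(events, threshold=3):
    """Count renames per appended token; report tokens seen at least `threshold` times."""
    counts = Counter()
    for src, dst in events:
        ext = appended_extension(src, dst)
        if ext:
            counts[ext] += 1
    return {ext: n for ext, n in counts.items() if n >= threshold}


def find_ransom_notes(created, ext):
    """LockBit 3.0 names its note <extension>.README.txt; match that name in any directory."""
    wanted = f"{ext}.README.txt".lower()
    return [p for p in created if p.lower().rsplit("\\", 1)[-1] == wanted]


def triage(events, created, threshold=3):
    """Combine both checks: a mass rename with one appended token plus its matching note."""
    return {
        ext: {"renamed": n, "notes": find_ransom_notes(created, ext)}
        for ext, n in find_mass_rename(events, threshold).items()
    }


if __name__ == "__main__":
    for ext, detail in triage(RENAME_EVENTS, CREATED_FILES).items():
        print(f"extension .{ext}: {detail['renamed']} renames, notes: {detail['notes']}")
```

Pairing the rename count with the note name is what keeps the rule specific: backup tools and installers also rename files in bulk, but none of them write a <token>.README.txt whose token equals the appended extension.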

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\ProgramData\4CF8.tmp N/A

Note: the query is made by the dropped helper C:\ProgramData\4CF8.tmp, the behavioral2 counterpart of C:\ProgramData\2E52.tmp in behavioral1. The helper's name changes from run to run, so the file name is not a usable indicator; its location and shape (ProgramData, a short hexadecimal name, a .tmp extension) and the process chain around it are.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\4CF8.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP5wi3v5ijd91z8ysluo0y9nr.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPn24v2bzbti_1v5nnxmjcm2g7c.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPbsp6xev3vti70wv_d263m8kdc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Note: splwow64.exe and printfilterpipelinesvc.exe are Windows print-spooler components, and the .SPL and .TMP files they create under spool\PRINTERS are print jobs, not files written by the sample. Their appearance during the detonation is consistent with LockBit 3.0's known behaviour of sending its ransom note to every installed printer, but this excerpt does not include the behavioral2 process list, so the originator of the job cannot be confirmed from the page.

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Note: all six rows above are attributed to ONENOTE.EXE, an Office component present in the win10v2004 image, not to the sample or its helper; CPU and BIOS reads of this kind are ordinary application start-up. Office also registers a virtual printer for OneNote, so OneNote starting mid-run fits the print-spooler activity recorded under "Drops file in System32 directory", but without the behavioral2 process list the link to the payload cannot be confirmed here. Treat these rows as environment noise unless the process tree ties them to the sample.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A (the same row is recorded 44 times; the sandbox gives no further detail)
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe C:\Windows\splwow64.exe
PID 1216 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe C:\Windows\splwow64.exe
PID 1216 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe C:\ProgramData\4CF8.tmp
PID 1216 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe C:\ProgramData\4CF8.tmp
PID 1216 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe C:\ProgramData\4CF8.tmp
PID 1216 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe C:\ProgramData\4CF8.tmp
PID 4760 wrote to memory of 4648 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4760 wrote to memory of 4648 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4140 wrote to memory of 2760 N/A C:\ProgramData\4CF8.tmp C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 2760 N/A C:\ProgramData\4CF8.tmp C:\Windows\SysWOW64\cmd.exe
PID 4140 wrote to memory of 2760 N/A C:\ProgramData\4CF8.tmp C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B730EF9C-2C5F-492B-B942-37635BEC9C02}.xps" 133305122798560000

C:\ProgramData\4CF8.tmp

"C:\ProgramData\4CF8.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4CF8.tmp >> NUL

Network

Country Destination Domain Proto
US 40.77.2.164:443 tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 153.124.109.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\AAAAAAAAAAA

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\GGGGGGGGGGG

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\FFFFFFFFFFF

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\KKKKKKKKKKK

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\HHHHHHHHHHH

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\JJJJJJJJJJJ

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\IIIIIIIIIII

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\EEEEEEEEEEE

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\CCCCCCCCCCC

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\BBBBBBBBBBB

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\MMMMMMMMMMM

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\LLLLLLLLLLL

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\NNNNNNNNNNN

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\OOOOOOOOOOO

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\PPPPPPPPPPP

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\QQQQQQQQQQQ

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\RRRRRRRRRRR

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\SSSSSSSSSSS

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\UUUUUUUUUUU

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\YYYYYYYYYYY

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\XXXXXXXXXXX

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\WWWWWWWWWWW

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\VVVVVVVVVVV

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\TTTTTTTTTTT

MD5 a437e9870c8e8e5cdb3fc01a32905332
SHA1 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256 f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512 aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6

memory/1216-187-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/1216-189-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/1216-188-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

C:\Users\Admin\9y643jKEQ.README.txt

MD5 a252d99fb46c5547037df1bf2ad28ddd
SHA1 11ba8f7716fdb5f5930051476539ae2c28c24cbc
SHA256 7f4e580bf421dfee139169eadc44fdcf984039576de034664be2df8d2bb6727b
SHA512 106beef199df95707dbd23407172b96dc717350578f13edf5ac89551d6974d1705390bff9d66ed2a2ec40ff3ad9888c2d315f7d21cd121980dec21cce73459f3

memory/1216-2836-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

memory/1216-2837-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

C:\ProgramData\4CF8.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\ProgramData\4CF8.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 62a52f2b932b9742bb9f279a1fc27cae
SHA1 b965f805843dae6ebb7c97b643e2c47717b14aa8
SHA256 15cc91c33beaa6c2655084b00e21c18c037ab06d19d853b6444b9aef8a98aa40
SHA512 8ed59cc30067ba8cecf29363a75d818d8f44290823639a8834702d37f51e085dc06561d0c5893e3bfa97c97460ce3540e6cef38deb13f4ccb1e413aba72f0f9b

memory/4648-2880-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp

memory/4648-2881-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp

memory/4648-2882-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp

memory/4648-2883-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp

memory/4648-2884-0x00007FFD03090000-0x00007FFD030A0000-memory.dmp

memory/4648-2885-0x00007FFD01030000-0x00007FFD01040000-memory.dmp

memory/4648-2886-0x00007FFD01030000-0x00007FFD01040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{F3CBCEB1-9C48-4778-A449-DC4360F8F2D6}

MD5 90c371ae05864baa8eaee1efcedb1429
SHA1 ae329b68ae98462febf28fd97a35f82b7277b567
SHA256 aabd954990b15112992449e5287f2cebfc5c9ceefa87cc9937dd962d20f7d7f3
SHA512 107c562487be52d65a1048109589d32ad86c8232daaeacf629c24d19c90f1ee9aebf3060fab04f627610a2a5f6315037ec4a56b180d9662b068ecc89a3cd5234

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 9430471cb8d341da2d72471ae7c956a4
SHA1 d50b7bdf7d98d056b6ab8170c93ecc6e025635a6
SHA256 704aaad48fcc972acdffbc16f0018d84324b29efff868fc0aac14cb223d184a6
SHA512 32fe092693be0ad5bc0176243c230044b3ad884df51fa38b992e02af1a89537d28cd850799c2a20dfbcd2a40359e27770e31d06b22ad70da697c61380dadd5e9