Malware Analysis Report

2024-11-30 11:29

Sample ID 240229-y7czfabh98
Target 2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside
SHA256 bc6f40f97e2c03771a33b3cbe4918550d16b02cd9915301b6719de620b1ef22d
Tags
lockbit ransomware spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

bc6f40f97e2c03771a33b3cbe4918550d16b02cd9915301b6719de620b1ef22d

Threat Level: Known bad

The file 2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Lockbit

Renames multiple (619) files with added filename extension

Renames multiple (320) files with added filename extension

Loads dropped DLL

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 20:25

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 20:25

Reported

2024-02-29 20:28

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (619) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RNnzxAMZJ\ = "RNnzxAMZJ" C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RNnzxAMZJ\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RNnzxAMZJ C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RNnzxAMZJ\DefaultIcon\ = "C:\\ProgramData\\RNnzxAMZJ.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RNnzxAMZJ C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/1372-1-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/1372-0-0x00000000025F0000-0x0000000002600000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\CCCCCCCCCCC

MD5 85186a6830f10cdd1c292b7e94225733
SHA1 0b2a7278f796466028ebcb8a4c84bfb0c252bce1
SHA256 2888340d4523b6eb9228fb2ead9c761e23bbaf3123cc67c67447b9cb3c604f02
SHA512 ec484fe8e25e0dad5bf230083c951176fb17ca2df9ae97f4e210e04c2a984bdb009bb8024942d03a23c14e050715d956cf017f3ee770c0b1e77a8a3dd122b38f

F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\DDDDDDDDDDD

MD5 159f76454805ede9cd0634bbded45486
SHA1 b57ecdd35e0f3f831c5273a85efdf5b7c09e743a
SHA256 6a05145ed4c36e875b6f175311dba4196d705aa5e65b7e20380e15bcfbcd423d
SHA512 fadd47c2cb7bbd7d1652c8ca6f935b618057e6a6fd11383a9c5079fc1ed3274347c64edec73300e54e8bf723e5b4ef0e724c1f05b1c11bd510b4b396729b2ce7

C:\RNnzxAMZJ.README.txt

MD5 5be2a86d58e0e9a5edabe16c0ac88262
SHA1 fbab31e15cc9385242b44737b6c2d82c728f6929
SHA256 1c02a7cb7be5b97d382e740e4ec3a29b6342ac67d48c93a0fadda0f7b9172bcc
SHA512 d35a5ac4d1a6bdb9b5825dc9f2b9918b0e31780b8deb7db43174f38a2e9c700abafae5ad2ed6e19140281e58a967327fa71b94b6c9171bbc6974f5acd3172db3

memory/1372-2776-0x00000000025F0000-0x0000000002600000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 20:25

Reported

2024-02-29 20:27

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe"

Signatures

Lockbit

ransomware lockbit

Renames multiple (320) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\B18.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\B18.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\RNnzxAMZJ.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\RNnzxAMZJ.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\B18.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.RNnzxAMZJ C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.RNnzxAMZJ\ = "RNnzxAMZJ" C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RNnzxAMZJ\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RNnzxAMZJ C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RNnzxAMZJ\DefaultIcon\ = "C:\\ProgramData\\RNnzxAMZJ.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-29_2ba5460b0189eb83e8949e20a3588074_darkside.exe"

C:\ProgramData\B18.tmp

"C:\ProgramData\B18.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\B18.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/2924-0-0x00000000007A0000-0x00000000007E0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini

MD5 57660a13b5095f269f93bb58a5209d9b
SHA1 c242df9916c2ff258818ff50cdf004a88bb156e9
SHA256 95b0c4a596b49eb7bf3f800d8eb8539f8745aa5a9ce4a0f5ba7dff93b34a5b13
SHA512 ee1a8dd778c604807bd095d786e30a76a31d8b1a1a3d20e4aea01547a6270b4f2fffa9b9f95e5a16f05828cf4593455b5d5d5a91dbe33b08dddf4ed8c4cc9ec3

F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\FFFFFFFFFFF

MD5 4e7a7089fff5d4e3801ed8c2a2d5c9d3
SHA1 b1aa38cc072179364c5fcf15dc9d581f25742a5c
SHA256 13c4dee49eb9b77f3c842aa6a60a9b8c662a44abdc05e8a4061e68054c8d6891
SHA512 15c73bcf5e6ea2cf55216f4166c3118c97c8861198735d6a92d30c1a80316c3cf392381d65741da362b67adaaca949e6001cd8b006c0644fc4ed6c2dfbd7996f

C:\RNnzxAMZJ.README.txt

MD5 d48a1f8c445b539383382d927394319b
SHA1 32c6bc25a450883576b971cb8fb30a586ae7aa74
SHA256 fb19951b9497d05ddfdd0fcab004a87ef89e56532cd51b15540aa838e50a3228
SHA512 be1baadc001ff418c9ef38d9501579507943b6e7316a91142f2b61aef85fa0a6f4bb108d422ba1aa231f47f2389e2c58238d87db5ab0bdb6defb26c7043fbe01

\ProgramData\B18.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2844-838-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2844-839-0x00000000021C0000-0x0000000002200000-memory.dmp

memory/2844-842-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2844-844-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 ac9c0f0e0e8fac51b3d4e93deae81e28
SHA1 d0b7994ee57fb8179fc96db96bf2646e319aae46
SHA256 f99a86681faf4a44afcbfd37c6b6befde0cfddaced61d767381158e996c717d1
SHA512 3de6054f7074fd2db3817f1b9984bd2ea06688b3dbcabce107e0fa4e2f8b91a1dce95f335db44fcead6eb6d28f202fb00670da1aac85fa1662b4efc675f4ee72

memory/2844-870-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2844-871-0x000000007EF60000-0x000000007EF61000-memory.dmp