Malware Analysis Report

2025-06-15 20:09

Sample ID 250605-seepnsyyet
Target 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit
SHA256 7855bee142c5abc5a3aa7f58a6a43cfb85df05d94fbb3a07bfe83cb73cf81281
Tags lockbit defense_evasion discovery ransomware spyware stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

7855bee142c5abc5a3aa7f58a6a43cfb85df05d94fbb3a07bfe83cb73cf81281

Threat Level: Known bad

The file 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit was found to be: Known bad.

Malicious Activity Summary

lockbit defense_evasion discovery ransomware spyware stealer

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (552) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Indicator Removal: File Deletion

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies Control Panel

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 15:02

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 15:02

Reported

2025-06-05 15:05

Platform

win11-20250502-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe"

Signatures

Renames multiple (552) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\AD77.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\AD77.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-779059454-4269757009-3780780039-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-779059454-4269757009-3780780039-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PPit18b75lei3wuhr5dif49a3_c.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPw1vev2m8y98nn8hj7mxxr1fu.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPk9joiku2tib0zk2mx00a1x_e.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\g0Bwcr1Ri.bmp" C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\g0Bwcr1Ri.bmp" C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\AD77.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\g0Bwcr1Ri\DefaultIcon\ = "C:\\ProgramData\\g0Bwcr1Ri.ico" C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.g0Bwcr1Ri C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.g0Bwcr1Ri\ = "g0Bwcr1Ri" C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\g0Bwcr1Ri\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\g0Bwcr1Ri C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe C:\Windows\splwow64.exe
PID 780 wrote to memory of 4672 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 1408 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe C:\ProgramData\AD77.tmp
PID 3736 wrote to memory of 5260 N/A C:\ProgramData\AD77.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe

"C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B6FCD673-B0DE-42C7-9576-DD6FE0652F92}.xps" 133936094306870000

C:\ProgramData\AD77.tmp

"C:\ProgramData\AD77.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AD77.tmp >> NUL

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\DataExchangeHost.exe

C:\Windows\System32\DataExchangeHost.exe -Embedding

Network

Country Destination Domain Proto
US 52.109.16.112:443 roaming.officeapps.live.com tcp
CA 142.250.69.35:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-779059454-4269757009-3780780039-1000\YYYYYYYYYYY

C:\g0Bwcr1Ri.README.txt

F:\$RECYCLE.BIN\S-1-5-21-779059454-4269757009-3780780039-1000\DDDDDDDDDDD

C:\ProgramData\AD77.tmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

C:\Users\Admin\AppData\Local\Temp\{4F4EBA4E-18DD-433B-889B-7A9677886BBF}

MD5 a8e9afd68d0922b2e033dd3e6a259bc9
SHA1 06ba0a0e286047ecfe0eb9f8409489a05fadb134
SHA256 6d0c51a89f49391ab121d426495ab49d5e895d4d1d1ab8034cea6164e424c512
SHA512 a88b4c0040be25f91d451314d5d80d2ac01b1ac0d0098447f38e19e2b11af5b8589d388cf83f5b7c20e5dcf94574235bb3fe2220fff01416480ec119fb807e1a

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 11be1d0c8df222e25fcafb3d89b37a39
SHA1 2ab7a78cbde7649faa7b6c76fc1d6fbbb0c596bc
SHA256 5c27e6be8c294e30d4ff5621bd4327f20af105adfadc16724cea047c27b3979f
SHA512 4fe4a87c6c6c11f1a4614dfbf6592edf220cff78fa85d50a16ea4bb043e8f7feb32e818de4b734faf7620142dcbef5a3765630e045f8e9da1c6eababff253065

C:\Users\Admin\AppData\Local\Temp\{1F5C4E08-6B00-445C-A043-AC533EFD519B}

MD5 6ecc27f3487e4722ff8c07708888cd77
SHA1 82bd0c828fc8f14c4c0bd902a373ed49fc5f5e7a
SHA256 85a224036c24c34e16a7f7deb12f13d566af7bb953ad30adf7fc150e7f094145
SHA512 d1fd24bacfcc76512da7426f7862e0801b7555d1c62641297943225a81e7a38176e2653c3037fd816fbc8413ef05e35800681e521768445a36224bc0b685fe9d

memory/4672-3598-0x00007FFE7CD50000-0x00007FFE7CD60000-memory.dmp

memory/4672-3597-0x00007FFE7CD50000-0x00007FFE7CD60000-memory.dmp

memory/4672-3596-0x00007FFE7CD50000-0x00007FFE7CD60000-memory.dmp

memory/4672-3595-0x00007FFE7CD50000-0x00007FFE7CD60000-memory.dmp

C:\Users\Admin\Desktop\CompressPublish.TTS.g0Bwcr1Ri

MD5 a0ba4089a15197049a073d94320835db
SHA1 ddfbda958cde7102f3b51e8dc1ef2f1917d25558
SHA256 f8b5465f11b81a635b9ec0dc525de84693740962fc18d5ae0037b00ef5f71eae
SHA512 7aaa232da4afffea8fb55b549c1e76c79f9f92177800d9d4f4a3185007d2995c1a07ee318ed8236a8da1c51712878f24babfa95769e18961131884c08e588f70

C:\Users\Admin\Desktop\ConvertFromMeasure.ADTS.g0Bwcr1Ri

MD5 9ea5264ee1bd663240bc2e6de327c99c
SHA1 8bce87e201255a4d8f8c6e78d9b3561ff163a641
SHA256 b20c0bf61fad1e44149a423afa2bb235673394270c211b00f6329489eb38637c
SHA512 fd2a556fb231418c72d56714dfed6a6d7517cde48a8d037218ce6f8a49e4a513cff4db4b73ee0745de687c421c22e24dfdea1af500587f1590d907e4fbfafbe1

C:\Users\Admin\Desktop\DebugCompress.mov.g0Bwcr1Ri

MD5 b34b4b5f5754f7b2e665a24af19ca170
SHA1 d1c40ae4aaf1d48136a279e2141e7de927f040c3
SHA256 81e9292248145a563e1f106373da618bc013d75c60be11c3ec7523b0f269ace4
SHA512 b43ae8812c1914b340d6ec365d5fa14cb5e273db9b847c66e19df6c92866e644411cffefc64868487612e1a39cc3a5bc7197e02678729b0f5d821d40e995dae8

C:\Users\Admin\Desktop\ConnectComplete.mpg.g0Bwcr1Ri

MD5 6b086dafa2066d119b387e50081fb09f
SHA1 bec56613e8b22e539cc6be4be63ebb75617421e3
SHA256 80240aa1ce99aa2252befd5e050a35b6a8e869a6aba4d525d092f67e3cff007d
SHA512 cf629a1183c064e27932c5757cea13f4f530d1ce17246e9a41a6f7ba7249211aeaab13269a9c124d44d7331fb54164444df3717edef7bfa651ba1e1851141846

C:\Users\Admin\Desktop\DisconnectSelect.mp4.g0Bwcr1Ri

C:\Users\Admin\Desktop\ExitSplit.vsdx.g0Bwcr1Ri

C:\Users\Admin\Desktop\EditMove.7z.g0Bwcr1Ri

C:\Users\Admin\Desktop\GetSearch.jpeg.g0Bwcr1Ri

C:\Users\Admin\Desktop\OutExpand.m4a.g0Bwcr1Ri

C:\Users\Admin\Desktop\OpenRevoke.xltm.g0Bwcr1Ri

C:\Users\Admin\Desktop\SearchFormat.zip.g0Bwcr1Ri

C:\Users\Admin\Desktop\ResumeHide.wpl.g0Bwcr1Ri

C:\Users\Admin\Desktop\RestartUnblock.xsl.g0Bwcr1Ri

C:\Users\Admin\Desktop\ReadConvertFrom.xps.g0Bwcr1Ri

C:\Users\Admin\Desktop\ResumeGroup.ps1

C:\Users\Admin\Desktop\PopCompress.sys

C:\Users\Admin\Desktop\WatchApprove.aiff.g0Bwcr1Ri

C:\Users\Admin\Desktop\UnprotectResume.htm.g0Bwcr1Ri

C:\Users\Admin\Desktop\TestSearch.bmp.g0Bwcr1Ri

C:\Users\Admin\Desktop\SuspendRevoke.zip.g0Bwcr1Ri

C:\Users\Admin\Desktop\TestOptimize.emf.g0Bwcr1Ri

C:\Users\Admin\Desktop\SubmitUnpublish.nfo.g0Bwcr1Ri

C:\Users\Admin\Desktop\BlockExit.xlsx.g0Bwcr1Ri

C:\Users\Admin\Desktop\CheckpointSubmit.001.g0Bwcr1Ri

C:\Users\Admin\Desktop\CompleteBlock.dot.g0Bwcr1Ri

C:\Users\Admin\Desktop\CloseConfirm.xlsx.g0Bwcr1Ri

C:\Users\Admin\Desktop\ClearConvert.avi.g0Bwcr1Ri

C:\Users\Admin\Downloads\TestBackup.exe

C:\Users\Admin\Downloads\ApproveConvertFrom.wmf.g0Bwcr1Ri

C:\Users\Admin\Downloads\CheckpointRemove.htm.g0Bwcr1Ri

C:\Users\Admin\Downloads\ComparePop.MTS.g0Bwcr1Ri

C:\Users\Admin\Downloads\CopyDeny.AAC.g0Bwcr1Ri

C:\Users\Admin\Downloads\ConvertSwitch.shtml.g0Bwcr1Ri

C:\Users\Admin\Downloads\ConvertInvoke.jfif.g0Bwcr1Ri

C:\Users\Admin\Downloads\ConnectPush.mp4.g0Bwcr1Ri
