Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted
01/06/2023, 02:40
Behavioral task
behavioral1
Sample
2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Resource
win10v2004-20230220-en
General
-
Target
2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
-
Size
200KB
-
MD5
da44b75688848eaad3b888d4ffa3eb8a
-
SHA1
1e18f8d613b31426bf7c3cad82ecee94e94f4fdb
-
SHA256
286726ecca68f8c2752116258aba0cd35c051a6342043ee1add84b890654276f
-
SHA512
ee19553d7816dc82dac7dd7bc7e9f05e9360074e7870e032da02f12bc29f2487085bc89aadb8712c687f1f844361eab18c09a92b965eb96c0c14491e630411f2
-
SSDEEP
3072:sr85Cua1U197bzhVsmftsZzSY2h1OSzlezR9P32euJ9OlKolb:k9Ri1dNVsmfte2Y2hvMX32eufj0b
Malware Config
Extracted
C:\sdBuuG2px.README.txt
lockbit
Signatures
-
Detect Neshta payload 10 IoCs
resource | yara_rule
behavioral2/files/0x000700000001f011-419.dat | family_neshta
behavioral2/memory/2156-431-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2156-495-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2156-496-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2156-497-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2156-498-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2156-499-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2156-500-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2156-554-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2156-558-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 3 IoCs
resource | yara_rule
behavioral2/files/0x000200000001e2af-137.dat | family_lockbit
behavioral2/files/0x000200000001e2af-140.dat | family_lockbit
behavioral2/files/0x000200000001e2af-139.dat | family_lockbit
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Executes dropped EXE 2 IoCs
pid | Process
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
3020 | C286.tmp
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
-
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-144354903-2550862337-1367551827-1000\desktop.ini | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PPocxmgn0lycrl8gulpkdkstfc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPmmktrakbebz7pp51zf46pq7hb.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPl3j0yt6wdhuqst026_vf8z_bd.TMP | printfilterpipelinesvc.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\sdBuuG2px.bmp" | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\sdBuuG2px.bmp" | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | Process
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
3020 | C286.tmp
3020 | C286.tmp
3020 | C286.tmp
3020 | C286.tmp
3020 | C286.tmp
3020 | C286.tmp
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Modifies Control Panel 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Modifies registry class 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sdBuuG2px\ = "sdBuuG2px" | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sdBuuG2px\DefaultIcon\ = "C:\\ProgramData\\sdBuuG2px.ico" | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
4488 | ONENOTE.EXE
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 2156 wrote to memory of 4792 | 2156 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe | 83
PID 2156 wrote to memory of 4792 | 2156 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe | 83
PID 2156 wrote to memory of 4792 | 2156 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe | 83
PID 4792 wrote to memory of 372 | 4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe | 93
PID 4792 wrote to memory of 372 | 4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe | 93
PID 1788 wrote to memory of 4488 | 1788 | printfilterpipelinesvc.exe | 97
PID 1788 wrote to memory of 4488 | 1788 | printfilterpipelinesvc.exe | 97
PID 4792 wrote to memory of 3020 | 4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe | 98
PID 4792 wrote to memory of 3020 | 4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe | 98
PID 4792 wrote to memory of 3020 | 4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe | 98
PID 4792 wrote to memory of 3020 | 4792 | 2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe | 98
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe"
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe (process tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe"
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\splwow64.exe (process tree level 3)
Command line: C:\Windows\splwow64.exe 12288
- Drops file in System32 directory
PID:372
C:\ProgramData\C286.tmp (process tree level 3)
Command line: "C:\ProgramData\C286.tmp"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3020
C:\Windows\system32\vssvc.exe (process tree level 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
C:\Windows\system32\svchost.exe (process tree level 1)
Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
PID:2756
-
C:\Windows\system32\printfilterpipelinesvc.exe (process tree level 1)
Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (process tree level 2)
Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{71C3412A-B790-4813-9A7C-33AE7D351D5E}.xps" 133300608777380000
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4488
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
129B
MD5
e2a6aa248c96a10bafe4179e4f189eac
SHA1
82ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA256
8e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512
307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
129B
MD5e2a6aa248c96a10bafe4179e4f189eac
SHA182ec65a51fc98a6e9cb2c3cb469f22d5a700c607
SHA2568e1fb7d78bda681e9d6e724c169295a465b98ab461e4f248a5bf1e6eab5359fc
SHA512307baad2896972ef390e325f3238a783694d97f9f105a2d662a644639436c6d9baddb64a91071c649b1ac08a249b270387df95e6711436c404543cc613bbb630
-
Filesize
2.4MB
MD58ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA2568268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA5120b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Filesize159KB
MD599bcce4f1d96c6ef25c157c9762d7fba
SHA185125f8f6ddc5dddca55c3c162eadffc7c10c231
SHA2562e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9
SHA512aa31d760be90faf8c2cad5901cdd7ca609f97d327f1c3660af661a43f77e865f5380fa1743969a10642ac4ba4219244d6890a70b4594ff260b34fb71a3518e47
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Filesize159KB
MD599bcce4f1d96c6ef25c157c9762d7fba
SHA185125f8f6ddc5dddca55c3c162eadffc7c10c231
SHA2562e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9
SHA512aa31d760be90faf8c2cad5901cdd7ca609f97d327f1c3660af661a43f77e865f5380fa1743969a10642ac4ba4219244d6890a70b4594ff260b34fb71a3518e47
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2023-05-30_da44b75688848eaad3b888d4ffa3eb8a_darkside_neshta.exe
Filesize159KB
MD599bcce4f1d96c6ef25c157c9762d7fba
SHA185125f8f6ddc5dddca55c3c162eadffc7c10c231
SHA2562e218735fa53e036659ea721bfd7b97e2af67b7eda648e9e2579356eb20899d9
SHA512aa31d760be90faf8c2cad5901cdd7ca609f97d327f1c3660af661a43f77e865f5380fa1743969a10642ac4ba4219244d6890a70b4594ff260b34fb71a3518e47
-
C:\Users\Admin\AppData\Local\Temp\3582-490\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize159KB
MD5550ee7dfd65584abe1e690a307ec3c02
SHA148625b87a6e63f410f47e63582b7f046102dc4cc
SHA256afcab0a603037026ea75aad045a9903485bd58c0e69523af6422a6cf21946301
SHA5128df464d35d96a608c5991f2c16340c57c01a566c87a628dc7bd01a570db4c1a5005d34837398ab60512a124a2b0980c9047c03333858a2f1d05d8d5edaa926ea
-
Filesize
4KB
MD58bb5c1dcbf2619b8ef18b501768ca995
SHA16a783924b7e1d6773a829cdf099dc4a97b12c905
SHA2569f110089ad432e91ed2eb0e4e758f8c038fb29a5e3ddaeed4cc2a54c4ecc3da8
SHA51269c6860a49f1f5bddaad78c333c0daf82bf1267cdc57a55deb1f828e683663be7efecf2bd0cd1371e3802744e9836fcbc1fbcd233925dc98df98288e4ef934a2
-
Filesize
4KB
MD53a9d349e94bf8d041fe13a9f98e7f6f5
SHA121188b97bdbdaa5d3da73f34fc2d0ea256da7139
SHA256ea1cceb18b28d80c5f39f0395e4f13085ea3ca02120c918e1b109e0782230db4
SHA5124b68d5f1f9607fc0f0e492d591e161f1b4a06c264a43120ffee4f9fdefec8edf85f1ea8fbec48db047b54fc1464c780558201e04ead4f106b6d08cb9017cfec7
-
Filesize
10KB
MD51ae5e30e4feda638c75c95598db2432a
SHA1b81179467981e07be338cac0e561eea885ec5890
SHA2563d894c9d499093d2b1175b8afe088c807d00925b4d63c68b0a47c86fc275d1cd
SHA512d1ef6e140d511f8eaf12bbb1a9ab857ede6a958a7cb5e71961e35d7323b7e2084450d5e38bd452d6bc401535050896ecc5689d4630c6d1b16a7e3514a9984f5d