Malware Analysis Report

2024-11-30 11:30

Sample ID 240126-e4cpqafcdp
Target 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside
SHA256 6fcee00c908b40aac5a7e50007f485fc35ebfbdc2ae6a6d5e0a1f37636caca75
Tags lockbit
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-26 04:29

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-26 04:29
Reported 2024-01-26 04:32
Platform win10v2004-20231215-en
Max time kernel 142s
Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | C:\ProgramData\C927.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\C927.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\C927.tmp | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-635608581-3370340891-292606865-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-635608581-3370340891-292606865-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"

C:\ProgramData\C927.tmp

"C:\ProgramData\C927.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C927.tmp >> NUL

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp

Files

memory/4400-1-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/4400-0-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/4400-2-0x0000000000FF0000-0x0000000001000000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-635608581-3370340891-292606865-1000\AAAAAAAAAAA

MD5 47270b2b04fad838c11e8e95b8ae99d5
SHA1 11022e59f7e4a5ae1b18c9a598e079ad41b447bf
SHA256 724412f9668a929acd59b2d6a32374153fc73d8a9c81a6e4a4255911476f1bdc
SHA512 0717880ed09898c9a0c67d9f08aac96c151ff4b2f4a573a2bfc3f23d208595b1c16357c538bff696e83b4d56037a8273c868511fdfab12b28e9525c82a63aeaa

F:\$RECYCLE.BIN\S-1-5-21-635608581-3370340891-292606865-1000\DDDDDDDDDDD

MD5 054ad2ec93d5fff2a89889b36d4beb55
SHA1 a253029b0a5a018733ca5fe525acaac02c35cdf1
SHA256 656586481fa9f72e729bbc7b69c3708a261962006eecc00134e81fc11e135b42
SHA512 c847580179237cdbbadb0b85559267d4737e1e1b3f20bcbec9aa183c8761a10acdce21a558d7d2e1b4d6c5a0ee49d8f75666179340c2de25503d93f0354b4ecb

C:\vF1vX3MgT.README.txt

MD5 81a4e6c6fa7b9a1c296450f6b9add683
SHA1 9ef09d4e1ea37f015b178a9f1b13142e1ec1f750
SHA256 e2d62b963f27a08e8baab24db85dc0857b98ae29457fd89e09904617fd136dba
SHA512 51c95a5357efde2e0d3c21f6b634e03047efd13d2c5e13570c38c43ac3171e2ca15bc2919f093032f346b0838b695f5ed9f4d479e5205dd90b411516ce04860b

memory/4400-110-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/4400-111-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/4400-112-0x0000000000FF0000-0x0000000001000000-memory.dmp

C:\ProgramData\C927.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2516-117-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/2516-118-0x0000000002930000-0x0000000002940000-memory.dmp

memory/2516-119-0x0000000002930000-0x0000000002940000-memory.dmp

memory/2516-120-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/2516-121-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 3c755aa3c75c28b94bd406e50dfadc77
SHA1 39a8a1383d4292bab9878113999237a4576bc67d
SHA256 1517c16d0e83e86e712f736cffbfb0038ca603088fcdfa11cb15175141f87e7d
SHA512 825f4f84edd5e3b901033b1d57d9b393d348689ded0cf57ff8a412b542437eb0c966139cf41c748cce4b291510a02d405a27a5ddbed483a1fb2a23a2c1ebdc1e

memory/2516-150-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/2516-151-0x000000007FE00000-0x000000007FE01000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-26 04:29
Reported 2024-01-26 04:31
Platform win7-20231215-en
Max time kernel 119s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\1822.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\1822.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3818056530-936619650-3554021955-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3818056530-936619650-3554021955-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"

C:\ProgramData\1822.tmp

"C:\ProgramData\1822.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1822.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x148

Network

N/A

Files

memory/2496-0-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3818056530-936619650-3554021955-1000\desktop.ini

MD5 e4edb58eecc035441deb3ba9150386a6
SHA1 8763b43f5ed1963ab7f22d5457a3b6608e19fd29
SHA256 4d421f61d287c2cc33ae3ddac93db2789335fc00adb2bc063afd0a204ecfdf92
SHA512 96b303ddcd302fb2e1ae949609b2bd7592c315421a87370e1291f9a7ea1b1ff908c0099e2bfa75bc9f67ee685cc5e800533d5d01100ff5a61de7716309761b9a

F:\$RECYCLE.BIN\S-1-5-21-3818056530-936619650-3554021955-1000\DDDDDDDDDDD

MD5 b775aeecc7cbdc25835ea12755270ca1
SHA1 6bdd56a0433d2b132a8e0f17bfcb04681020fc04
SHA256 5a0798fa947980e6bd8d61f90a223836bfe5406151d59fa1fef05ddcde3e3469
SHA512 3e22dd71da9d86d7e0d423eca4beadba4347ee449e327c913c5007c74110a43c60a77f38eb64e4dbe2e2757898ea13657812be4ef1611e3486e7bf27d209b10c

C:\ProgramData\1822.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2184-113-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2184-111-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2184-110-0x00000000021E0000-0x0000000002220000-memory.dmp

memory/2184-108-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2184-114-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 727d3f29e6adb4146d4bb2da56ebb383
SHA1 4d1ab6872b780b233207b50ed26d9112272a86b4
SHA256 ddc96749536db80ffb9d5362481f6c2018189eff5cd6a866ddb9cbed600d6ca9
SHA512 bc2114a79cb06862bce5a49f25258385f07e0fd286ce50404ee63046fb38d39982a21df6f13ee98319c340d3a036dae932c6972f8bea58fbca60fad0cc3822a0

memory/2184-142-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2184-143-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/2184-144-0x0000000000400000-0x0000000000407000-memory.dmp