Malware Analysis Report

2024-11-30 11:43

Sample ID: 240223-c54hqaab5t
Target: 2024-02-23_9413646e0b2c875420777060c63ae83e_darkside
SHA256: 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a
Tags: lockbit ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b86bb742db63438a

Threat Level: Known bad

The file 2024-02-23_9413646e0b2c875420777060c63ae83e_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

The "spyware" and "stealer" tags are derived from the generic "Reads user/profile data of web browsers" signature below, which typically also fires when a ransomware opens browser profile files in order to encrypt them; no network activity was recorded in behavioral1 and nothing else in this report points to credential theft. The "darkside" suffix is part of the submitted filename, not a verdict: the static rule names LockBit 3.0, and the behaviour recorded below (a nine-character extension registered under HKLM\SOFTWARE\Classes with a DefaultIcon in C:\ProgramData, a note named <extension>.README.txt, and a dropped .tmp copy in C:\ProgramData that deletes itself through cmd.exe) matches that family.

Renames multiple (340) files with added filename extension

Renames multiple (620) files with added filename extension

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 02:40

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 02:40

Reported

2024-02-23 02:43

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe"

Signatures

Renames multiple (340) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\3765.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\3765.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.WjbIleM3b | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WjbIleM3b\ = "WjbIleM3b" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WjbIleM3b\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WjbIleM3b | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WjbIleM3b\DefaultIcon\ = "C:\\ProgramData\\WjbIleM3b.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A

These five writes register .WjbIleM3b as a file type whose icon is C:\ProgramData\WjbIleM3b.ico, so every encrypted file shows the ransomware's icon in Explorer. The nine-character string is also the extension appended to the renamed files and the prefix of the ransom note (C:\WjbIleM3b.README.txt in the Files section), which makes the HKLM\SOFTWARE\Classes\.<extension> key together with a DefaultIcon under C:\ProgramData a compact, host-based indicator for this run.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
(14 identical events; no indicator detail recorded)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege (this four-row sequence repeats 12 times, 48 rows in the original listing) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A

"Token: 33" and "Token: 36" are privilege LUIDs that the sandbox did not map to names; in the standard Windows privilege table LUID 33 is SeIncreaseWorkingSetPrivilege and LUID 36 is SeDelegateSessionUserImpersonatePrivilege. The first fifteen rows enable a broad set of privileges in one pass at start-up; the alternating SeBackupPrivilege/SeSecurityPrivilege rows that follow are consistent with the payload repeatedly re-asserting backup semantics (read access regardless of file ACLs) while it walks the file system.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe"

C:\ProgramData\3765.tmp

"C:\ProgramData\3765.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3765.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

C:\PROGRA~3 is the 8.3 short name of C:\ProgramData, so the cmd.exe line deletes the dropped copy 3765.tmp once it has run; this is the "Deletes itself" signature above. The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: WOW64 file-system redirection, which means the process that spawned it is 32-bit (the 0x00120000-0x00160000 and 0x7EFxxxxx memory regions in the Files section are likewise 32-bit user-mode addresses). AUDIODG.EXE is the Windows audio device graph isolation process; the report does not show its parent, and nothing here ties it to the sample.
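The three host-side indicators this run leaves behind (the .WjbIleM3b class registration with a DefaultIcon under C:\ProgramData, the cmd.exe /C DEL self-deletion of the dropped .tmp copy, and the mass rename with an appended extension) can be turned into detection logic. The following is an added example, not the sandbox's own signature code: it runs over constructed, Sysmon-style events whose schema (type, image, target, data, command_line, old_name, new_name) is a simplified hypothetical one, and SAMPLE is a made-up path. The regexes encode the patterns seen in this report rather than the specific WjbIleM3b string, so the same logic generalises to any nine-character extension.

```python
"""Added example (not the sandbox's own code): detection logic for the
behaviour this report records, run over constructed Sysmon-style events.
The event schema is a simplified, hypothetical one; SAMPLE is a made-up path."""
import re
from collections import Counter, defaultdict

# Extension registration as recorded under "Modifies registry class":
#   HKLM\SOFTWARE\Classes\.WjbIleM3b                   (key created)
#   HKLM\SOFTWARE\Classes\WjbIleM3b\DefaultIcon = C:\ProgramData\WjbIleM3b.ico
EXT_CLASS_RE = re.compile(r"\\SOFTWARE\\Classes\\\.([A-Za-z0-9]{9})$", re.I)
DEFAULT_ICON_RE = re.compile(r"\\SOFTWARE\\Classes\\([A-Za-z0-9]{9})\\DefaultIcon\\?$", re.I)
ICON_PATH_RE = re.compile(r"^C:\\ProgramData\\[A-Za-z0-9]{9}\.ico$", re.I)
# Self-deletion of the dropped copy, as in the report's cmd.exe line:
#   "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3765.tmp >> NUL
# (C:\PROGRA~3 is the 8.3 short name of C:\ProgramData)
SELF_DELETE_RE = re.compile(
    r'cmd\.exe"?\s+/c\s+del\s+/f\s+/q\s+(c:\\(?:programdata|progra~\d)\\[^\s>]+\.tmp)', re.I)
# Ransom note named <extension>.README.txt, as in C:\WjbIleM3b.README.txt
NOTE_RE = re.compile(r"\\([A-Za-z0-9]{9})\.README\.txt$", re.I)


def detect(events, rename_threshold=20):
    """Return a sorted list of (finding, image, detail) tuples."""
    findings = set()
    class_keys = {}                  # ext -> image that created Classes\.<ext>
    icons = {}                       # ext -> DefaultIcon path under ProgramData
    renames = defaultdict(Counter)   # image -> Counter of appended extensions
    for ev in events:
        img, kind = ev["image"], ev["type"]
        if kind == "RegistryKeyCreate":
            m = EXT_CLASS_RE.search(ev["target"])
            if m:
                class_keys[m.group(1)] = img
        elif kind == "RegistryValueSet":
            m = DEFAULT_ICON_RE.search(ev["target"])
            if m and ICON_PATH_RE.match(ev["data"]):
                icons[m.group(1)] = ev["data"]
        elif kind == "ProcessCreate":
            m = SELF_DELETE_RE.search(ev["command_line"])
            if m:
                findings.add(("self_delete_dropped_tmp", img, m.group(1)))
        elif kind == "FileCreate":
            m = NOTE_RE.search(ev["target"])
            if m:
                findings.add(("ransom_note_dropped", img, m.group(1)))
        elif kind == "FileRename":
            new_ext = ev["new_name"].rsplit(".", 1)[-1]
            # Count only renames that append an extension and keep the old name intact
            if ev["old_name"] + "." + new_ext == ev["new_name"]:
                renames[img][new_ext] += 1
    # Correlate: a new extension registered with a ProgramData icon is the strong
    # signal; a rename burst using that same extension confirms encryption.
    for ext, img in class_keys.items():
        if ext in icons:
            findings.add(("ransomware_extension_registered", img, ext))
            count = renames[img][ext]
            if count >= rename_threshold:
                findings.add(("mass_rename_with_registered_extension", img, f"{ext}:{count}"))
    return sorted(findings)


# Constructed events modelled on this report (hypothetical sample path)
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
SAMPLE_EVENTS = [
    {"type": "RegistryKeyCreate", "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Classes\.WjbIleM3b"},
    {"type": "RegistryValueSet", "image": SAMPLE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Classes\WjbIleM3b\DefaultIcon" + "\\",
     "data": r"C:\ProgramData\WjbIleM3b.ico"},
    {"type": "FileCreate", "image": SAMPLE, "target": r"C:\WjbIleM3b.README.txt"},
    {"type": "ProcessCreate", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3765.tmp >> NUL'},
] + [
    {"type": "FileRename", "image": SAMPLE,
     "old_name": rf"C:\Users\Admin\Documents\doc{i}.docx",
     "new_name": rf"C:\Users\Admin\Documents\doc{i}.docx.WjbIleM3b"} for i in range(25)
]
BENIGN_EVENTS = [
    {"type": "RegistryKeyCreate", "image": r"C:\Program Files\Editor\setup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Classes\.txt"},            # ordinary extension
    {"type": "FileRename", "image": r"C:\Windows\explorer.exe",
     "old_name": r"C:\Users\Admin\Documents\report.tmp",
     "new_name": r"C:\Users\Admin\Documents\report.docx"},            # extension replaced, not appended
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\build.log'},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print("benign:", detect(BENIGN_EVENTS))
```

The rename threshold is deliberately low for the demo; in production it should be tuned per host role, and the correlation should also key on the process that created the Classes key, since a legitimate installer registering a new file type does not go on to rename hundreds of user documents with it.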

Network

N/A

Files

memory/2336-0-0x0000000000120000-0x0000000000160000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

MD5 036a8578713871c8d66f6c58f9782b15
SHA1 1a51e75f328f0c57d1939f14c559861f3ffcc6c0
SHA256 c1becd98a57daa1a14c615e75c4a3a41da3880ad6e062e76270dd47141f503ff
SHA512 1f1ed913218d89136b364a1febad1cb1bbe91cf770f1a04a485441596b52f40a93d19f31d50947850e7a15cb693694a446c0433034eccbf762b091892bbbfb46

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\DDDDDDDDDDD

MD5 c0226d2008684f950bdf5e85a8d7d8e1
SHA1 c68fc1653dd73e9ff25f0e3442556c8cbd9026f5
SHA256 e6462158874052859ca8a3f647d3d53a076aeb4063bb9a2a2fd741453529fd72
SHA512 56c9cc3ac65c2acdeb891240b24efe95cd38614efcd8c12c202620215e69dc72ad30cf59660b9c71f5a9fd1d62b809488699e4bc274768312fc6616a89baa4c9

C:\WjbIleM3b.README.txt (ransom note; the name is the appended extension followed by .README.txt)

MD5 c92f5e29ac8e5bc54f43ffe35c4ef64c
SHA1 d5cb4d09bfaced13c295021664ef07394e2db67b
SHA256 4a6ab2d76ff034dcd462196b12d9a7f27c9fbb05cf71de887c383d2d73952cc9
SHA512 be92134d7fae886c8c8e7ad8c5eebc6d75dac0316c701237ac22a1d3dc71e931b5b3a45c1326d30dfa4be3009217ce89b42914deab36e010883df68bea6540c3

\ProgramData\3765.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1188-864-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1188-865-0x0000000000340000-0x0000000000380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 f0067144257d901bf747104c5bd05e3c
SHA1 94e954ac474c1b88eb788d0754d5cb75f1f778b7
SHA256 311df175226349b92529e8eac2b4b201346c30a29ba9a26fa2735b9dac281b31
SHA512 9da523a58bb59cef06cdc5c0622506f96604629b76af0998e1464fbea4f36bb8cd7bd9814923f50aed5e1e35a4e43bc36a84976b8e847a6eea153fd5a36d869d

memory/1188-872-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1188-870-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1188-869-0x0000000000340000-0x0000000000380000-memory.dmp

memory/1188-898-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/1188-897-0x000000007EF40000-0x000000007EF41000-memory.dmp
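For a responder working from disk rather than from event logs, the Files section gives three things to look for: a burst of files carrying one novel nine-character extension appended after the original one, a note named <extension>.README.txt, and the SHA-256 values of the dropped files. The following triage pass is an added example, not part of the sandbox output; it walks a directory tree, counts appended extensions, pairs them with notes, and hashes every file against the two SHA-256 values the report lists for the dropped copy and the note. build_sample_tree() creates a constructed tree in a temporary directory so the script runs offline; its files are random bytes, so no hash hit is expected on the demo tree.

```python
"""Added example (not part of the sandbox report): disk-side triage for the
artefacts listed in the Files section. build_sample_tree() writes a
constructed tree for demonstration; the SHA-256 IOCs are copied from the report."""
import hashlib
import os
import re
import tempfile
from collections import Counter

# SHA-256 values from the Files section of this report
IOC_SHA256 = {
    "917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2": "ProgramData\\3765.tmp (dropped copy)",
    "4a6ab2d76ff034dcd462196b12d9a7f27c9fbb05cf71de887c383d2d73952cc9": "WjbIleM3b.README.txt (ransom note)",
}
# name.ext.<9 alphanumerics>: original extension kept, new one appended
APPENDED_EXT_RE = re.compile(r"^.+\.[^.]+\.([A-Za-z0-9]{9})$")
NOTE_RE = re.compile(r"^([A-Za-z0-9]{9})\.README\.txt$", re.I)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root, min_files=10, iocs=IOC_SHA256):
    """Scan `root`; return extension counts, suspect/confirmed extensions,
    ransom-note paths and files whose SHA-256 matches a listed IOC."""
    ext_counts, notes, hash_hits = Counter(), [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            m = APPENDED_EXT_RE.match(name)
            if m:
                ext_counts[m.group(1)] += 1
            m = NOTE_RE.match(name)
            if m:
                notes.append((m.group(1), path))
            digest = sha256_of(path)
            if digest in iocs:
                hash_hits.append((path, iocs[digest]))
    # Many files sharing one novel extension is the "Renames multiple files" signal;
    # a note named after the same extension confirms it and rules out an odd backup suffix.
    suspect = {ext for ext, n in ext_counts.items() if n >= min_files}
    confirmed = sorted(ext for ext, _ in notes if ext in suspect)
    return {"extensions": dict(ext_counts), "suspect_extensions": sorted(suspect),
            "confirmed_extensions": confirmed, "notes": notes, "hash_hits": hash_hits}


def build_sample_tree():
    """Constructed directory tree (not from the report) mimicking an affected profile."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for i in range(12):                                   # 12 "encrypted" documents
        with open(os.path.join(docs, f"doc{i}.docx.WjbIleM3b"), "wb") as f:
            f.write(os.urandom(64))
    with open(os.path.join(root, "WjbIleM3b.README.txt"), "w") as f:
        f.write("constructed ransom note text\n")
    with open(os.path.join(docs, "photo.jpeg.backup123"), "wb") as f:   # benign 9-char suffix, one file
        f.write(b"not encrypted")
    with open(os.path.join(root, "archive.tar.gz"), "wb") as f:
        f.write(b"benign")
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Point it at a mounted image or a user profile with triage(r"E:\Users") on a real case. The hash match catches the dropped copy even if it was renamed, which matters because both runs in this report used a different temporary name for it (3765.tmp on Windows 7, 739B.tmp on Windows 10).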

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 02:40

Reported

2024-02-23 02:43

Platform

win10v2004-20240221-en

Max time kernel

146s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe"

Signatures

Renames multiple (620) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation | C:\ProgramData\739B.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\739B.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\739B.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1712835645-2080934712-2142796781-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1712835645-2080934712-2142796781-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | C:\Windows\splwow64.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPw4b6_8v470rzyr1cjqcmibh5b.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPj02qza13v51rdfjab1l086pmc.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A
File created | C:\Windows\system32\spool\PRINTERS\PPrsacm4rj1zofq0g9osd0cv10b.TMP | C:\Windows\system32\printfilterpipelinesvc.exe | N/A

All four files are written by the print spooler's own processes (splwow64.exe, printfilterpipelinesvc.exe), not by the sample, which shows that a print job was submitted during the run. LockBit 3.0 is known to send its ransom note to attached printers, so this is consistent with the note being printed, although the report does not show the job's content. The signature name "Drops file in System32 directory" should not be read as the sample writing to System32 itself.

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | N/A

Both of these signatures are attributed to ONENOTE.EXE, not to the sample or to the dropped copy 739B.tmp. Reading CPU and BIOS values is typical of Office start-up, so treat these rows as sandbox noise unless process-tree data shows the sample launched OneNote.

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.WjbIleM3b | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WjbIleM3b\ = "WjbIleM3b" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WjbIleM3b\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WjbIleM3b | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WjbIleM3b\DefaultIcon\ = "C:\\ProgramData\\WjbIleM3b.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
(64 identical events; no indicator detail recorded)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege (this four-row sequence repeats 10 times, 40 rows in the original listing) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe | N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4652 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe C:\Windows\splwow64.exe
PID 4652 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe C:\Windows\splwow64.exe
PID 4652 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe C:\ProgramData\739B.tmp
PID 4652 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe C:\ProgramData\739B.tmp
PID 4652 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe C:\ProgramData\739B.tmp
PID 4652 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe C:\ProgramData\739B.tmp
PID 4356 wrote to memory of 3608 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4356 wrote to memory of 3608 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 1388 wrote to memory of 5048 N/A C:\ProgramData\739B.tmp C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 5048 N/A C:\ProgramData\739B.tmp C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 5048 N/A C:\ProgramData\739B.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-23_9413646e0b2c875420777060c63ae83e_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\ProgramData\739B.tmp

"C:\ProgramData\739B.tmp"

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B782C02A-3DC5-4B3D-947B-7F246406606E}.xps" 133531296387510000

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\739B.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4652-0-0x0000000000F80000-0x0000000000F90000-memory.dmp

memory/4652-1-0x0000000000F80000-0x0000000000F90000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1712835645-2080934712-2142796781-1000\desktop.ini

MD5 e874204b2b5281b2c189f841b395f1c2
SHA1 51c3dbbd6c6cb0ca842d6f52d9e622d0f46b77d7
SHA256 30191f636310a9f298149e8609a9e028609bfafe4b60f2e40cd49fbec95a966b
SHA512 3e19cecaf592cbad8bb317fdda1b02e23d4eda116b90fbd6b6082d490674d25284a443aa7cafe9f1d791418dc1eafb53eccd5adfa4f391e1640a80caef9dcc41

F:\$RECYCLE.BIN\S-1-5-21-1712835645-2080934712-2142796781-1000\DDDDDDDDDDD

MD5 e4c7b10cf2f518dcdd5f927fb55ab2dd
SHA1 53aad785da7c521a540a3b4bb81970b6b8fdce67
SHA256 a4ab4e128a9e3bc2e6170979e960a2340edc20e0a1ba878a72dd7eee4168163d
SHA512 722177badb8b47e65f7071830921d173032b942a3ea4da23faf9a0405fd0a6b267250b25e61a036e29bf0c2e24ef0175be13f687c69bcd401950b79bdc39a101

C:\WjbIleM3b.README.txt

MD5 c92f5e29ac8e5bc54f43ffe35c4ef64c
SHA1 d5cb4d09bfaced13c295021664ef07394e2db67b
SHA256 4a6ab2d76ff034dcd462196b12d9a7f27c9fbb05cf71de887c383d2d73952cc9
SHA512 be92134d7fae886c8c8e7ad8c5eebc6d75dac0316c701237ac22a1d3dc71e931b5b3a45c1326d30dfa4be3009217ce89b42914deab36e010883df68bea6540c3

C:\ProgramData\739B.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1388-2786-0x00000000005A0000-0x00000000005B0000-memory.dmp

memory/1388-2787-0x00000000005A0000-0x00000000005B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 1e1f64d807d7ec225057a672116649fc
SHA1 d3d500770ca30b2c592b89152ce5d1bc673c9236
SHA256 b319af0304630b34669e41385a2b5a75a87251402944302cabd7171ab763b44d
SHA512 4e25b5be85179e8dfa58cc9a1a8b7f0566e777ce794f3a2c876a153a8b2a3700077d1fef1b53b3f4da81c9c1688a7c94564041e89ecc5edec87eb5ecc95c0d89

memory/1388-2817-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/1388-2798-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/1388-2785-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/1388-2818-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/1388-2820-0x000000007FE00000-0x000000007FE01000-memory.dmp

memory/3608-2829-0x00007FFBB9250000-0x00007FFBB9260000-memory.dmp

memory/3608-2830-0x00007FFBB9250000-0x00007FFBB9260000-memory.dmp

memory/3608-2832-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2833-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2835-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2834-0x00007FFBB9250000-0x00007FFBB9260000-memory.dmp

memory/3608-2837-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2836-0x00007FFBB9250000-0x00007FFBB9260000-memory.dmp

memory/3608-2838-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2831-0x00007FFBB9250000-0x00007FFBB9260000-memory.dmp

memory/3608-2840-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2839-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2842-0x00007FFBB6BF0000-0x00007FFBB6C00000-memory.dmp

memory/3608-2841-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2843-0x00007FFBB6BF0000-0x00007FFBB6C00000-memory.dmp

memory/3608-2844-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2845-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2846-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2847-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2848-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2849-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2850-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2851-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{0EF3F5F4-A3A8-48E7-AC12-1F153653C662}

MD5 a77c7fb17a4b8ba0f0019dcb58962a63
SHA1 e7ee0c48db1883e38d9cfe4874f8062891892275
SHA256 abebd98fc2982c6ce3514be18e7d0cae17e95c634c064bbf0fff7189c1306ed4
SHA512 8eead8bd4c6889afe39ad9d7503a6a619c9dc564824ebe724bcbc4d3dee25c069729017778e9563c652e8f0158d4bcebea332810e3f2921be7a9306128121571

memory/3608-2868-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp

memory/3608-2869-0x00007FFBF91D0000-0x00007FFBF93C5000-memory.dmp