Malware Analysis Report

2024-11-30 11:30

Sample ID 240226-jd6mbsgf3z
Target 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside
SHA256 6fcee00c908b40aac5a7e50007f485fc35ebfbdc2ae6a6d5e0a1f37636caca75
Tags: lockbit
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 6fcee00c908b40aac5a7e50007f485fc35ebfbdc2ae6a6d5e0a1f37636caca75

Threat Level: Known bad

The file 2024-01-26_6a801424860b7e86639254592bbc84b1_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings were exported with this report.

Analysis: static1

Detonation Overview

Reported: 2024-02-26 07:34

Signatures

Lockbit family
    lockbit: rule to detect Lockbit 3.0 ransomware Windows payload
    Description / Indicator / Process / Target: N/A (static scan; no runtime indicator)

Unsigned PE
    Description / Indicator / Process / Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-26 07:34
Reported: 2024-02-26 07:44
Platform: win7-20240221-en
Max time kernel: 370s
Max time network: 365s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"

Signatures

Deletes itself
    Process: C:\ProgramData\6690.tmp (Description / Indicator / Target: N/A)

Executes dropped EXE
    Process: C:\ProgramData\6690.tmp (Description / Indicator / Target: N/A)

Loads dropped DLL
    Process: C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe (Description / Indicator / Target: N/A)

Drops desktop.ini file(s)
    Process: C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe
    File opened for modification: C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini
    File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini
    Note: the per-user recycle-bin folder was opened for modification on both volumes present in the sandbox (C: and F:), consistent with the "Enumerates physical storage devices" signature below: the sample does not confine itself to the system volume.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Process: C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe (Indicator and Target: N/A for every row)

Privileges enabled, in the order logged (64 calls in total):
    1-16: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
    17-64: the four-call pattern SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, repeated 12 times

Note: the sandbox left two entries as raw LUIDs because it could not resolve them to names. On current Windows builds LUID 33 is SeIncreaseWorkingSetPrivilege and LUID 36 is SeDelegateSessionUserImpersonatePrivilege; the latter did not exist before Windows 10, so on this win7 platform that entry cannot have been granted. The first block is a one-time privilege grab: SeBackupPrivilege and SeRestorePrivilege give file access that bypasses ACLs, SeTakeOwnershipPrivilege lets the process take over files it still cannot open, SeSecurityPrivilege covers SACL access and SeDebugPrivilege lets it open other processes. The repeated SeBackup/SeSecurity pairs look like re-enabling ahead of successive file or volume operations; the report does not record what happened between the calls.

Processes

Image: C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"

Image: C:\ProgramData\6690.tmp
Command line: "C:\ProgramData\6690.tmp"

Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6690.tmp >> NUL

Image: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x154

Notes: the command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe, so the caller is a 32-bit process and the path was redirected by WOW64. The DEL command removes the dropped C:\ProgramData\6690.tmp (PROGRA~3 is the 8.3 short name for ProgramData) once it has run, which is what the "Deletes itself" signature above records; a cmd.exe DEL of a ProgramData *.tmp is a cheap process-log hunt for this behaviour. AUDIODG.EXE is the Windows audio device graph host; no signature in this report is attributed to it.

Network

No network activity was recorded in this run.

Files

memory/1992-0-0x0000000002440000-0x0000000002480000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini

MD5 119f0c033aebfcd17d6621b789a0ec45
SHA1 6c6dfc43474de97406152b7bdf7a52c91d13f465
SHA256 ad7b2997a70aa6c475667897845ea895fc0f28113ca52ec29aaddb63d617e585
SHA512 4a123a9d63d8d7bcc5535f97f42b5ddaa2b750b8a10bf6da8e6b14fc8c1875ceb5cf06365c5c263e3c54a12fdccbad9cd0abd9e169e4168742a2d984962801cc

F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\DDDDDDDDDDD

MD5 c9401ac32dbee9ed7a2f3099ac9be234
SHA1 557fdeefba7c8c8e717d938e1caf303af8268eaf
SHA256 992171b188dd3f13c434be9c11fd6dffc19c3d30a8d6ba17d9f9fe8f2b0a3c4d
SHA512 bf821c06055d783cc15f68d49a090561512cc1ff85030520346f36ed8977f46c02d171d250c2c9a593c0ad015d5ade9d84ee6dc5e47a8298da4a620a40ac1e16

\ProgramData\6690.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1932-111-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1932-110-0x0000000002180000-0x00000000021C0000-memory.dmp

memory/1932-109-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1932-112-0x000000007EF80000-0x000000007EF81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 0404a5e9786d26d6ca43ca85a29283fb
SHA1 4d129ab61059da2423e4effa73ddaca040b700b5
SHA256 497c221b682fa2d0caa9d4a082ecd6a8b95f19cfe254cebcabbb2e8f4f41b81a
SHA512 8398e89a5a39fa276a24e51ad27b8011582e95754399cfb740ae90ddaaa7737520cd5cbd4765c47ad186884f9e1de1c21906226bebe0ab6847a08fd247b53ad8

memory/1932-141-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1932-142-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-26 07:34
Reported: 2024-02-26 07:44
Platform: win10v2004-20240221-en
Max time kernel: 447s
Max time network: 452s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"

Signatures

Checks computer location settings
    Key value queried: \REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation
    Process: C:\ProgramData\83A7.tmp
    Note: Geo\Nation holds the user's configured country. Reading it is a common pre-encryption check in ransomware builds that exclude particular regions; it is the dropped payload, not the original executable, that performs the check here, and the report does not show how the value was used.

Deletes itself
    Process: C:\ProgramData\83A7.tmp (Description / Indicator / Target: N/A)

Executes dropped EXE
    Process: C:\ProgramData\83A7.tmp (Description / Indicator / Target: N/A)

Drops desktop.ini file(s)
    Process: C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe
    File opened for modification: C:\$Recycle.Bin\S-1-5-21-3054445511-921769590-4013668107-1000\desktop.ini
    File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3054445511-921769590-4013668107-1000\desktop.ini

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Process: C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe (Indicator and Target: N/A for every row)

Privileges enabled, in the order logged (64 calls in total, the same sequence as in the win7 run):
    1-16: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege
    17-64: the four-call pattern SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, repeated 12 times

Note: the two numeric entries are LUIDs the sandbox did not resolve; on Windows 10 LUID 33 is SeIncreaseWorkingSetPrivilege and LUID 36 is SeDelegateSessionUserImpersonatePrivilege. The identical sequence on win7 and win10 indicates a fixed, platform-independent privilege list in the sample rather than anything derived from the host.

Processes

Image: C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe"

Image: C:\ProgramData\83A7.tmp
Command line: "C:\ProgramData\83A7.tmp"

Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\83A7.tmp >> NUL

Note: same chain as the win7 run with a different run-specific temporary name (83A7.tmp instead of 6690.tmp). The caller is again 32-bit (cmd.exe resolved under SysWOW64), and the dropped payload is deleted through the PROGRA~3 short path after it has executed.

Network

All recorded traffic consists of reverse-DNS (PTR) lookups sent to 8.8.8.8 over UDP/53; no forward lookups and no TCP connections were captured, so the run shows no command-and-control traffic. The queried names, with the address each one reverses, are:

Country | Destination | Domain (PTR query) | Address looked up | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | 40.126.32.68 | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | 20.82.154.241 | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | 96.16.110.41 | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | 20.223.35.26 | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | 20.12.23.50 | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | 20.166.126.56 | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | 88.221.135.217 | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | 96.17.178.173 | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | 52.111.229.19 | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | 96.17.178.194 | udp
US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | 20.42.65.89 | udp

Caveat: the report does not say which process issued these queries. PTR lookups of this kind are also produced by Windows 10 itself, so treat them as environment noise unless host telemetry ties them to the sample.

Files

memory/972-0-0x0000000002A20000-0x0000000002A30000-memory.dmp

memory/972-1-0x0000000002A20000-0x0000000002A30000-memory.dmp

memory/972-2-0x0000000002A20000-0x0000000002A30000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3054445511-921769590-4013668107-1000\GGGGGGGGGGG

MD5 1a9b60dcda63449d11f649cb9a175020
SHA1 2dd0b9a18d17a4fa6c34174505cb0d5c44b3ec05
SHA256 9b73023051d2374c23acf6c205620038b456e057e4e066d95a6babe6ffec46ea
SHA512 7e2585463e319cf5dc17351b6d4cdd3e1bcc9a43cbb4ca9fa0df2a42123f209adc5ea4176a2d65725102f710c055d13cfdbd6a04e848a568c2551d734069f5f3

F:\$RECYCLE.BIN\S-1-5-21-3054445511-921769590-4013668107-1000\DDDDDDDDDDD

MD5 11cee5d64078372ed5dc9476f7458ef9
SHA1 a925888b6fb150d52d43258cb4d1789d489bf66f
SHA256 6c1de50ba854c885d17abc5baf913cd7ae8b1a46b695f9ad69de53f011301880
SHA512 3e5b061339a9cb3fa4a5e7b46ca017d425cbe6f9f9c4a8b38a9e3e4e72c02b71e9d15dcf9c8f58fdab3d98b550d0f49103171de6185f6908d78683a11eed1cda

C:\vF1vX3MgT.README.txt (ransom note written to the root of the system volume; LockBit 3.0 names its note <id>.README.txt, and the same nine-character id is normally the extension it appends to encrypted files, although this export lists no renamed files)

MD5 81a4e6c6fa7b9a1c296450f6b9add683
SHA1 9ef09d4e1ea37f015b178a9f1b13142e1ec1f750
SHA256 e2d62b963f27a08e8baab24db85dc0857b98ae29457fd89e09904617fd136dba
SHA512 51c95a5357efde2e0d3c21f6b634e03047efd13d2c5e13570c38c43ac3171e2ca15bc2919f093032f346b0838b695f5ed9f4d479e5205dd90b411516ce04860b

C:\ProgramData\83A7.tmp (dropped payload; its hashes are identical to \ProgramData\6690.tmp from the win7 run, so the same file is dropped under a run-specific temporary name)

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/3872-114-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/3872-115-0x00000000023C0000-0x00000000023D0000-memory.dmp

memory/3872-116-0x00000000023C0000-0x00000000023D0000-memory.dmp

memory/3872-117-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/3872-118-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 acf9f94faa1396797f19979c7785f379
SHA1 2809188fe9cd307a201fbc3205fde1446f4babfd
SHA256 ae7ae401197e2d902c1177ed40d1eb73d79f90ee6c6bb697e3f1fb26aac9fedd
SHA512 822230db631a18382ef7fca98bab5f554285a2d7661661978d88bd7be1cc007696be3d930831687a6e1db86c9e9b9d54238cb06c8ceb6cb7c7686372e947b8ea

memory/3872-147-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/3872-148-0x000000007FE00000-0x000000007FE01000-memory.dmp
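Detection logic assembled from the two behavioural runs above, as an added example that is not part of the sandbox report and not the sample's own code. It turns the chain the report documents into rules over a host's event list: a four-hex-digit *.tmp executed from C:\ProgramData, cmd.exe deleting that file through the PROGRA~3 short path, desktop.ini in each volume's $Recycle.Bin opened for modification, a <id>.README.txt note at a drive root, and the backup/restore/take-ownership/security privilege set enabled in one AdjustTokenPrivileges pass; it then correlates the deleted .tmp with the executed one to confirm self-deletion. The three-field event layout, the rule weights and the verdict thresholds are assumptions made for illustration, and the sample events are constructed from this report's behavioral2 section.

```python
"""Detection checks derived from the indicators in this report.

Added example, not part of the sandbox output and not the sample's own code.
The (kind, image, detail) event layout is an assumption standing in for
whatever EDR/Sysmon export a real pipeline would parse.
"""
import re
from collections import defaultdict

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-01-26_6a801424860b7e86639254592bbc84b1_darkside.exe")

# Constructed events mirroring the behavioral2 (win10) run. "detail" is the
# command line for proc, the written path for file, and the comma-joined list of
# privileges enabled in one AdjustTokenPrivileges pass for priv.
SAMPLE_EVENTS = [
    ("proc", SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ("proc", r"C:\ProgramData\83A7.tmp", r'"C:\ProgramData\83A7.tmp"'),
    ("proc", r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\83A7.tmp >> NUL'),
    ("file", SAMPLE_EXE,
     r"C:\$Recycle.Bin\S-1-5-21-3054445511-921769590-4013668107-1000\desktop.ini"),
    ("file", SAMPLE_EXE,
     r"F:\$RECYCLE.BIN\S-1-5-21-3054445511-921769590-4013668107-1000\desktop.ini"),
    ("file", SAMPLE_EXE, r"C:\vF1vX3MgT.README.txt"),
    # First privilege pass from the report; the sandbox's numeric LUIDs 33 and 36
    # are written out by name (SeIncreaseWorkingSet / SeDelegateSessionUserImpersonate).
    ("priv", SAMPLE_EXE,
     "SeAssignPrimaryTokenPrivilege,SeBackupPrivilege,SeDebugPrivilege,"
     "SeDelegateSessionUserImpersonatePrivilege,SeImpersonatePrivilege,"
     "SeIncBasePriorityPrivilege,SeIncreaseQuotaPrivilege,SeIncreaseWorkingSetPrivilege,"
     "SeManageVolumePrivilege,SeProfSingleProcessPrivilege,SeRestorePrivilege,"
     "SeSecurityPrivilege,SeSystemProfilePrivilege,SeTakeOwnershipPrivilege,"
     "SeShutdownPrivilege"),
    # Windows audio service host seen in the win7 run: a negative case.
    ("proc", r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x154"),
]

# Up to four hex digits plus ".tmp" directly under ProgramData (6690.tmp, 83A7.tmp).
TMP_IN_PROGRAMDATA = re.compile(r"^[A-Za-z]:\\ProgramData\\([0-9A-F]{1,4}\.tmp)$", re.I)
# cmd.exe /C DEL /F /Q of such a file, via the 8.3 alias PROGRA~3 or the long name.
TMP_DELETE_VIA_CMD = re.compile(
    r'cmd\.exe"?\s+/c\s+del\s+/f\s+/q\s+[A-Za-z]:\\(?:PROGRA~3|ProgramData)\\([0-9A-F]{1,4}\.tmp)',
    re.I)
RECYCLE_DESKTOP_INI = re.compile(
    r"^[A-Za-z]:\\\$RECYCLE\.BIN\\S-1-5-21-[0-9-]+\\desktop\.ini$", re.I)
# "<id>.README.txt" at a drive root; the nine-character id is what this sample used.
RANSOM_NOTE_AT_ROOT = re.compile(r"^[A-Za-z]:\\[A-Za-z0-9]{9}\.README\.txt$")
# Backup/restore bypass file ACLs, take-ownership covers what is still locked,
# security grants SACL access: the set a file encryptor wants on every volume.
FILE_ACCESS_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege",
                     "SeTakeOwnershipPrivilege", "SeSecurityPrivilege"}

WEIGHTS = {  # assumed weights; tune against your own telemetry
    "programdata_tmp_exec": 2, "tmp_delete_via_cmd": 2, "dropped_exe_self_delete": 2,
    "recycle_bin_desktop_ini": 1, "ransom_note_at_drive_root": 4,
    "file_access_privs_enabled": 2,
}


def score_events(events):
    """Map one host's events to the report's signatures and return a verdict."""
    hits = defaultdict(list)
    executed_tmp = set()
    for kind, image, detail in events:
        if kind == "proc":
            m = TMP_IN_PROGRAMDATA.match(image)
            if m:
                executed_tmp.add(m.group(1).lower())
                hits["programdata_tmp_exec"].append(image)
            m = TMP_DELETE_VIA_CMD.search(detail)
            if m:
                hits["tmp_delete_via_cmd"].append(m.group(1))
        elif kind == "file":
            if RECYCLE_DESKTOP_INI.match(detail):
                hits["recycle_bin_desktop_ini"].append(detail)
            if RANSOM_NOTE_AT_ROOT.match(detail):
                hits["ransom_note_at_drive_root"].append(detail)
        elif kind == "priv":
            if FILE_ACCESS_PRIVS <= set(detail.split(",")):
                hits["file_access_privs_enabled"].append(image)
    # Correlate: cmd.exe deleting a .tmp that was itself executed is the
    # self-deletion of the dropped payload ("Deletes itself" in the report).
    for name in list(hits.get("tmp_delete_via_cmd", [])):
        if name.lower() in executed_tmp:
            hits["dropped_exe_self_delete"].append(name)
    score = sum(WEIGHTS[rule] for rule in hits)
    verdict = "ransomware-like" if score >= 6 else "suspicious" if score else "clean"
    return {"hits": dict(hits), "score": score, "verdict": verdict}


if __name__ == "__main__":
    result = score_events(SAMPLE_EVENTS)
    print(result["verdict"], result["score"])
    for rule, evidence in result["hits"].items():
        print(f"  {rule}: {evidence}")
```

Run as-is to see which rules fire for the constructed events. To use it on real data, replace SAMPLE_EVENTS with a reader for your EDR's process-creation and file-write records, and feed the privilege rule from Security event 4703 ("A user right was adjusted") or equivalent token telemetry; the self-deletion correlation is the part worth keeping even if the individual rules are tuned away, because a process that runs from ProgramData and is then removed by cmd.exe is rare in normal software.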