Malware Analysis Report

2024-11-30 11:30

Sample ID 240226-tywyqsae55
Target 2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside
SHA256 a340d3ddacb9a9890f94c995510611099a682cf482323b6fd9922c2311c93782
Tags
ransomware spyware stealer lockbit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a340d3ddacb9a9890f94c995510611099a682cf482323b6fd9922c2311c93782

Threat Level: Known bad

The file 2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside was found to be: Known bad.

Malicious Activity Summary

ransomware spyware stealer lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (360) files with added filename extension

Renames multiple (579) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Deletes itself

Drops desktop.ini file(s)

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-26 16:28

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 16:28

Reported

2024-02-26 16:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe"

Signatures

Renames multiple (360) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\8057.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\8057.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
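
Two rows in the table above are printed as bare numbers (Token: 36 and Token: 33) because the sandbox had no name for those LUIDs. The following Python is an added triage helper, not part of the sandbox output: it resolves the numeric entries from the SE_*_PRIVILEGE constants in the Windows SDK header winnt.h, counts how often each privilege is requested, and marks the ones that let a process bypass DACLs or touch other processes. The ROWS list is a constructed excerpt of the Description column (the first 16 distinct requests plus two of the repeated Backup/Security groups), not the full table.

```python
"""Triage the AdjustPrivilegeToken table from a sandbox report.

Added example, not part of the report. Numeric entries the sandbox could
not name (Token: 33, Token: 36) are resolved from the SE_*_PRIVILEGE
constants in the Windows SDK header winnt.h.
"""
from collections import Counter
from typing import Dict, List, Tuple

# LUID low part -> privilege name, from winnt.h. Only the two values the
# report leaves unresolved are listed; extend from the header as needed.
WINNT_LUIDS: Dict[int, str] = {
    33: "SeIncreaseWorkingSetPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Privileges that bypass file ACLs, overwrite arbitrary files or reach
# into other processes: the ones worth calling out for a file encryptor.
HIGH_IMPACT = frozenset({
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeSecurityPrivilege",
    "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
})

# Constructed excerpt of the report's Description column.
ROWS: List[str] = [
    "Token: SeAssignPrimaryTokenPrivilege", "Token: SeBackupPrivilege",
    "Token: SeDebugPrivilege", "Token: 36", "Token: SeImpersonatePrivilege",
    "Token: SeIncBasePriorityPrivilege", "Token: SeIncreaseQuotaPrivilege",
    "Token: 33", "Token: SeManageVolumePrivilege",
    "Token: SeProfSingleProcessPrivilege", "Token: SeRestorePrivilege",
    "Token: SeSecurityPrivilege", "Token: SeSystemProfilePrivilege",
    "Token: SeTakeOwnershipPrivilege", "Token: SeShutdownPrivilege",
    "Token: SeDebugPrivilege",
] + ["Token: SeBackupPrivilege", "Token: SeBackupPrivilege",
     "Token: SeSecurityPrivilege", "Token: SeSecurityPrivilege"] * 2


def resolve(description: str) -> str:
    """Turn 'Token: <name or LUID>' into a privilege name."""
    value = description.split(":", 1)[1].strip()
    if value.isdigit():
        return WINNT_LUIDS.get(int(value), f"UnknownPrivilege({value})")
    return value


def triage(rows: List[str]) -> List[Tuple[str, int, bool]]:
    """(privilege, times requested, high-impact?) sorted by count, then name."""
    counts = Counter(resolve(r) for r in rows)
    return sorted(((name, n, name in HIGH_IMPACT) for name, n in counts.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for name, n, hot in triage(ROWS):
        print(f"{'!' if hot else ' '} {n:3d}  {name}")
```

Run against the complete table the counts for SeBackupPrivilege and SeSecurityPrivilege grow with every repeated group; the script only summarises, it does not explain why a privilege was enabled, so read the counts next to the file activity in the Files section.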

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe"

C:\ProgramData\8057.tmp

"C:\ProgramData\8057.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8057.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154
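
The process list above shows the chain a detection engineer wants to catch: the sample drops a hex-named .tmp into C:\ProgramData, runs it as a program, and that process spawns cmd.exe to delete it (DEL /F /Q through the 8.3 path C:\PROGRA~3 with output sent to NUL). The Python below is an added example, not part of the sandbox report. It runs two rules over Sysmon Event ID 1 style process-creation records that are constructed here from the Processes section: PIDs 2496 and 1008 are taken from the memory-dump names in the Files section, the other PIDs and the parent of the sample are assumed. The second rule matches on file basename so that the 8.3 form and the long path compare equal.

```python
"""Flag the drop-execute-self-delete chain in this report's process tree.

Added example, not part of the sandbox output. EVENTS is constructed from
the report's Processes section; PIDs 2496 and 1008 come from the memory
dump names, the remaining PIDs and parent images are assumed.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe"

EVENTS: List[Dict[str, str]] = [
    {"pid": "2496", "image": SAMPLE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": "1008", "image": r"C:\ProgramData\8057.tmp", "parent": SAMPLE,
     "cmdline": r'"C:\ProgramData\8057.tmp"'},
    {"pid": "1716", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\ProgramData\8057.tmp",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8057.tmp >> NUL'},
    # Benign control: an operator deleting a file from an interactive shell.
    {"pid": "3040", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\old.log'},
]

# Rule 1: a bare hex-named .tmp directly under ProgramData executed as a
# program (8057.tmp on Win7 and 54B.tmp on Win10 in this report).
PROGRAMDATA_TMP = re.compile(r"^[a-z]:\\programdata\\[0-9a-f]{1,8}\.tmp$", re.I)

# Rule 2 helper: DEL, any of the /F /Q /A /S switches, then the target path.
DEL_TARGET = re.compile(r"\bDEL\b\s+(?:/[FQAS]\s+)*(?P<path>\"[^\"]+\"|\S+)", re.I)


def basename(path: str) -> str:
    # Last path component, unquoted and lower-cased, so that the 8.3 form
    # C:\PROGRA~3\8057.tmp and C:\ProgramData\8057.tmp compare equal.
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, pid, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        if PROGRAMDATA_TMP.match(ev["image"]):
            findings.append(("exec_programdata_tmp", ev["pid"], ev["image"]))
        if basename(ev["image"]) == "cmd.exe":
            m = DEL_TARGET.search(ev["cmdline"])
            # Self-deletion: cmd.exe was told to delete its own parent's image.
            if m and basename(m.group("path")) == basename(ev["parent"]):
                findings.append(("self_delete_via_cmd", ev["pid"], ev["parent"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24s} pid={pid} {detail}")
```

The self-delete rule deliberately ignores the `>> NUL` redirect and the exact directory: both vary between builds, while "cmd.exe deleting the image of the process that launched it" does not. The benign control record shows an interactive DEL of an unrelated file is not flagged.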

Network

N/A

Files

memory/2496-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini

MD5 8226a7720e70c6ffb1132e46d9a64492
SHA1 f9a839e9213748f7598a55e2f06e816779a37892
SHA256 91f6caa90a6821ad772b2be1e55010be54f0fa0bafafeabe64923eede48fae61
SHA512 0de5d84106c97106a98d10d3a9e4d3f672500f9f79c88e5724a1092a79f6f1e0cde3c9d0d426b962fcc15d656c935837515a7e008610cb46db4321a9b0663770

C:\5HUsXQO5d.README.txt

MD5 0691c93bf51c396dfff8351e9907f1bb
SHA1 786e6b4c1c8e1dc4e1034b4cf325bfde5a5e6703
SHA256 3279518fd767bc4a69524d53f8a61578c26ed349f27d7e51d3499b2025733719
SHA512 a5db8315ae398cdfa8df5717896ca236dffe99758855c7e4f4c9793a68d75917dd49a248cda01999bdab59c360ea8bdf8d6e2301a2ff417f8111bd4c8bfb8cee

F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\HHHHHHHHHHH

MD5 56e7e304bbf648b77b3a679b4b3f3c85
SHA1 b1d67b5fe179aeb0f6405e8c7f1d1819bd48fe61
SHA256 9a26d7e514f958beb1d8c973390c2409aaab9ea3d79f5b90ea8948ceda0e84fc
SHA512 373b903e5fa2609b0b917dd3b00f6df5278704940addcd748ad0b28416e896e2449d964bb19e6779fa50e9c57bc8d4dc85d3c288d0acb294031d15c74fc8210d

\ProgramData\8057.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1008-882-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1008-884-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1008-885-0x0000000002330000-0x0000000002370000-memory.dmp

memory/1008-890-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1008-887-0x000000007EF80000-0x000000007EF81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 0ab1224aab60b27f8ddc08692c05cc91
SHA1 88d6d07f8dd339b60850481d488fe001039782e5
SHA256 4da5f8705c97825b4d82e3fce1f1464c5a02ae51b02daaa143a997b18afc9597
SHA512 21e330dadce6d75b4a59a2b03650c410d0219ff242d9edab9e6e64f4922b5ce9c53bcc3c4e80cc37a69e47d2fdd33673be3959fe44945516bf5f340e2e879090

memory/1008-916-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1008-917-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/1008-918-0x0000000000400000-0x0000000000407000-memory.dmp
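
The file activity in this run (360 files renamed with an added extension on Win7, 579 on Win10) and the dropped note C:\5HUsXQO5d.README.txt share one detail: the note's name is the added extension. The Python below is an added example, not part of the sandbox report, showing how to detect that pairing from file events without depending on the extension string, which is specific to this build. The events are constructed to mirror the report (60 document renames, the note, the desktop.ini modification listed under "Drops desktop.ini file(s)", and two benign renames as controls); field names are assumed, not from any particular product.

```python
r"""Detect a mass rename to a single added extension plus a matching note.

Added example, not part of the sandbox report. EVENTS is constructed to
mirror the report: files renamed to <name>.<ext> and a note named
<ext>.README.txt dropped at the volume root (C:\5HUsXQO5d.README.txt).
"""
from collections import defaultdict
from typing import Dict, List, Optional

EXT = "5HUsXQO5d"  # taken from the note name in the report; any value works

# Constructed event list.
EVENTS: List[Dict[str, str]] = (
    [{"op": "rename",
      "old": rf"C:\Users\Admin\Documents\report{i}.docx",
      "new": rf"C:\Users\Admin\Documents\report{i}.docx." + EXT} for i in range(60)]
    + [{"op": "create", "path": "C:\\" + EXT + ".README.txt"},
       {"op": "modify",
        "path": r"C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini"},
       # Controls: one added extension on a single file, one changed extension.
       {"op": "rename", "old": r"C:\Users\Admin\draft.txt", "new": r"C:\Users\Admin\draft.txt.bak"},
       {"op": "rename", "old": r"C:\Users\Admin\build.tmp", "new": r"C:\Users\Admin\build.exe"}]
)


def added_extension(old: str, new: str) -> Optional[str]:
    """Suffix appended as '.<suffix>' to the old name, or None when the
    rename did something else (replaced the extension, moved the file)."""
    if (len(new) > len(old) + 1 and new[len(old)] == "."
            and new[:len(old)].lower() == old.lower()):
        return new[len(old) + 1:]
    return None


def detect(events: List[Dict[str, str]], threshold: int = 50) -> List[Dict[str, object]]:
    """Group renames by the extension they add and report every extension
    that crosses the threshold, noting whether an <ext>.README.txt note
    was created in the same event stream."""
    renamed: Dict[str, List[str]] = defaultdict(list)
    notes = set()
    for ev in events:
        if ev["op"] == "rename":
            ext = added_extension(ev["old"], ev["new"])
            if ext:
                renamed[ext].append(ev["new"])
        elif ev["op"] == "create":
            name = ev["path"].rsplit("\\", 1)[-1]
            if name.lower().endswith(".readme.txt"):
                notes.add(name[:-len(".README.txt")].lower())
    findings = []
    for ext, files in renamed.items():
        if len(files) >= threshold:
            has_note = ext.lower() in notes
            findings.append({
                "extension": ext,
                "count": len(files),
                "ransom_note": has_note,
                "confidence": "high" if has_note else "medium",
                "sample": files[0],
            })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['confidence']}: {f['count']} files -> .{f['extension']}, note={f['ransom_note']}")
```

The threshold is the knob to tune against legitimate churn (backup tools that append .bak to many files will trip the count rule alone, which is why a count-only hit is reported as medium and only the count plus note pairing as high).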

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 16:28

Reported

2024-02-26 16:31

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe"

Signatures

Renames multiple (579) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation C:\ProgramData\54B.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\54B.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\54B.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1414748551-1520717498-2956787782-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1414748551-1520717498-2956787782-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PP9tuslyxj14uq5_mpj3n29g2rd.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPco1v6snn5aizt7hihfcefwgde.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPp87xmstzlazpg7l0gfvsqmxvc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe C:\Windows\splwow64.exe
PID 4764 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe C:\Windows\splwow64.exe
PID 2132 wrote to memory of 2740 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 2132 wrote to memory of 2740 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4764 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe C:\ProgramData\54B.tmp
PID 4764 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe C:\ProgramData\54B.tmp
PID 4764 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe C:\ProgramData\54B.tmp
PID 4764 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe C:\ProgramData\54B.tmp
PID 3720 wrote to memory of 4916 N/A C:\ProgramData\54B.tmp C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 4916 N/A C:\ProgramData\54B.tmp C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 4916 N/A C:\ProgramData\54B.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{162033E9-D0C9-4678-BB66-ED7F52D9635C}.xps" 133534385438560000

C:\ProgramData\54B.tmp

"C:\ProgramData\54B.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\54B.tmp >> NUL
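
Read together with the WriteProcessMemory table, this process list gives the launch chain: the sample (PID 4764) starts splwow64.exe and also drops and runs C:\ProgramData\54B.tmp (PID 3720), which spawns cmd.exe to delete the .tmp file; that last step is what the "Deletes itself" signature refers to. printfilterpipelinesvc.exe launching ONENOTE.EXE with /insertdoc on an .xps file, and the PrintWorkflow svchost, are the print pipeline rendering a document, consistent with the sample driving the spooler. The Python below is an added example and not part of the sandbox output: it parses the rows exactly as they are copied from this report, rebuilds the chain, and flags the self-deletion by comparing the file name handed to DEL with the parent's image name. DEL is given the 8.3 short form C:\PROGRA~3\54B.tmp, so a full-path comparison would miss the match. The row strings and the image-path-to-command-line mapping are constructed from the report (the mapping carries only the entries the check needs); no data is fetched from the sandbox.

```python
"""Rebuild the process chain from a sandbox report's WriteProcessMemory rows
and flag the cmd.exe DEL self-deletion step.

Added example, not part of the report. WPM_ROWS and CMDLINES are copied by
hand from the report's "Suspicious use of WriteProcessMemory" table and
"Processes" list (constructed input, nothing is pulled from the sandbox).
"""
import ntpath
import re
import shlex

# One row per distinct writer/target pair from the report.
WPM_ROWS = [
    r"PID 4764 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe C:\Windows\splwow64.exe",
    r"PID 2132 wrote to memory of 2740 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
    r"PID 4764 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe C:\ProgramData\54B.tmp",
    r"PID 3720 wrote to memory of 4916 N/A C:\ProgramData\54B.tmp C:\Windows\SysWOW64\cmd.exe",
]

# Command lines from the "Processes" list, keyed by the image path the
# WriteProcessMemory row records. The report lists the 32-bit cmd.exe under
# SysWOW64 while its own command line says System32 (file-system redirection).
CMDLINES = {
    r"C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\2024-02-26_2cfd21f10de8f364adb52547229cb26d_darkside.exe"',
    r"C:\Windows\splwow64.exe": r"C:\Windows\splwow64.exe 12288",
    r"C:\ProgramData\54B.tmp": r'"C:\ProgramData\54B.tmp"',
    r"C:\Windows\SysWOW64\cmd.exe": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\54B.tmp >> NUL',
}

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; the second
# path is anchored on its drive letter because the first one may contain spaces.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.*)$")


def build_tree(rows):
    """Return (parent_of, image_of): child PID -> parent PID, PID -> image path.

    In this report every write goes from a process into one it has just
    launched, so the write edge doubles as the parent/child relation. A write
    into an already running process would be injection and must not be
    folded into a tree like this.
    """
    parent_of, image_of = {}, {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        image_of[src] = src_img
        image_of[dst] = dst_img
        parent_of[dst] = src
    return parent_of, image_of


def chain_for(pid, parent_of, image_of):
    """Image paths from the chain root down to `pid` (cycle-safe)."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(image_of.get(pid, f"<pid {pid}>"))
        pid = parent_of.get(pid)
    return list(reversed(chain))


def del_target(cmdline):
    """Path handed to DEL/ERASE in a cmd.exe command line, or None."""
    tokens = shlex.split(cmdline, posix=False)   # keeps quoted paths whole
    for i, tok in enumerate(tokens):
        if tok.upper() in ("DEL", "ERASE"):
            for arg in tokens[i + 1:]:
                if arg.startswith("/"):                   # /F /Q /S /A switches
                    continue
                if arg in (">", ">>", "2>", "&", "&&", "|"):
                    break
                return arg.strip('"')
    return None


def find_self_deletion(parent_of, image_of, cmdlines):
    """cmd.exe children whose DEL target has the parent's own image file name.

    DEL receives the 8.3 short name (C:\\PROGRA~3\\54B.tmp), so the comparison
    is on the file name only; expanding short names needs the original volume.
    """
    hits = []
    for child, parent in parent_of.items():
        child_img = image_of.get(child, "")
        if ntpath.basename(child_img).lower() != "cmd.exe":
            continue
        target = del_target(cmdlines.get(child_img, ""))
        if target is None:
            continue
        parent_name = ntpath.basename(image_of.get(parent, "")).lower()
        if parent_name and ntpath.basename(target).lower() == parent_name:
            hits.append((child, parent, target))
    return hits


if __name__ == "__main__":
    parents, images = build_tree(WPM_ROWS)
    for child, parent, target in find_self_deletion(parents, images, CMDLINES):
        print("self-deletion by PID", parent, ":", " -> ".join(chain_for(child, parents, images)))
        print("  DEL target:", target)
```

The same basename check carries over to telemetry with real parent PIDs (Sysmon event 1 or EDR process-start records), where the parent's image path is recorded directly and no WriteProcessMemory edge is needed; the short-name caveat still applies there.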

Network

Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 188.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/4764-1-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/4764-2-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/4764-0-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1414748551-1520717498-2956787782-1000\desktop.ini

MD5 b0c26fb73dd3c3ed42410cbdf5133456
SHA1 10bcbf243202a58e0e0f1070699dfda1b444e0c4
SHA256 a76ed906bd51fc143fba8bd16316c7c9592bcf0ca9ad8b1f22da03e4bfc694e3
SHA512 c87aec55d84f8a81c17a9864b86b8e26b8d12ef3f5e96d3b78b917e0a3b991e86d010886ebcf9a2f3746e2e80c3cd5828a228e483ba12937d455b5a629ff624f

F:\$RECYCLE.BIN\S-1-5-21-1414748551-1520717498-2956787782-1000\DDDDDDDDDDD

MD5 71f9fe0689336d216dc6c39193cf2462
SHA1 b9e994d7111c98da0da7eb64070b08eb96e7c72e
SHA256 1d15e95c511680252b741745d29adff6e8c2e8ff6b17424ec83960e4669486c8
SHA512 f583cfc76c0110738a7993f4538b54737adb399ddd206a89bfe43d83af494440fba06b3f0ce2962f0d51f0e7c8e30999e6738cb8404965a7c12a4685ff014976

C:\5HUsXQO5d.README.txt

MD5 152b58233860e7cdbb05c6a5103212b1
SHA1 276c6ff2ed1d28a29a935569311f0ded096d6d37
SHA256 bed3d9257c2d7b33fb9cc9a750d51a7c85222e7567793bf30b8aa0554b459f11
SHA512 e3d4420922e4674916ba473982bebb86f83c9caf991b494f0b2c30c3d638dd60675847a065ec593ef98ba91482f247de1fdc043139f585b831addecc838a8b4e

memory/4764-2739-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/4764-2740-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/4764-2741-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/2740-2753-0x00007FFBCEC30000-0x00007FFBCEC40000-memory.dmp

C:\ProgramData\54B.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2740-2755-0x00007FFBCEC30000-0x00007FFBCEC40000-memory.dmp

memory/2740-2758-0x00007FFBCEC30000-0x00007FFBCEC40000-memory.dmp

memory/2740-2760-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2759-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2761-0x00007FFBCEC30000-0x00007FFBCEC40000-memory.dmp

memory/2740-2762-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2763-0x00007FFBCEC30000-0x00007FFBCEC40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 268581cdc3c5909c2eb70a3024613655
SHA1 3870ca8e924e181d0a46bcf83261d53eec1ac1e2
SHA256 05906e54b270417921435312d3f4a63b311aba66e8949da51c27ab7913976cfa
SHA512 b0c2e6e7a187f69a63bc783199d73922741c62fab6394e43de171d16a0eb3502bb3054c69b6e4ef2d1f1acaade1a2fed9217f1ba10852cd50b097120ae1962eb

memory/2740-2764-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2793-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2794-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2796-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2795-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2797-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2799-0x00007FFBCC760000-0x00007FFBCC770000-memory.dmp

memory/2740-2798-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2800-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2801-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2802-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2803-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2805-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/3720-2806-0x0000000002360000-0x0000000002370000-memory.dmp

memory/3720-2808-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/3720-2807-0x0000000002360000-0x0000000002370000-memory.dmp

memory/3720-2809-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/2740-2804-0x00007FFBCC760000-0x00007FFBCC770000-memory.dmp

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 70a9f183327a03c5a46cdb653f1eda4a
SHA1 1a5b71381e19e50ce1217d22fe1c41210d09e10d
SHA256 929e7df02078606d45c4746e7333004c27dcce50a59f62765283789d6639b351
SHA512 6750f34f2206c4e23bdd9d679d7d737cbe6e76625953ee273ed6511b1c320b2ff2f15dae0b5b2bf521c37009361274bf2f573be97a287cdc286c3a1fd1c3368b

memory/2740-2828-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/2740-2829-0x00007FFC0EBB0000-0x00007FFC0EDA5000-memory.dmp

memory/3720-2830-0x000000007FDC0000-0x000000007FDC1000-memory.dmp