Malware Analysis Report

2024-11-30 11:30

Sample ID 240228-1fnyqsee54
Target 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside
SHA256 2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299
Tags ransomware spyware stealer lockbit
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299

Threat Level: Known bad

The file 2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside was found to be: Known bad.

Malicious Activity Summary

ransomware spyware stealer lockbit

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (315) files with added filename extension

Renames multiple (602) files with added filename extension

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-28 21:35

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-28 21:35
Reported 2024-02-28 21:38
Platform win7-20240221-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe"

Signatures

Renames multiple (315) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\F8B.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\F8B.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\mstH2C7Dr.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\mstH2C7Dr.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon\ = "C:\\ProgramData\\mstH2C7Dr.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr\ = "mstH2C7Dr" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe"

C:\ProgramData\F8B.tmp

"C:\ProgramData\F8B.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F8B.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | test.white-datasheet.com | udp

Files

memory/2856-0-0x00000000002B0000-0x00000000002F0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini

MD5 426b2519ac1b22e81791909ed84eb632
SHA1 23ad5b742b9dd3f95b6943ffef7c30cecb0c6428
SHA256 a1c8fe4f3167748b96997788927aa954513d4f74468575fef354f6a6bd6229d5
SHA512 7ec51ea80436e413da1e3f5dbc43aaeecdcb0ffa778a17599e4b4d8116fb862bf14c8a2abca8e480155d2f6cf7a8a76c85aecd06babec04991ba0d0c9cdbd247

C:\mstH2C7Dr.README.txt

MD5 8c18a803789289f6d0638e893e2803d8
SHA1 8b40d4e8bda8c99612bd6f91fd901d3547440169
SHA256 c179a92fd5952fe4216c4508134702353fb6b5838a96bd794cc8b164d94328c2
SHA512 0e0c90679eabd07774e9a7a103284de28406afcdc71e71e4630b757c5c59ac62d2a8284cfceac1c6916ac7956fcd6df6fc1adb2238aa5e023bcef280ff34e68b

F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\DDDDDDDDDDD

MD5 904eb685c0445850071e3d010b410197
SHA1 aeba1473b534af10b2dac9f0574ab36f513739c4
SHA256 9506e02b2e52ec232994b8c875b0b7c31048f3de42396ef1f582d1b823b59cd3
SHA512 10a23917846b876e1fb42b0f73313e5cac5487e8384c699d2292b831f514dc39208c35959c5cc87e4c7a2d683b381aa2ce4258584355e7eb26eb213159adfa77

\ProgramData\F8B.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1392-834-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/1392-833-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1392-836-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1392-838-0x000000007EF20000-0x000000007EF21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 532ede80a0f734352ae0981d516d6f38
SHA1 c190b21153b3253a82a8e1d23443c0521f556c28
SHA256 e547608868f67ff69c5c9267461260436dc3026da1b20fa173bfb889120de8e3
SHA512 e4a682347ff702cd365de58c3d0486bc0c15920a49a3b7f92984ed9693e587657580dff3406045fb3556604f7ead85a43576c02cb94ac15783de5047b3d6a2f3

memory/1392-866-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/1392-865-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-28 21:35
Reported 2024-02-28 21:38
Platform win10v2004-20240226-en
Max time kernel 170s
Max time network 180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe"

Signatures

Renames multiple (602) files with added filename extension

ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\ProgramData\FCA6.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\FCA6.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\FCA6.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\mstH2C7Dr.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\mstH2C7Dr.bmp" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr\ = "mstH2C7Dr" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon\ = "C:\\ProgramData\\mstH2C7Dr.ico" | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe | N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe"

C:\ProgramData\FCA6.tmp

"C:\ProgramData\FCA6.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FCA6.tmp >> NUL
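
The three command lines above form a drop, execute, self-delete chain: the sample writes C:\ProgramData\FCA6.tmp, runs it, and then has cmd.exe remove it with output discarded to NUL, spelling the target with the 8.3 short name C:\PROGRA~3 so a naive string match against the dropped path misses it. The script below is an added example, not part of the sandbox report or its tooling; it correlates the two spellings across the process list. The 8.3 alias table is an assumption (PROGRA~3 is commonly C:\ProgramData on a Windows 7 image, but short names depend on directory creation order and should be confirmed with `dir /x` on the analysis VM).

```python
"""Correlate drop -> execute -> self-delete across sandbox process command lines.

Added example; not part of the sandbox report or the Triage tooling. The three
command lines are copied from the Processes section of the report. The 8.3
short-name table is an assumption: PROGRA~3 is commonly C:\\ProgramData on a
Windows 7 image, but short names depend on directory creation order on the host.
"""
import re
from pathlib import PureWindowsPath

# Copied from the report's Processes section, in parent -> child order.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe"',
    r'"C:\ProgramData\FCA6.tmp"',
    r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\FCA6.tmp >> NUL',
]

# Assumed 8.3 aliases; confirm on the analysis VM with `dir /x C:\`.
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".dll"}

# `DEL [/F /Q /A /S ...] <drive-letter path>`; the path stops at whitespace or a redirect.
DEL_RE = re.compile(
    r"\bDEL\b\s+(?:/[A-Z]\S*\s+)*(?P<path>[A-Za-z]:\\[^\s>]+)", re.IGNORECASE
)


def image_of(cmdline):
    """Executable path of a command line: the quoted first token, or the bare one."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def normalize_path(path):
    """Expand assumed 8.3 components and lower-case, so PROGRA~3 and ProgramData compare equal."""
    parts = [SHORT_NAMES.get(p.upper(), p) for p in PureWindowsPath(path).parts]
    return str(PureWindowsPath(*parts)).lower()


def odd_image_extension(cmdline):
    """True when the executed image lacks a normal executable extension (here: a .tmp that runs)."""
    return PureWindowsPath(image_of(cmdline)).suffix.lower() not in EXECUTABLE_EXTS


def find_self_delete_chain(cmdlines):
    """Return one record per cmd.exe DEL whose target was executed earlier in the list."""
    executed = {normalize_path(image_of(c)): image_of(c) for c in cmdlines}
    hits = []
    for c in cmdlines:
        if PureWindowsPath(image_of(c)).name.lower() != "cmd.exe":
            continue
        m = DEL_RE.search(c)
        if not m:
            continue
        target = normalize_path(m.group("path"))
        if target in executed:
            hits.append({
                "executed": executed[target],        # path as it was executed
                "deleted_as": m.group("path"),       # path as cmd.exe was told to delete it
                # Output redirected to NUL: the deletion was meant to leave no console trace.
                "silenced": re.search(r">>?\s*NUL\b", c, re.IGNORECASE) is not None,
                "odd_extension": PureWindowsPath(executed[target]).suffix.lower() not in EXECUTABLE_EXTS,
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chain(PROCESS_CMDLINES):
        print(hit)
```

Run against the report's three command lines it returns a single record: the executed C:\ProgramData\FCA6.tmp was deleted as C:\PROGRA~3\FCA6.tmp with output silenced, and the image carried a non-executable .tmp extension. In a real pipeline the same normalization should be applied to file-create events as well, so the drop of FCA6.tmp by the parent can be joined to its execution and deletion.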

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 test.white-datasheet.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 191.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 test.white-datasheet.com udp

Files

memory/2788-0-0x0000000000610000-0x0000000000620000-memory.dmp

memory/2788-1-0x0000000000610000-0x0000000000620000-memory.dmp

memory/2788-2-0x0000000000610000-0x0000000000620000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\OOOOOOOOOOO

MD5 423848a59ff75d9f7a11d1eff0e0742e
SHA1 b3dff1c2083049c97ecd659fd3c069477d84a06e
SHA256 9a667ae938a796c4183489575692ccfc0f1cae6590f6a93d830c2c82d8dcf381
SHA512 38d890a3cca62381c890088f6064f644fa16db52e3efa7e24954c88c596f8e35a7309bceceaed9c7ae8aedde7fbd831df81f98278893baa632d834637435b270

C:\mstH2C7Dr.README.txt

MD5 bda0fcec4c45719ebfbbe6f5f6f8d037
SHA1 419725df268a8b1106c39d52d5ac99e1e7a3a14e
SHA256 e12452787866b6d4f85aa45a2341aa562aea832d05fa9dc4e6b524ccc8ec1251
SHA512 6ae3f2278052f9e376322112d8c1ebf8b458e95ff841a38c5a5c880aba41fc14b149ca9ab5ba71d60263504996dd414dd724046cca1bed29f0cf4db904223c08

F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\DDDDDDDDDDD

MD5 da62149dbd06a41dcd042480bbbf753e
SHA1 96ce6c0d762e42d4301a74114062052c4718e074
SHA256 7a3e08216fd5e9ffdb93a2977d4d0939c6e9fb7fdc330148cc97ae4c347c4434
SHA512 95449e928607fc5db983f0b1a228ff6f31b2de9687755a24b9808052a099cbeaa77e045529ff97c7fd1c7e416518e01d9d86c0833ea41ca1804003cdc679e618

memory/2788-2162-0x0000000000610000-0x0000000000620000-memory.dmp

memory/2788-2163-0x0000000000610000-0x0000000000620000-memory.dmp

memory/2788-2164-0x0000000000610000-0x0000000000620000-memory.dmp

C:\ProgramData\FCA6.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2136-2763-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/2136-2764-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/2136-2765-0x00000000026A0000-0x00000000026B0000-memory.dmp

memory/2136-2766-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/2136-2771-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 53b44ac7e6958c91f433001680ee3b8f
SHA1 8ad86a429f14d7f004785fed090e82714c7d6501
SHA256 c8803bf90bc92e64382ac9563a48501654622da5a8ef1a166df364fdea3d49ad
SHA512 9a42c1d4d8c10a747341650a1247efee2f7ab1b173c2950b482f2f576c6514f2a40f40932230139c31f7a8830c25d02a9e86faac9f4e6e05b373867e6c55af1f

memory/2136-2796-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/2136-2797-0x000000007FE00000-0x000000007FE01000-memory.dmp