Malware Analysis Report

2024-11-15 07:21

Sample ID 240311-y8sraadd8z
Target 2024-03-11_52d4594deedeb91119fe521913a00d63_darkside
SHA256 74090a22f4713933e21739eb08a99705407554ff204201829894ab38405644f6
Tags: lockbit ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 74090a22f4713933e21739eb08a99705407554ff204201829894ab38405644f6

Threat Level: Known bad

The file 2024-03-11_52d4594deedeb91119fe521913a00d63_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (577) files with added filename extension

Renames multiple (309) files with added filename extension

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 20:27

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 20:27

Reported

2024-03-11 20:30

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe"

Signatures

Renames multiple (309) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\ADBD.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\ADBD.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\QO5k5RIUs.bmp" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\QO5k5RIUs.bmp" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\ADBD.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.QO5k5RIUs C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.QO5k5RIUs\ = "QO5k5RIUs" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QO5k5RIUs\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QO5k5RIUs C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QO5k5RIUs\DefaultIcon\ = "C:\\ProgramData\\QO5k5RIUs.ico" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe"

C:\ProgramData\ADBD.tmp

"C:\ProgramData\ADBD.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\ADBD.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/1280-0-0x0000000002570000-0x00000000025B0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\AAAAAAAAAAA

MD5 25a5336cc15fb97f653b21b3c06f9aee
SHA1 1183160f8ebb78a3ea8ece37613918eaf9eadc41
SHA256 a7312a3547ec6597d45b778b6b28395d65df20b203d4330aad77bc82eb65d0d8
SHA512 ddb7e18ec49ebaf30aea5f434018975826b6d9b857f14d97c49bbcb52228f684a550f007c71c79786414941f8038915e161bcdee1da61e4a3e7f4ac063d667ec

C:\QO5k5RIUs.README.txt

MD5 d88d24ad3ac8d220a30a8b462a7622c0
SHA1 5729a91443332a63606ab87fc02f3768da0a7cd9
SHA256 572c02968998b39d6d3be98b7f3d27aae304173e9dea67748b2ae105147411e9
SHA512 913fa11d10c3bebc8989907415a5fd151574e44a7ca7cef610f1a6b60eab4206724cd528fb40f8d708b62c6edf16cc000fd7cb7259ffe66bd2151765d493e218

F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD

MD5 2e281498c382d65364715144241c9e71
SHA1 a97b9690786ba65f3dc527f6b6d73cf2cf444a3c
SHA256 b271bed9e5c6694150b88720afa85f401932249dbd17e6aebfd7a285960bba03
SHA512 1250dc3a6d82cf869127119574eaf96fe870c85d352ab2a95a167dd9872adced721a96270df2fc1e5e957e7e0a7944eef858d4f4b150e90ebc98b3fc9f21ca99

\ProgramData\ADBD.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1948-827-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 e472d5865affc408e408cc601d137e4f
SHA1 870ed83820852edde375e97beb0873da32b4faae
SHA256 f1fe56b9867f25f21aa5f126ad8cd4c130b567c2bb89bb969683124eb11cde16
SHA512 96ef45c708567f1f23ed95f22c5ba436cae7a932f539e30135e54d00562fa55bf3d08050eaf1f21e4876e6bfde64cea530f5a1601d71d6a26145df1add1e51a2

memory/1948-835-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1948-834-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/1948-833-0x0000000001FE0000-0x0000000002020000-memory.dmp

memory/1948-828-0x0000000001FE0000-0x0000000002020000-memory.dmp

memory/1948-860-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1948-861-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 20:27

Reported

2024-03-11 20:30

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe"

Signatures

Renames multiple (577) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\ProgramData\5488.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\5488.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\5488.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\QO5k5RIUs.bmp" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\QO5k5RIUs.bmp" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\5488.tmp N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.QO5k5RIUs C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.QO5k5RIUs\ = "QO5k5RIUs" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QO5k5RIUs\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QO5k5RIUs C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QO5k5RIUs\DefaultIcon\ = "C:\\ProgramData\\QO5k5RIUs.ico" C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-11_52d4594deedeb91119fe521913a00d63_darkside.exe"

C:\ProgramData\5488.tmp

"C:\ProgramData\5488.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5488.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 37.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 159.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 32.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2112-0-0x0000000001190000-0x00000000011A0000-memory.dmp

memory/2112-2-0x0000000001190000-0x00000000011A0000-memory.dmp

memory/2112-1-0x0000000001190000-0x00000000011A0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\VVVVVVVVVVV

MD5 b0ba0c215c2801a48a5fe72f03f522df
SHA1 740ae90be98edcb6678a282f364d183577f49a4e
SHA256 722659c5cd315a48d64f326d427515b285ff480e5400dcbb5a9c45c9907a6cee
SHA512 0d47b6cb66ccc0b6b514dda66abd92d2f5bb0d2f43e5547b4071dfaaedde269f77800b5044b18fd37fa1957c840c1d6903c5368ef759ad47a3f06b48e3f0087a

C:\QO5k5RIUs.README.txt

MD5 969eefd53ce46f724b4c45f426b28f70
SHA1 cc626fa772b4b79af2cebe56cfb4cbef63d31544
SHA256 c2431ae1310671c5c7e13d005e0b9c53f17bafa31fe2d75f6bd645f7deeb01b1
SHA512 85f745c97e569e3b8afcb2547bb6b47b05345bb2d2bf8874c67e873f412a1be95ab46264db030856b959309efb9cc31dbca227eaa80cfa68d8e7a0d74aff72b8

F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\DDDDDDDDDDD

MD5 ef8198f13e7836e22c2a394984d95d8b
SHA1 2abf24245c0a3fbffff1aece224c3e701f6b7907
SHA256 2a366cad9969f32877230598cf5d4a865722fca161cd6d540fed5a4d7fbd003f
SHA512 1514f23728436c8fcaea875cdd667b9b88537a8e73308be0100a8b51e3dcdd92f5ac3beedea9ebf2de9a9989f7480e062cb0866f2cfe3f470ecec46e0dc6d786

C:\ProgramData\5488.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1320-2731-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/1320-2732-0x0000000002470000-0x0000000002480000-memory.dmp

memory/1320-2733-0x0000000002470000-0x0000000002480000-memory.dmp

memory/1320-2734-0x000000007FE20000-0x000000007FE21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 d31ed902e8f83cb80f4f63b21767680f
SHA1 70c3e53964f179247e12564b1025b9d6f07f517b
SHA256 713135b6817cb131443f0acd6fc961aad7345b53b8a28f4f0024f4b792151b57
SHA512 f4acceadc692b959a4ead197b14bd72e5bae7afc663d48d07e7c9a47b4894cc1fd5c5c0de7f742cbdf3167c82b737f8dbb61fa2885bf08356df1e74e507ae448

memory/1320-2735-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/1320-2764-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/1320-2765-0x000000007FE00000-0x000000007FE01000-memory.dmp