darkside | a2c5641802ebce37fe3b84d87c9a1b2acd3556054a0dc8ed72139728c148a64a

Analysis

max time kernel
229s
max time network
231s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
08/04/2025, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddn/BDDarkSideDecryptor.exe
Size

9.5MB
MD5

cb1b67988c63e6e951be00b3eda7f74f
SHA1

049fff52f877516a756c6333d12b3c1c1cfbe519
SHA256

1a72fe563f588580440da34a03b1af3ba072e66404608c521b4adbcb034a33f6
SHA512

ef1d74da565026fef631f83dee70fafb661bea74cad69b70035f10700b733f64ce34b3308c0fee59222d1eb0767b87672f1f824ea923008c70a3e8be229ff289
SSDEEP

196608:IdJEHHWtwPlARRmtejsum3/DBekLV58IzN6+ZR62Wi:IbEn9PlAGMivDdjxNF762W

Score

10^/10

darkside discovery ransomware

Malware Config

Extracted

Path

C:\b98faef33da7484fae2c\README.1e2d78e0.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have downloaded more then 500GB data from your network. Included: -Accounting data -Finance data -HR -Employees confidential data(photos, benefits, taxes, etc) -Marketing -Budgets -Taxes(sales tax compliance, property, income and franchise taxes, etc) -Payrolls -Banking data -Arbitration -Scans -Insurance -Reconciliations -Reports(monthly bank inventory, monthly financial, claims reports, etc) -Audits(DHG, insurance audits, etc) -B2B clients config data -Confidentiality 2020 -2020, 2021 Business plans -2019, 2020, 2021 years Closing (full dumps) -and a lot of other sensitive data Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM When you open our website, put the following data in the input form: Key: ug8lgpX3WrFzlEJ6HBWlwJnf7jemhfnlxBw9porj1uuYFTgKbxJQJLYiteQS7DwgZn7dH0fs7qPPWmZ6inPv5GTmSJZNAjGLVIjd4SoiyTdGyophf0zPBxx6uEAOJxM0Woo4ZGeKVoUDHtZsqZNnhMF7aPh54VnKpIJXiZDbZZw4P06xTuw1UMeiTE7wdg7HWZMepAVTzEI2W04RbkPFQHfUgEDcslDxbr83BvopYTYGKFRmtNUMH8OsOZQrOtv50xWDaOfbqxbzfHMJm30QGaGpgylJHQZsscz3XBnwIdvlwBJ9KN4DVgFgziRdvwJrfCP6YN1CYTOQgw1rzqmIU4G1xGYv7rE3jiBY1s4D3Y26SbppTceAVMu1mKx5CFIE3EbtcAsNtEqLHDbPnMCvU6Apwp17TXGob8xXJpEDBZhIzdTaCuybcprwcFNTOzccjbIH81W39MrcJi9mNO3kHRe5fxmIFKvc9v8aQDihGyC65DtdabyBjidXI1NyNONT4PTyrxYqgffPsNDFuzz2yMrXiTAwtAQPqny5BBJQsfVhpLXTtnLvWg1 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\BDRansomDecryptor\BitdefenderLog.txt

Ransom Note

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\BDRansomDecryptor\BitdefenderLog.txt

Ransom Note

Decryptor Started at Tue Apr 8 04:31:24 2025 This utility decrypts files encrypted by several versions of DarkSide ransomware. It can also decrypt files encrypted by the Linux version (with [.darkside] extension) This tool doesn't require internet access! Preparing decryption key ... Key ready! Sending init request. Done. Decrypt Files ... Sending finish request. Done. Total decrypted files: [0] Scan finished! Decryptor Started at Tue Apr 8 04:31:39 2025 This utility decrypts files encrypted by several versions of DarkSide ransomware. It can also decrypt files encrypted by the Linux version (with [.darkside] extension) This tool doesn't require internet access! Preparing decryption key ... Key ready! Sending init request.

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Darkside family
darkside
Renames multiple (139) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3712238951-2226310826-298817577-1000\desktop.ini	BDDarkSideDecryptor.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	acer.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\04C32BD09F7A236FA821973AB934189B	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\04C32BD09F7A236FA821973AB934189B	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	acer.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\1e2d78e0.BMP"	acer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Executes dropped EXE 2 IoCs

pid	Process
5004	RemovalToolGUI.exe
1040	RemovalToolGUI.exe

Loads dropped DLL 4 IoCs

pid	Process
5004	RemovalToolGUI.exe
5004	RemovalToolGUI.exe
1040	RemovalToolGUI.exe
1040	RemovalToolGUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDDarkSideDecryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDDarkSideDecryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acer.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 22cdd8285eb36adfeb8a0e710a4406ed4e77c82ac634acc2ea1b1518f3d060ed	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 45af640b25b3d5cfffa4fdae8b5be13de46833c8a9c0f9249eb8a89d5f3c4206	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = c76c9daf47c54cb96e470006d7aca61e2f45d986217f7dce91da56451f603af5	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = c2286e75f9b0523afeb8f59048dcb608c40758ab20b29d81d8d9e53d74704510	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = a060166689c1038c2fd7fb200fa90e3e4f8f50b5df9775226f7bdd57784f8c1b	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	acer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1e2d78e0.BMP"	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	acer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	acer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d002e0062006c00660000000000	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 25226cace670f5f9a064d5de04f6d29360a44f68b763934dcc265e44d33ffb09	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 881dee1b5d782f2273e993b4a5f367ad22db622e170873a8a6832458a140949c	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 2dba82a98193665a98b2b76b5112172d69da96ee64463267acd03f992c5b5936	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	acer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 60090000f6a915cc3ea8db01	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = d2c5b19955af94f5de975ac5cbf54c307f5e30f75840f26c4671ae4929e1d378	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3edfc2f6b92f5bba18011cca20c3daba28059d2eeb159b677c4914be329f3cb5	acer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	acer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1e2d78e0\ = "1e2d78e0"	acer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1e2d78e0\DefaultIcon	acer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\1e2d78e0	acer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\1e2d78e0\DefaultIcon\ = "C:\\ProgramData\\1e2d78e0.ico"	acer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1e2d78e0	acer.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
5132	acer.exe
5132	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe
2400	acer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3204	vssvc.exe
Token: SeRestorePrivilege	3204	vssvc.exe
Token: SeAuditPrivilege	3204	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1040	RemovalToolGUI.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1040	RemovalToolGUI.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5012	BDDarkSideDecryptor.exe
1040	RemovalToolGUI.exe
1040	RemovalToolGUI.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 5004	1548	BDDarkSideDecryptor.exe	82
PID 1548 wrote to memory of 5004	1548	BDDarkSideDecryptor.exe	82
PID 5440 wrote to memory of 5132	5440	acer.exe	94
PID 5440 wrote to memory of 5132	5440	acer.exe	94
PID 5440 wrote to memory of 5132	5440	acer.exe	94
PID 5440 wrote to memory of 5132	5440	acer.exe	94
PID 5132 wrote to memory of 2400	5132	acer.exe	98
PID 5132 wrote to memory of 2400	5132	acer.exe	98
PID 5132 wrote to memory of 2400	5132	acer.exe	98
PID 5132 wrote to memory of 1948	5132	acer.exe	100
PID 5132 wrote to memory of 1948	5132	acer.exe	100
PID 5132 wrote to memory of 1948	5132	acer.exe	100
PID 5012 wrote to memory of 1040	5012	BDDarkSideDecryptor.exe	104
PID 5012 wrote to memory of 1040	5012	BDDarkSideDecryptor.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ddn\BDDarkSideDecryptor.exe
"C:\Users\Admin\AppData\Local\Temp\ddn\BDDarkSideDecryptor.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\RemovalToolGUI.exe
  C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\RemovalToolGUI.exe "
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\LockConvertFrom.vbs"
1⤵
PID:5108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:324

C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5440
- C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe"
  2⤵
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe
    C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe -work worker0 job0-5132
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2400
- - C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe
    C:\Users\Admin\AppData\Local\Temp\Temp1_0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.zip\acer.exe -work worker1 job1-5132
    3⤵
    - Enumerates connected drives
    PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Users\Admin\AppData\Local\Temp\ddn\BDDarkSideDecryptor.exe
"C:\Users\Admin\AppData\Local\Temp\ddn\BDDarkSideDecryptor.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\RemovalToolGUI.exe
  C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\RemovalToolGUI.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4224

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1400

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5712

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-4-8.430.5712.1.odl

Filesize
706B

MD5
4a4901ed76705540be7472b98619945e

SHA1
b8fb5edb60d35f4d02ffc3abf27796b510681a6e

SHA256
1bce66122999bcb2fbeafab4af51a7ad4c3a90723c9ecb6ad4b86b1c794e81f2

SHA512
fab803701187e19644ce06afeacb278ba859a6ce3bcd5f027ac72f674577b7b71ae8a4210c3fa43918aa889fd1ae39ccfb86264fd25d94e047f12eae13883952

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\BDRansomDecryptor\BitdefenderLog.txt

Filesize
666B

MD5
0ab94f4c59428d6706355339168b305b

SHA1
d6444fb27bb04c14052c74effd9ed9b5e621ea94

SHA256
9e9b9317f88a6687fc130b64190656bcf9d762b05d2be3e7c1d98d57f22dace6

SHA512
ac0f81edd9ba561065666d8cd77d1443f094a2c396e6c1163cc464b806a8af4a6e1dce8455d62a5565ff93a5b61fdb3a52714eb0ee4e0a8051da4b1a76ac7e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\BDRansomDecryptor\BitdefenderLog.txt

Filesize
1KB

MD5
92027c312a6139e77435842ed934e890

SHA1
73dbb68c6ef873223bd9df8132923f8a87afc716

SHA256
c79c4cbc75f17175356f19033e6b6fdc78af00f03fca8fdd67cd6b9541a66147

SHA512
516a5428988365dcf5ba6d272e96cfac3ee03acc1d5adbce07f0baf6ec7846055656e356fb74000db2173b8ec47a39f4ec21cb338389504719a4ec8039db813a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\DarkSideDecryptLib.dll

Filesize
2.0MB

MD5
601e4a912e9ba1e981948c031740e97e

SHA1
2953868dafb5a02f9908c94227867fde307f18ef

SHA256
9af591339601d1805e3f527a3840950b9d3653f4d651e99d08f7a61dbb5da78d

SHA512
f7aebcdcf3a69dcbda5daea54b80a649261b3a18d5c65932f8bd241d3ca31c33858895aa8f675e08e25c02f8ae9bddd79dd442c35655d9a6f500006f8a5046f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\RemovalToolGUI.exe

Filesize
1.2MB

MD5
70375699fe4024ffe8413eefa6f3144b

SHA1
a8d51adf1e62d0465df307d064ecb26acc67258f

SHA256
6eb8a7b89716a71975ac07becd7785108b3f2e8ba37a9bc28859c2835bddd0df

SHA512
8f3074ba1a1aba0754ef9fd05ef432bd5255e39db508ca2dade9a932751c4e11fd87b82e8953fd7d6f279656a0cb30046ba93e8a35057114b9c031f272e5b75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDRansomDecryptor\sciter.dll

Filesize
7.8MB

MD5
ea713bc436d655ac7afdb0b0b763999f

SHA1
a4d63919437372650c0f355ba42304db07a6bca1

SHA256
a18e82f09c16fad1c17a03a53d21d5b5857c29e99f0dfc6f9060499377b7c25a

SHA512
35da588b84ea6e1d912d68e0c9e378b13786dd2b52bc47f7e3d826f8899da2e4479997a582f4e0fbdfe72823d862b922345d8427979778a24616c9472fb4d7b3

Download Submit
C:\b98faef33da7484fae2c\README.1e2d78e0.TXT

Filesize
3KB

MD5
164aa420be8e0c2bcdef574355edaa32

SHA1
4336eaafedfc18a27cdf42bffad63b5a54ea8231

SHA256
b326d11dd90c2e4efb0a384981f71c2bd1a6faa0553d6389acb08945b699f73d

SHA512
fd1437bc4f45e3f4b5c3d0e7fca9383f45edceb5c8cb603d0b8ee98350a5f2468c2aabdb66f16bdee0bac49afefa4300a093a54ee43b1ff28a541ae612e34d9d

Download Submit
memory/1040-252-0x00007FFCE5820000-0x00007FFCE5A2E000-memory.dmp

Filesize
2.1MB

Download
memory/5004-9-0x00007FFCE6610000-0x00007FFCE681E000-memory.dmp

Filesize
2.1MB

Download