Malware Analysis Report

2025-05-05 20:48

Sample ID 250420-sf97zaywbv
Target 2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit
SHA256 f4b0e3079b13b0c117d358461348e4b15986b4b9173504605bc3035c53527df1
Tags
lockbit defense_evasion discovery ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V16
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

f4b0e3079b13b0c117d358461348e4b15986b4b9173504605bc3035c53527df1

Threat Level: Known bad

The file 2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit was found to be: Known bad.

Malicious Activity Summary

lockbit defense_evasion discovery ransomware spyware stealer

Lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (572) files with added filename extension

Renames multiple (680) files with added filename extension

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Checks computer location settings

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Enumerates system info in registry

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-20 15:05

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-20 15:05

Reported

2025-04-20 15:07

Platform

win10v2004-20250410-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe"

Signatures

Lockbit

ransomware lockbit

Lockbit family

lockbit

Renames multiple (680) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\ProgramData\A912.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\A912.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\A912.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2645532622-3298555945-705856666-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2645532622-3298555945-705856666-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PP09e_d56v19i_aktc9v412vuu.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPnknmyryghv5b0k97dyvjtwvvc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPcq3vnqw00iry1k3krk9th31jc.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\V86sTiCVN.bmp" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\V86sTiCVN.bmp" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\A912.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.V86sTiCVN\ = "V86sTiCVN" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\V86sTiCVN\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\V86sTiCVN C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\V86sTiCVN\DefaultIcon\ = "C:\\ProgramData\\V86sTiCVN.ico" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.V86sTiCVN C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5164 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe C:\Windows\splwow64.exe
PID 4716 wrote to memory of 4400 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 5164 wrote to memory of 5820 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe C:\ProgramData\A912.tmp
PID 5820 wrote to memory of 4492 N/A C:\ProgramData\A912.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe

"C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{E8D0F6AF-BFBA-4BD5-A07C-C60D07AA459D}.xps" 133896351281140000

C:\ProgramData\A912.tmp

"C:\ProgramData\A912.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A912.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp

Files

memory/5164-0-0x0000000000980000-0x0000000000990000-memory.dmp

memory/5164-1-0x0000000000980000-0x0000000000990000-memory.dmp

memory/5164-2-0x0000000000980000-0x0000000000990000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2645532622-3298555945-705856666-1000\desktop.ini

MD5 0f25ac77700bf2379d14b80a2417c8c5
SHA1 a6f41ee131cb0183875d54a4851607be663f20a0
SHA256 9ab3ff3e106734a95c4d6fb9ec3266ec56359b0dc565f769302bcebe421e5c24
SHA512 cb68c4da0d826d18d3349378bd6ead6697e3ff154495b57444ebe79f162fc27e0ae5e11c90e84544ccd5bd9a9316201116afafd3f2024129dcce10a2f827ed73

C:\V86sTiCVN.README.txt

MD5 c5703cbd0f4f4a22e8c77d851b7f24c2
SHA1 9080cf1ce21662518b7c1ca253f4943007fa9160
SHA256 bf5943ad476bb6d89a02baec9a8727e96a1ba3c5677f9234c9e2f735f0c1dede
SHA512 782a9c49c2beffdc64e03eedb12c140bcf263cc0d3631049d1af3f940e9ceea414abc0c21a7da1d026602cc9901f717f1a98953a957b51e47b470fa7ee44249e

F:\$RECYCLE.BIN\S-1-5-21-2645532622-3298555945-705856666-1000\DDDDDDDDDDD

MD5 d96ecf8ad855bfecb990c517338f9204
SHA1 dde80ec8c715789d7d0c51f58e89bbefe9d82975
SHA256 fbaf164a74120c28d5127ec2f17e8b20594fe6eaa4091869d1a2c84263ceb1d4
SHA512 57843279676062d5a01d2c183db3be6ae1503ab727ab2ae36054883239dd0d9a28e3cb622239d0d14052f3ce5757dc860576ada32022b069d3a24a5cd6bf8dfe

memory/5164-3491-0x0000000000980000-0x0000000000990000-memory.dmp

memory/5164-3490-0x0000000000980000-0x0000000000990000-memory.dmp

memory/5164-3489-0x0000000000980000-0x0000000000990000-memory.dmp

memory/4400-3506-0x00007FFF1E4F0000-0x00007FFF1E500000-memory.dmp

C:\ProgramData\A912.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4400-3511-0x00007FFF1E4F0000-0x00007FFF1E500000-memory.dmp

memory/4400-3510-0x00007FFF1E4F0000-0x00007FFF1E500000-memory.dmp

memory/4400-3508-0x00007FFF1E4F0000-0x00007FFF1E500000-memory.dmp

memory/4400-3507-0x00007FFF1E4F0000-0x00007FFF1E500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

MD5 48e3645aac584d0a62dc2a968a34a287
SHA1 0be514a1c48c9a57acb231a60ea9f170f11d4032
SHA256 b1f734c7965509d356116331bc73d21f34fcdf47bdcd9bcb0d396ccd2338ae04
SHA512 9ce1e57bb8ecb381329081d1bfea0dd807cf474ef7a609cf589a7868e750a3c684662bcb605b1abff26aebff3700283a5c36973e7920e6ea5e5c5c313f41302d

memory/4400-3540-0x00007FFF1BC30000-0x00007FFF1BC40000-memory.dmp

memory/4400-3541-0x00007FFF1BC30000-0x00007FFF1BC40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-20 15:05

Reported

2025-04-20 15:07

Platform

win11-20250410-en

Max time kernel

147s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe"

Signatures

Lockbit

ransomware lockbit

Lockbit family

lockbit

Renames multiple (572) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\85CB.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\85CB.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-599783296-1627459723-2423478968-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-599783296-1627459723-2423478968-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPdabsfas8q7mig03wshlk811y.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPinou02_muivi6x40nwtpb9a9.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPk2qe99mbj6fe9ts34d8zflqpd.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\V86sTiCVN.bmp" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\V86sTiCVN.bmp" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\85CB.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Modifies Control Panel

defense_evasion

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\V86sTiCVN\DefaultIcon\ = "C:\\ProgramData\\V86sTiCVN.ico" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.V86sTiCVN C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.V86sTiCVN\ = "V86sTiCVN" C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\V86sTiCVN\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\V86sTiCVN C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe C:\Windows\splwow64.exe
PID 4480 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe C:\Windows\splwow64.exe
PID 5348 wrote to memory of 2796 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 5348 wrote to memory of 2796 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4480 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe C:\ProgramData\85CB.tmp
PID 4480 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe C:\ProgramData\85CB.tmp
PID 4480 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe C:\ProgramData\85CB.tmp
PID 4480 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe C:\ProgramData\85CB.tmp
PID 3704 wrote to memory of 2388 N/A C:\ProgramData\85CB.tmp C:\Windows\SysWOW64\cmd.exe
PID 3704 wrote to memory of 2388 N/A C:\ProgramData\85CB.tmp C:\Windows\SysWOW64\cmd.exe
PID 3704 wrote to memory of 2388 N/A C:\ProgramData\85CB.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe

"C:\Users\Admin\AppData\Local\Temp\2025-04-20_971b1c13e0efcb5b4ff57b5c67dff89f_darkside_elex_lockbit.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{629350B6-8273-4BF8-A1CE-EB933E5E565B}.xps" 133896351280740000

C:\ProgramData\85CB.tmp

"C:\ProgramData\85CB.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\85CB.tmp >> NUL

Network

Country Destination Domain Proto
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
NL 173.194.69.94:80 c.pki.goog tcp

Files

memory/4480-2-0x0000000002F40000-0x0000000002F50000-memory.dmp

memory/4480-1-0x0000000002F40000-0x0000000002F50000-memory.dmp

memory/4480-0-0x0000000002F40000-0x0000000002F50000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-599783296-1627459723-2423478968-1000\UUUUUUUUUUU

MD5 69d87b919b9fe7fd3b62e5306e5a55c3
SHA1 d5653c793996812456084a5997d0083cbbe5548a
SHA256 93139eab1d889a98f3c6ccd6c3a10a405daea804b14a91c5ac2aef18e2b44c02
SHA512 dbf3e1dd9fe66cf8a46da447fa4b0a98cfaf11b82b22f163900012f3e1a279072b765b72eaac73b0fe5d11428a5f328801ec482737a11e5c7a45c30413c3f70d

F:\$RECYCLE.BIN\S-1-5-21-599783296-1627459723-2423478968-1000\DDDDDDDDDDD

MD5 5e7f1aeecdbe0834554de5f2ee71452f
SHA1 dd1d96542cfe50981fbd97bcbec65f94148e756a
SHA256 ad5170ce6813806e1b6068e06a8881da34ee85033b16c0fee4bed9c9a579ec6f
SHA512 3a8034bf3ec9b36180d0d0dfdff01c680f7bce66e26e4935319094682016b0c38c0725cd370e22843c9ec2d5e5a312414db40945553efe153e6d26607e1485ee

C:\V86sTiCVN.README.txt

MD5 dab6b5b789e70f8b4d5ddc174c805ef6
SHA1 9bd3a2df3473c805a98a9bf68da1722191f7ea77
SHA256 05ccec2895595faa16ab34ddc191704ae37a7614a2b1c5ff442e3c3b20aa7bf8
SHA512 bb0d485cc7767b49f3957d0bfdee3ce778c59db3be19d5e47b7dc7d2a64ed3acb98a839a85dbda9f55773f874a11404218da032ddcd676cebbd195b336152993

memory/4480-3543-0x0000000002F40000-0x0000000002F50000-memory.dmp

memory/4480-3544-0x0000000002F40000-0x0000000002F50000-memory.dmp

memory/4480-3545-0x0000000002F40000-0x0000000002F50000-memory.dmp

C:\ProgramData\85CB.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2796-3561-0x00007FF875590000-0x00007FF8755A0000-memory.dmp

memory/2796-3563-0x00007FF875590000-0x00007FF8755A0000-memory.dmp

memory/2796-3564-0x00007FF875590000-0x00007FF8755A0000-memory.dmp

memory/2796-3565-0x00007FF875590000-0x00007FF8755A0000-memory.dmp

memory/2796-3562-0x00007FF875590000-0x00007FF8755A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

MD5 fb0bed89c661b7f2b087edef676b1d2a
SHA1 014a6e8ac12a39e3041c2babe227f3b8b75e92fa
SHA256 a59ed90b3a6c175d19a41ff85fe86b02b2d052be27714ef6c5d39b32ced0d2a4
SHA512 c1124a7ee3bf9bdb0354bffc88afcb1e6e545d16b81532aaa16f92c4f76d712abf5887cf177a918927e3c88a0477e6a1cc6d678ae2935e426643477d9eb9959e

memory/2796-3594-0x00007FF872F10000-0x00007FF872F20000-memory.dmp

memory/2796-3595-0x00007FF872F10000-0x00007FF872F20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{DE0E5E34-2E52-48A0-8ECA-26166FD420BB}

MD5 84da384d4283a3b7180c3159ce80a318
SHA1 f6e71e413ec11117c7458b1f83d422f4157fab82
SHA256 32a58d89b00f8a59da69e17fedd290c15f1b393c2053c101809b180baa84401d
SHA512 ffcc95c64149d8cb7477208e70b5a0ce31e53a6c9e7af4d2678bf296a6bdf67a6b56e4c5494ee81f42118b34dced8cc292f7f975c9df6a1ba7ba0bbe231c9347

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

MD5 4724194142c03315b9a15fb1e223cfb6
SHA1 e2fa59c6988a75b6092c79ae77c5b18fe377a39c
SHA256 11dda159db859d7f687b554db53e9c33fe9873c8071c603e54b723e65cda63ce
SHA512 d19173119d0f26f8c7e1a64fe067158353d76624150e163ca8fe1404697ac59c3de722bdf6c5cd3d14eab7e8422cec05535d56f80b2a2a414d486b670e3c85d2