Resubmissions
Submitted | Task ID | Score
06/06/2025, 14:39 | 250606-r1hssabj4x | 10
06/06/2025, 05:05 | 250606-fqv5kswxaw | 10
06/06/2025, 04:54 | 250606-fjmvmawwe1 | 10
05/06/2025, 17:23 | 250605-vyd9csfj4z | 10
05/06/2025, 15:18 | 250605-spt74sen5t | 10
05/06/2025, 15:06 | 250605-sg43cazmv9 | 10
05/06/2025, 15:02 | 250605-seepnsyyet | 10
02/06/2025, 10:32 | 250602-mkxjsayzbv | 10
Analysis
max time kernel: 124s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2025, 17:23
Behavioral task: behavioral1
Sample: 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Resource: win10v2004-20250502-en
General
Target: 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Size: 148KB
MD5: cb6845218d57d663976bf1fa2a4d6ddb
SHA1: 0635c1f6cece23efe1df63de9cb72715c123cbaa
SHA256: 7855bee142c5abc5a3aa7f58a6a43cfb85df05d94fbb3a07bfe83cb73cf81281
SHA512: f0eff1a4c9a338ef2dece334d19fc9ef6ab421722e901ff0200de74e6df55594bca3abc43cebd0753fee47f71143e45097e74472b6e2b8b17e2bb28525ff5ea0
SSDEEP: 3072:46glyuxE4GsUPnliByocWepVfB4vN2H7/yXHKR9W4cn:46gDBGpvEByocWe3fB2NO7gP4
Malware Config
Extracted
C:\g0Bwcr1Ri.README.txt
https://qtox.github.io/
Signatures
Renames multiple (738) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\International\Geo\Nation | ACFA.tmp
Deletes itself 1 IoCs
pid | Process
4672 | ACFA.tmp
Executes dropped EXE 1 IoCs
pid | Process
4672 | ACFA.tmp
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3690492401-2005096563-3427069815-1000\desktop.ini | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3690492401-2005096563-3427069815-1000\desktop.ini | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PPozdkz69isx821_38k_08skalc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPprj4qt5agjm0wactxb1kwy9xb.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP954c5odc0o_v65q6ktgmi_b5c.TMP | printfilterpipelinesvc.exe
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\g0Bwcr1Ri.bmp" | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\g0Bwcr1Ri.bmp" | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid | Process
4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
4672 | ACFA.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ACFA.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies Control Panel 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 3c8772a7a7bbdb01 | iexplore.exe
Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DB140ABE-4231-11F0-A6D2-DE09157AC6BA} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{E156655F-32C8-46A2-97A6-720AC4778470}" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\RepId | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Modifies registry class 7 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\g0Bwcr1Ri\DefaultIcon | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\g0Bwcr1Ri | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\g0Bwcr1Ri\DefaultIcon\ = "C:\\ProgramData\\g0Bwcr1Ri.ico" | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000_Classes\Local Settings | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.g0Bwcr1Ri | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.g0Bwcr1Ri\ = "g0Bwcr1Ri" | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
6136 | NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4560 | ONENOTE.EXE
4560 | ONENOTE.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
6772 | OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
pid | Process
4276 | msedge.exe
Suspicious behavior: RenamesItself 26 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeDebugPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: 36 | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeImpersonatePrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeIncBasePriorityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeIncreaseQuotaPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: 33 | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeManageVolumePrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeProfSingleProcessPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeRestorePrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSystemProfilePrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeTakeOwnershipPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeShutdownPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeDebugPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeBackupPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Token: SeSecurityPrivilege | 4876 | 2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
Suspicious use of FindShellTrayWindow 55 IoCs
Suspicious use of SendNotifyMessage 48 IoCs
Suspicious use of SetWindowsHookEx 47 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4876
  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
    PID: 6968
  C:\ProgramData\ACFA.tmp
    Command line: "C:\ProgramData\ACFA.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 4672
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\ACFA.tmp >> NUL
      - System Location Discovery: System Language Discovery
      PID: 2112
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 6772
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnblockConvert.fon.g0Bwcr1Ri
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 428
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:428 CREDAT:17410 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 828
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnblockConvert.fon.g0Bwcr1Ri
      - Modifies Internet Explorer settings
      PID: 5416
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:428 CREDAT:82948 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 4192
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnblockConvert.fon.g0Bwcr1Ri
      - Modifies Internet Explorer settings
      PID: 5156
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:428 CREDAT:17422 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 4712
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 7028
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{F40B738D-F6A2-4CBF-A318-E03D7902DC98}.xps" 1339361782995200002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4560
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\g0Bwcr1Ri.README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:6136
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte38b3576h3ebeh481dh82dfh86b80ecb88c21⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte38b3576h3ebeh481dh82dfh86b80ecb88c2 --edge-skip-compat-layer-relaunch2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffbe807f208,0x7ffbe807f214,0x7ffbe807f2203⤵PID:5116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,16139162175447492870,10226350970931436109,262144 --variations-seed-version --mojo-platform-channel-handle=276 /prefetch:33⤵PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2144,i,16139162175447492870,10226350970931436109,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:23⤵PID:1356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2628,i,16139162175447492870,10226350970931436109,262144 --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:83⤵PID:7020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3248,i,16139162175447492870,10226350970931436109,262144 --variations-seed-version --mojo-platform-channel-handle=3024 /prefetch:23⤵PID:4296
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:1172
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:3832
Network
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
129B
MD5 f8008199aa1693800d7ea2de0130a238
SHA1 da272b7214912d9e70c80799835f97014c213ea9
SHA256 6a4e81f196ab01b055fbbcf92fd32c9a4fd128cb1379c7e08a3056420e5b41f0
SHA512 b4591a893c99fc940ecd62b197b1d7c8b976242802da12261d9343e68c0dbb10b1481131f3933063815636aa34508b73e3220f948df503956032dfca31c4feb3
-
Filesize
14KB
MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
280B
MD5 48a81770d5aeaecbd866bb88e8388a08
SHA1 570fe9d7317f684b1cc924a6658c390cd59f5a08
SHA256 8ee5f3f288720cf7cc646b3de310d5223eddea57cb110e46b2ada68f5192d49e
SHA512 e0512c4856c5ff162be64a3069000bd939754aa1b5f52ce68c361f02d168a6734f9be511c0185efdc94d9550fd542bebc8b3a94d3eed58743602ad5dd8d6be8a
-
Filesize
280B
MD5 c793e3a252a3212c090bb7c5c5fe903f
SHA1 061d0ca52594c6f85a89f8cabc1cad95058f7aad
SHA256 7dbcf8030a90ebb299d8c8b4cfd972aa64f5671e9482142399b860a4c33579ec
SHA512 cc559d3ea0fe36fe7415743366b932c8c08881e59412902a696a921bfd0ddc27b193ce9755de28c0fbf747a5036fed2f159a05643d3939f38739718f8306f3f8
-
Filesize
2B
MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
69KB
MD5 164a788f50529fc93a6077e50675c617
SHA1 c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256 b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512 ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4
-
Filesize
61B
MD5 4df4574bfbb7e0b0bc56c2c9b12b6c47
SHA1 81efcbd3e3da8221444a21f45305af6fa4b71907
SHA256 e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
SHA512 78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a
-
Filesize
2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
6KB
MD5 86c99b8afccfc483fd87ecc31bab8b3c
SHA1 937f99ca75ef8e8d0adb82f3f27b3ba2e445c0d2
SHA256 df98671c3a61911033018d848f953c8ad038acb6739e6e31af6ba1c6bd2c9a50
SHA512 a479b7f36429ce813d2353dc57e0987686b7602a6035308e65966ec9aa15d9e798167d1cc2f378b66e4066bd8b8686ebe19a793f0afbd07c6534923393851485
-
Filesize
26KB
MD5 74f514ebebb3081b0fc80b05f500cfc2
SHA1 21dbefc42d93be3325db32d318ddd87ef1eaf7d7
SHA256 2bd1133d98999753efc4acb0ae908521700180ab70dd777f78c554335837c960
SHA512 1eefff53706fc3db8e512aaf4eb38e5d4e70045256edf803ea6a6d0f5a0676473498b3902f73418a11b143c35433d745c88efc4a8ae31e2d118b3a6f9539af57
-
Filesize
6KB
MD5 ea4a4ab2b337ebda3973411243adb1f9
SHA1 3e2add2988940c1c4b0638603d76134bd7ba1191
SHA256 bffd36ebd945b21bb585052b1769ac98d19544fb2d8da88317bda87921d9dcea
SHA512 4a209289746c373d277f207975e703009a46d7245ee4e5a186fda92655ff72fcbd28af72ac892c8fe943a17b0a1335eea682123c02cdccc109c23eb465bbc8ff
-
Filesize
8KB
MD5 3d59a7a7dd336d17c08049ac5d18bf91
SHA1 959f90559156c0749031f960f4123f6d7974b10b
SHA256 2d7622a710e4b38c9ad035c0e03e1457fd7976e369909f114b104ada295240e3
SHA512 876102b7c370519c1a7b243fa910771702d84192009294021eb1291210faaeff4c7dc61f894657e80ab837299e9e4378186ababa1795f2f2566c71a0d69de547
-
Filesize
8KB
MD5 09b5270d49c82f975d41f0e3977c8a80
SHA1 9cd6d5dbffbeaf9bcce3f430198bf8e842a559e6
SHA256 fe0580bfc563f280798c2b444687833205e1380911c544dabcba9915ccfe0bb9
SHA512 48d14571588464d484795130a8ceab7fafa1a93d8564604e534eab4fa7e7a9761d1bc99d95914f6235018e35260e8275b880f9ef5bd6c123053ec841a40cca62
-
Filesize
7KB
MD5 edc363d5b8852cccc3a76dd7b22720ec
SHA1 5de31814110949f1571f3237b01e9878442f9013
SHA256 37da76d7dc1757df79a99bd9e425534b404b5b81574d73d1a184a24ce0e03105
SHA512 ce24b0c949c073a9388dcfd478ec5018e4851d8752c4610a24fa3f87076da654df411f966180b96ea4d8f4ea9aa1ea2e35a241c8ebc4214971dbb4d1596d0fe4
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
148KB
MD5 c93e74b58eeedeac87069a71a82e3e35
SHA1 917dcb5269f06846c2498fdbe4cecc5381c8c518
SHA256 f68fc128d1f6edc32b7f197d4c6f12612b61bdd577e925f4144ca31e079c06bd
SHA512 e27923def864d30d1defd6c4ec964614cacb5fad1408ddf647156d881d0b97e55e6b0d8f12fbeb440681d056166eb601856dba44ba0c1ce9447bee105cb47693
-
Filesize
4KB
MD5 2e0269261ab561a714795dbbc5087d34
SHA1 4ca3ca5f18262f1a9d23f632e85dfc769795ee72
SHA256 9c205706b40031955dbb563a750513b147d44e41075e31e6e244adfcef0a056b
SHA512 1150e20a3a73696236862ffacd5886f709514aaee7343f0d50a57aab9f05dfc33a4607d432d1409f23220e2bc80fb3653e955500eee8ff183b8f41bc91872d69
-
Filesize
280KB
MD5 571be6b0cc3f9925b5406d745c00aafd
SHA1 8cbdb897745da5b63e5df9c102f85c9aa558c4ae
SHA256 b470af2bc316cb307a23e508f16e1b7d32dfc01359d447ba107ce8a6e8a786a4
SHA512 06d7c7d742dde942c9a1f0e8b31714fb4631d70116245105705c4ee581b17e9d34304bdee0e8bf89bb28832a5c02255d35685e87aa9d8278ab098488093a4f51
-
Filesize
4KB
MD5 65b2ae940c01f1c146c17ccd0897bcab
SHA1 cbc31b705b3ccd55d8e621862b672c51913dc420
SHA256 571296047d80fad967f339c6d39e7a10286229273673b6f5dd4b2648b7cc5de0
SHA512 a5fd82cda46aa66cc641e38a358dbaeb20c8b389a880c7785540a31a36ac9b1e2c03ee2968f4e5b25240d820dea9b7a44e74bd9414e2d3b6fbdf6558a69ecede
-
Filesize
2KB
MD5 33c2afb337470ad896e1d8939697f638
SHA1 284d35006b8b354893937379614dcdc0395aac9a
SHA256 77772f2d06ef5c429daa23ed978184452dd49a3f95b6ca0ab6a9b1800ea39218
SHA512 81a2d0a0a7968edbcd99097089ebb70b967dff1fa63f10efe83d5103a8537b4d79e429bd12c0bb73f54b760813e3567205f15a515665d93ebb1e2111ff540c6f
-
Filesize
129B
MD5 57dd99d9f712f6fdf9f12c3894de7f58
SHA1 8e8562ea771497e228939e1d0d8e3bfd567cb52b
SHA256 eec4599ecad546cde9c781f5a5bcc802ec664b610d4e1d03732d26f4e33263c5
SHA512 61059cf046eb6695f65f8894b3316f6f118c55c8904f1600fa3557ede248abb153e4163da076538fa65e3208882f154cffa20a8d26b95a30de5ef25a36f14c9e