Ransomware: Darkside - Question 9

Question

In terms of determining the name of the service that is installed after the ransomware was executed, there doesn't seem to be any service installation activities observed from the endpoint. Wondering if I should be focusing on a different code, slightly irrelevant towards service creation activities.

when searching for file creation for possible service names "api-ms-win-service-management-l1-1-0.dll" is also showcased to not work.

Wondering about what different area should I be looking into instead

kevinh · Answer

When parsing for the service names during execution I am also struggling to find a meaningful link as well&nbsp;Which includes parsing for the eventID itself

Forum Discussion

Ransomware: Darkside - Question 9

1 Reply

Featured Places

Help

Related Content

Ransomware: Darkside - Question 8

How to Answer a Question

How to Ask a Question

Ransomware: Annabelle Entry Point

Ransomware: Bad Rabbit - Registry key

Recent Discussions

Apache Header Tampering

Ransomware: Darkside - Question 9

Ransomware: Darkside - Question 8

AI Blue Teaming Foundations: Introduction to AI Blue Teaming (Part 2) - Q7 Impossible

Modern Encryption Issue