063fcedd3089e3cea8a7e07665ae033ba765b51a6dc1e7f54dde66a79c67e1e7

Analysis

max time kernel
128s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Size

147KB
MD5

5110c4c4b4836d926be20f95c973ab29
SHA1

2ab4e2829e05e7217bbb0039e68ff1d80aa661be
SHA256

063fcedd3089e3cea8a7e07665ae033ba765b51a6dc1e7f54dde66a79c67e1e7
SHA512

c35e56627f00fb8571a0ee756da416115680c5712fd370bbfeb5193d04ddbac57b8cbcff0659239b643f56bfc77831ed676c3d9257ee097a1d5eb5e210e08d69
SSDEEP

3072:46glyuxE4GsUPnliByocWepeVyrPCTsAF/Gg:46gDBGpvEByocWebrK

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\fxkJts2wg.README.txt

Ransom Note

----------- [ Welcome to buhtiRansom ] -------------> What happend? ---------------------------------------------- Your files are encrypted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your files. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. How to get access? ---------------------------------------------- Using a browser: 1) Open website: https://satoshidisk.com/pay/CIGsph 2) Enter valid email to receive download link after payment. 3) Pay amount to Bitcoin address. 4) Receive email link to the download page. 5) Decrypt instruction included. !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. It WILL NOT be able to RESTORE. !!! DANGER !!!

URLs

https://satoshidisk.com/pay/CIGsph

Signatures

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UpdateEdit.tiff	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	5C3A.tmp

Executes dropped EXE 1 IoCs

pid	Process
428	5C3A.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PP0yat_c6fvohxciprlbivk3y1b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPny_sc37ezff9tq9mp06lrv63c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPf_5e9jdzemqq2vocwb0n9rl2c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
428	5C3A.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
1524	ONENOTE.EXE
1524	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp
428	5C3A.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeDebugPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: 36	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeImpersonatePrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeIncBasePriorityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeIncreaseQuotaPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: 33	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeManageVolumePrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeProfSingleProcessPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeRestorePrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSystemProfilePrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeTakeOwnershipPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeShutdownPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeDebugPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	2024	vssvc.exe
Token: SeRestorePrivilege	2024	vssvc.exe
Token: SeAuditPrivilege	2024	vssvc.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeSecurityPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
Token: SeBackupPrivilege	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE
1524	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 3024	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe	93
PID 1736 wrote to memory of 3024	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe	93
PID 1736 wrote to memory of 428	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe	97
PID 1736 wrote to memory of 428	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe	97
PID 1736 wrote to memory of 428	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe	97
PID 1736 wrote to memory of 428	1736	2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe	97
PID 3808 wrote to memory of 1524	3808	printfilterpipelinesvc.exe	96
PID 3808 wrote to memory of 1524	3808	printfilterpipelinesvc.exe	96
PID 428 wrote to memory of 3212	428	5C3A.tmp	98
PID 428 wrote to memory of 3212	428	5C3A.tmp	98
PID 428 wrote to memory of 3212	428	5C3A.tmp	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-08_5110c4c4b4836d926be20f95c973ab29_darkside.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:3024
- C:\ProgramData\5C3A.tmp
  "C:\ProgramData\5C3A.tmp"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5C3A.tmp >> NUL
    3⤵
    PID:3212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3680

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{8B8639A4-7B7E-40B4-B59D-840DF3763D20}.xps" 133280821502150000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\AAAAAAAAAAA

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\BBBBBBBBBBB

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\CCCCCCCCCCC

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\DDDDDDDDDDD

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\EEEEEEEEEEE

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\FFFFFFFFFFF

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\GGGGGGGGGGG

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\HHHHHHHHHHH

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\IIIIIIIIIII

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\JJJJJJJJJJJ

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\KKKKKKKKKKK

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\LLLLLLLLLLL

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\MMMMMMMMMMM

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\NNNNNNNNNNN

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\OOOOOOOOOOO

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\PPPPPPPPPPP

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\QQQQQQQQQQQ

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\RRRRRRRRRRR

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\SSSSSSSSSSS

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\TTTTTTTTTTT

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\UUUUUUUUUUU

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\VVVVVVVVVVV

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\WWWWWWWWWWW

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\XXXXXXXXXXX

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\YYYYYYYYYYY

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini

Filesize
129B

MD5
8fdd70bcbb94d9ae4d7fde740955c93f

SHA1
d6b08cec51119db2bbb3d1fb4be94f271af0e19a

SHA256
8fa46f9c9c0f5d6180bebc443a99d06e9f5bd0ee8d17e5344b62154e72014fc7

SHA512
dc1c4b0e2629aa664c81f7e1f48eedb58ded4d22a8e2475b3c127a91d30ed8640675a80cf99c41d1cbaba4ebc9b9a39daabe255c7056c33447b83f6f5bb2ce22

Download Submit
C:\ProgramData\5C3A.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\5C3A.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Filesize
147KB

MD5
87dbd2a74919805c2f5695149fb1265d

SHA1
2ddea5a6a5b63b83182b55bee1ef62b3d2571ef1

SHA256
aff0bab7059e021416188694e7eeb2c863fe7fcaaedb1f671a0fda30e2e9f3b5

SHA512
d0ce02a80e2ca85c2e04a945acf922eb7ca6f764b0086a4363847350e75986aa76a43a34fa1dcc50dc85a0399dd92a2a011432fc2e2735c7f831a666e6c762b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F9FF240F-FB3B-4663-B177-7C0DE3A78B67}

Filesize
4KB

MD5
6eb5de41c540131ab0a567027a0158d6

SHA1
4b2760905d66f870e0a0f707c52abf52a8b3cdab

SHA256
66dcd46a5c31ca9e256611f7171421f40b892bf582f035521df512292cd454b5

SHA512
c3a5b8c9a2aeb04678c24fb4007d4c5c1fd29dcb3e734fa1dc55dbf2723a206b7171b04879e3ab91e110ea87a08cf06ce95902944dc6905644420eb4f3975a35

Download Submit
C:\fxkJts2wg.README.txt

Filesize
1KB

MD5
a2bec7f34c005f36a31d5b40f66433de

SHA1
534631d8c22519b2a2e2d9692f6f93d08c267b2b

SHA256
d4c55e70b79b1e75a58f841e31f41eae5e655bdbe5455da108ffe651ed688d27

SHA512
ac68b91b4cbb862790ba04618d6ff33a70860847ddc57be473b36006eb7f9e35383793e9134f7d096f48f65a9428f25bc1f45fb92f58dfe29e7b9532763f798a

Download Submit
memory/1524-2855-0x00007FF985810000-0x00007FF985820000-memory.dmp

Filesize
64KB

Download
memory/1524-2857-0x00007FF985810000-0x00007FF985820000-memory.dmp

Filesize
64KB

Download
memory/1524-2856-0x00007FF985810000-0x00007FF985820000-memory.dmp

Filesize
64KB

Download
memory/1524-2858-0x00007FF985810000-0x00007FF985820000-memory.dmp

Filesize
64KB

Download
memory/1524-2859-0x00007FF985810000-0x00007FF985820000-memory.dmp

Filesize
64KB

Download
memory/1524-2860-0x00007FF983250000-0x00007FF983260000-memory.dmp

Filesize
64KB

Download
memory/1524-2861-0x00007FF983250000-0x00007FF983260000-memory.dmp

Filesize
64KB

Download
memory/1736-2787-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/1736-188-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/1736-187-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/1736-2785-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/1736-2786-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download