Analysis
max time kernel: 135s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2023, 02:41
Behavioral task behavioral1
Sample: 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Resource: win7-20230220-en
Behavioral task behavioral2
Sample: 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Resource: win10v2004-20230220-en
General
Target: 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Size: 159KB
MD5: e71ad94e2d5bd95bcaf85fc17acec28f
SHA1: fd5469f26e71f862fb6dd11efd5cd2a7ef90473f
SHA256: 54ac7ac6db6fcec5234454430513d1d2787ee8a48aa60fbf95c1af27534fdb4a
SHA512: 0d68d07852eca44e47c14efd651aa04479dbba22e97379220aae8f406cd118b89cb72147d1176760118ca23e517c082b1974b553196e62b697b28cb4eb351e3f
SSDEEP: 3072:SuJ9OlKolUa1U197bzhVsmftsmXhBSTE6pSLR7Z:Sufj0zi1dNVsmftJvS46+FZ
Malware Config
Extracted from: C:\o3LDjrpOa.README.txt
Family: lockbit
URLs:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
https://twitter.com/hashtag/lockbit?f=live
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
https://gdpr.eu/what-is-gdpr/
https://gdpr-info.eu/
Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.

Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\PushComplete.tiff | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe

Executes dropped EXE (1 IoC)
pid | Process
2376 | 4C1D.tmp

Drops desktop.ini file(s) (1 IoC)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PPftkiyl2hf3ikzwkpoohjkznfc.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPa1f97bq030ehz558nspo31v2d.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PP822ly3ql9wi05p7c0r0ojycg.TMP | printfilterpipelinesvc.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\o3LDjrpOa.bmp" | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\o3LDjrpOa.bmp" | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
pid | Process
4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe (6 entries)
2376 | 4C1D.tmp (6 entries)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE

Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.o3LDjrpOa\ = "o3LDjrpOa" | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\o3LDjrpOa\DefaultIcon\ = "C:\\ProgramData\\o3LDjrpOa.ico" | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe (12 entries)
3536 | ONENOTE.EXE (2 entries)

Suspicious behavior: RenamesItself (26 IoCs)
pid | Process
2376 | 4C1D.tmp (26 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeBackupPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeDebugPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: 36 | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeImpersonatePrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeIncBasePriorityPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeIncreaseQuotaPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: 33 | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeManageVolumePrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeProfSingleProcessPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeRestorePrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeSecurityPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeSystemProfilePrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeTakeOwnershipPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeShutdownPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeDebugPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe
Token: SeBackupPrivilege | 4672 | vssvc.exe
Token: SeRestorePrivilege | 4672 | vssvc.exe
Token: SeAuditPrivilege | 4672 | vssvc.exe
Token: SeBackupPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe (23 entries, interleaved in pairs with the SeSecurityPrivilege entries below)
Token: SeSecurityPrivilege | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe (22 entries)

Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
3536 | ONENOTE.EXE (13 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 4116 wrote to memory of 376 | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | 93 (2 entries)
PID 3316 wrote to memory of 3536 | 3316 | printfilterpipelinesvc.exe | 96 (2 entries)
PID 4116 wrote to memory of 2376 | 4116 | 2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe | 97 (4 entries)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe (PID 4116)
  command line: "C:\Users\Admin\AppData\Local\Temp\2023-05-30_e71ad94e2d5bd95bcaf85fc17acec28f_darkside.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\splwow64.exe (PID 376)
    command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  child: C:\ProgramData\4C1D.tmp (PID 2376)
    command line: "C:\ProgramData\4C1D.tmp"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself

C:\Windows\system32\vssvc.exe (PID 4672)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe (PID 2424)
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe (PID 3316)
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  child: C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 3536)
    command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{247B8BE2-FD8E-42C9-B9C6-F5C91AEB7451}.xps" 133300681065470000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 129B (27 identical entries)
MD5: 3834c3ae1387f7484b0a4a51f1aaa35a
SHA1: 7492baa62ce9aa854146148185b23c69fc122dfe
SHA256: 16e99f69a89073a9c6d919304d4708e011380f9fc1b4f8be360d565ccc47afc9
SHA512: 0f2f69ac1fddd9e4c1d9cad4586235753b5cad223b8fe2c3433d2b6963f7fd156262f64579b687a4747190c8bb3b83674c4de6d1260c68fb773aa5dc8ab22676

Filesize: 14KB (2 identical entries)
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 159KB
MD5: da757c30d9de5a1c5a005c83da64a3e6
SHA1: cc69f58a164c318e0944edae12f5583fbf6a6409
SHA256: 03163ea9e268bd660fe53a22dd7f20fe4275921edabb4f576f5e2197a2d628ea
SHA512: 6653120a2663c0203eb9a775d91de46e4a3effb306f9d45e4af2eb63a46cb908d6ca4f97cc483d3c7ec35cd55c5377a3941d3f978649a35b5cd39b2b7da7009c

Filesize: 4KB
MD5: e00070832bd6ba254d37efe2fa942019
SHA1: d05a2437ed30cb986fd81e8d392871bf7fca97db
SHA256: c33b0daeb164858d640d1b5b280138d5cdb2b3ae996a255db868b60e8d096102
SHA512: 87b239883631ab67d91e233e6779ba38a13124e1c74bb2a6108e0b954eef9e6bfad969d5df7f3e90e206fd4e1b2130ec710621216956017864e68a4815188b42

Filesize: 4KB
MD5: efe13471df9daedf1ba9044854f6609a
SHA1: 441aa6676ca8b21b602784155d366505b54c213f
SHA256: edd9383d0a2aaecda4edb74d3bf984ff893b730736ccdec797ab5cd50197c7d4
SHA512: f8b69eac75b62a79bc7c28a3e693b56d9a4f6d060ddcbcf088bece9b0e7ce14f6e962b64d5ae4364cf000b356f2b0aec4ff34044def0382427bf364823ffc516

Filesize: 10KB
MD5: 0ed320811b631a2836da2fb56e874d42
SHA1: 88346e3af64361c0960d8fcc561cdf243e4050b3
SHA256: c2884b70c6bcd1957510032248207a10cd54526de3887a1c7afae1ea5261150d
SHA512: 42c579c75dc64726a5ef9b11c013296aa49d3b4b122c5a79c5660e7eadea187966643fb381cfe8a98b4b8a2ece00a8d29ac43295c4ab7c73476418a726f926d0