Analysis
- max time kernel: 126s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/06/2023, 08:03
Behavioral task: behavioral1
- Sample: 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
- Resource: win10v2004-20230221-en
General
- Target: 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
- Size: 146KB
- MD5: ac4efeb9f09e844f22a37de5d1a9c505
- SHA1: 8e099b2e1d405708c1c76b727aaba272496966c8
- SHA256: af4c28fb1c65ebe93181b67d279733e864cafab5919a7aa7eced93fc8113df16
- SHA512: c6262e7ac5fcaf82700f6b82c3aca0bad612a40905c572b861c6a5227d2ed6d52f7508a2c263eabf93ddd148e8f3872d39d36b8c01e13e2e76e85a5e6d89397a
- SSDEEP: 3072:M6glyuxE4GsUPnliByocWepDY0k1p8M/DJ6iHrAa:M6gDBGpvEByocWeRY0k77JzH
Malware Config
Signatures
-
Renames multiple (615) files with added filename extension
Renaming hundreds of files by appending one new extension is the file-system footprint of ransomware encrypting the files on the system.
-
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\DisableReset.raw => C:\Users\Admin\Pictures\DisableReset.raw.9y643jKEQ | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\DisableReset.raw.9y643jKEQ | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File renamed | C:\Users\Admin\Pictures\ProtectCopy.tif => C:\Users\Admin\Pictures\ProtectCopy.tif.9y643jKEQ | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\ProtectCopy.tif.9y643jKEQ | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File renamed | C:\Users\Admin\Pictures\RestoreRestart.crw => C:\Users\Admin\Pictures\RestoreRestart.crw.9y643jKEQ | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\RestoreRestart.crw.9y643jKEQ | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromSync.tif => C:\Users\Admin\Pictures\ConvertFromSync.tif.9y643jKEQ | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertFromSync.tif.9y643jKEQ | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
-
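The rename rows above are the observable that the sandbox counted 615 times before raising its "Renames multiple files with added filename extension" signature: one process, one new suffix (.9y643jKEQ), many files of different original types. The Python below is an added example, not part of this report or of the sample; it parses sandbox-style "File renamed" lines and fires on exactly that pattern. The input is constructed: the first four lines reproduce the report's IoCs, the editor.exe and browser.exe lines are invented benign renames for contrast, and the thresholds are this example's choice rather than the sandbox's.

```python
"""Flag a process that appends one new extension to many user files."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed input: four rows from the report plus three invented benign renames.
SAMPLE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\DisableReset.raw => C:\Users\Admin\Pictures\DisableReset.raw.9y643jKEQ 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File renamed C:\Users\Admin\Pictures\ProtectCopy.tif => C:\Users\Admin\Pictures\ProtectCopy.tif.9y643jKEQ 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File renamed C:\Users\Admin\Pictures\RestoreRestart.crw => C:\Users\Admin\Pictures\RestoreRestart.crw.9y643jKEQ 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File renamed C:\Users\Admin\Pictures\ConvertFromSync.tif => C:\Users\Admin\Pictures\ConvertFromSync.tif.9y643jKEQ 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
File renamed C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.txt.bak editor.exe
File renamed C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report.docx.bak editor.exe
File renamed C:\Users\Admin\Downloads\setup.part => C:\Users\Admin\Downloads\setup.exe browser.exe
"""

# "File renamed <src> => <dst> <process>"; paths here contain no spaces.
RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+?) (?P<proc>\S+)$")


@dataclass
class Alert:
    process: str
    extension: str
    file_count: int
    original_extensions: tuple


def appended_extension(src: str, dst: str):
    """Return the suffix when dst is exactly src + '.<suffix>', else None.

    A rename that replaces the extension (setup.part -> setup.exe) is not an
    appended extension and is ignored.
    """
    if not dst.startswith(src + "."):
        return None
    suffix = dst[len(src) + 1:]
    if not suffix or "\\" in suffix or "/" in suffix:
        return None
    return suffix


def detect_mass_rename(events: str, min_files: int = 3, min_kinds: int = 2):
    """Group appended-extension renames by (process, suffix) and alert when one
    process has renamed at least min_files files spanning at least min_kinds
    original extensions with the same suffix.  Thresholds are this example's
    choice; the sandbox reached 615 renames before firing."""
    seen = defaultdict(lambda: ([], set()))  # (process, suffix) -> (files, kinds)
    for line in events.splitlines():
        m = RENAME_RE.match(line.strip())
        if not m:
            continue
        suffix = appended_extension(m["src"], m["dst"])
        if suffix is None:
            continue
        files, kinds = seen[(m["proc"], suffix)]
        files.append(m["src"])
        kinds.add(PureWindowsPath(m["src"]).suffix.lower())
    alerts = []
    for (proc, suffix), (files, kinds) in seen.items():
        if len(files) >= min_files and len(kinds) >= min_kinds:
            alerts.append(Alert(proc, suffix, len(files), tuple(sorted(kinds))))
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_EVENTS):
        print(f"{a.process}: {a.file_count} files renamed to *.{a.extension} "
              f"(original types: {', '.join(a.original_extensions)})")
```

Requiring several distinct original extensions is what separates an encryptor from a backup tool that writes foo.txt.bak for one file type; in production the per-process counter would be windowed by time rather than by a whole log.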
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | 4CF8.tmp
-
Executes dropped EXE (1 IoC)
pid | Process
4140 | 4CF8.tmp
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) (1 IoC)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
-
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
File created | C:\Windows\system32\spool\PRINTERS\PP5wi3v5ijd91z8ysluo0y9nr.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPn24v2bzbti_1v5nnxmjcm2g7c.TMP | printfilterpipelinesvc.exe
File created | C:\Windows\system32\spool\PRINTERS\PPbsp6xev3vti70wv_d263m8kdc.TMP | printfilterpipelinesvc.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid | Process
1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe (4 times)
4140 | 4CF8.tmp
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
-
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid | Process
1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe (60 times)
4648 | ONENOTE.EXE (2 times)
-
Suspicious behavior: RenamesItself (26 IoCs)
pid | Process
4140 | 4CF8.tmp (26 times)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeBackupPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeDebugPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: 36 | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeImpersonatePrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeIncBasePriorityPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeIncreaseQuotaPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: 33 | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeManageVolumePrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeProfSingleProcessPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeRestorePrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeSecurityPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeSystemProfilePrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeTakeOwnershipPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeShutdownPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeDebugPrivilege | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
Token: SeBackupPrivilege | 4940 | vssvc.exe
Token: SeRestorePrivilege | 4940 | vssvc.exe
Token: SeAuditPrivilege | 4940 | vssvc.exe
The remaining 45 rows are PID 1216 (2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe) re-enabling SeBackupPrivilege (23 times) and SeSecurityPrivilege (22 times) in alternating pairs.
-
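The 64 rows above reduce to a small, telling set. SeBackupPrivilege and SeRestorePrivilege let a process open any file for reading or writing regardless of its ACL, SeTakeOwnershipPrivilege covers whatever that does not, SeDebugPrivilege allows opening other processes, and SeManageVolumePrivilege and SeShutdownPrivilege complete what a file encryptor wants. The long alternating SeBackupPrivilege/SeSecurityPrivilege tail is consistent with the sample re-asserting backup semantics as it walks the file system. vssvc.exe enabling SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege is normal for the Volume Shadow Copy service and is a baseline, not a second suspect. The Python below is an added example, not from the report: it parses rows of this shape into per-PID privilege sets and ranks PIDs by how many high-impact privileges they enabled. The rows are transcribed from the table with the repeating tail cut to one of each; mapping the numeric rows 33 and 36 to names through the winnt.h SE_*_PRIVILEGE LUID constants is an assumption about how the sandbox encodes them, and the HIGH_IMPACT set is this example's choice.

```python
"""Per-process token-privilege summary from sandbox-style AdjustPrivilegeToken rows."""
import re
from collections import Counter

SAMPLE = "2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"

# Constructed from the report's table; the alternating tail is reduced to one row each.
SAMPLE_ROWS = f"""
Token: SeAssignPrimaryTokenPrivilege 1216 {SAMPLE}
Token: SeBackupPrivilege 1216 {SAMPLE}
Token: SeDebugPrivilege 1216 {SAMPLE}
Token: 36 1216 {SAMPLE}
Token: SeImpersonatePrivilege 1216 {SAMPLE}
Token: SeIncBasePriorityPrivilege 1216 {SAMPLE}
Token: SeIncreaseQuotaPrivilege 1216 {SAMPLE}
Token: 33 1216 {SAMPLE}
Token: SeManageVolumePrivilege 1216 {SAMPLE}
Token: SeProfSingleProcessPrivilege 1216 {SAMPLE}
Token: SeRestorePrivilege 1216 {SAMPLE}
Token: SeSecurityPrivilege 1216 {SAMPLE}
Token: SeSystemProfilePrivilege 1216 {SAMPLE}
Token: SeTakeOwnershipPrivilege 1216 {SAMPLE}
Token: SeShutdownPrivilege 1216 {SAMPLE}
Token: SeDebugPrivilege 1216 {SAMPLE}
Token: SeBackupPrivilege 4940 vssvc.exe
Token: SeRestorePrivilege 4940 vssvc.exe
Token: SeAuditPrivilege 4940 vssvc.exe
Token: SeBackupPrivilege 1216 {SAMPLE}
Token: SeSecurityPrivilege 1216 {SAMPLE}
"""

# Assumption: numeric rows are LUID values as defined by winnt.h
# (SE_INC_WORKING_SET_PRIVILEGE = 33, SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE = 36).
LUID_NAMES = {
    33: "SeIncreaseWorkingSetPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# This example's choice of privileges that together let a process read, rewrite
# or take over files it does not own and reach into other processes.
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeManageVolumePrivilege", "SeShutdownPrivilege",
}

ROW_RE = re.compile(r"^Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<image>\S+)$")


def normalise(priv: str) -> str:
    """Map a numeric LUID to its Se* name; unknown numbers stay tagged as LUIDs."""
    if priv.isdigit():
        return LUID_NAMES.get(int(priv), f"LUID:{priv}")
    return priv


def summarise(rows: str):
    """Return {pid: {"image": str, "privileges": Counter, "high_impact": set}}."""
    out = {}
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        pid = int(m["pid"])
        entry = out.setdefault(
            pid, {"image": m["image"], "privileges": Counter(), "high_impact": set()})
        name = normalise(m["priv"])
        entry["privileges"][name] += 1        # counts repeated enables
        if name in HIGH_IMPACT:
            entry["high_impact"].add(name)
    return out


def rank(summary, threshold: int = 4):
    """PIDs that enabled at least `threshold` distinct high-impact privileges,
    as (pid, count) pairs, highest count first."""
    hits = [(pid, len(e["high_impact"])) for pid, e in summary.items()
            if len(e["high_impact"]) >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    s = summarise(SAMPLE_ROWS)
    for pid, count in rank(s):
        print(f"PID {pid} ({s[pid]['image']}): {count} high-impact privileges, "
              f"{sum(s[pid]['privileges'].values())} enables in total")
```

With the full 64 rows the counter for PID 1216 would show SeBackupPrivilege and SeSecurityPrivilege in the twenties; the ranking is unaffected because it scores distinct privileges, not repeats.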
Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
4648 | ONENOTE.EXE (13 times)
-
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 1216 wrote to memory of 1532 | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | 95 (2 times)
PID 1216 wrote to memory of 4140 | 1216 | 2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe | 99 (4 times)
PID 4760 wrote to memory of 4648 | 4760 | printfilterpipelinesvc.exe | 98 (2 times)
PID 4140 wrote to memory of 2760 | 4140 | 4CF8.tmp | 100 (3 times)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"
  PID: 1216
  Signatures: Modifies extensions of user files; Drops desktop.ini file(s); Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1532
    Signatures: Drops file in System32 directory
  - C:\ProgramData\4CF8.tmp
    Command line: "C:\ProgramData\4CF8.tmp"
    PID: 4140
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4CF8.tmp >> NUL
      PID: 2760
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4940
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 3388
- C:\Windows\system32\printfilterpipelinesvc.exe
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 4760
  Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B730EF9C-2C5F-492B-B942-37635BEC9C02}.xps" 133305122798560000
    PID: 4648
    Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
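Two things in the tree above are worth a detection rather than a glance. The sample drops and runs C:\ProgramData\4CF8.tmp (the "Executes dropped EXE" signature), and that child then removes its own image through cmd.exe /C DEL /F /Q C:\PROGRA~3\4CF8.tmp >> NUL, where C:\PROGRA~3 is the 8.3 short name for C:\ProgramData, so a path-equality check would miss it. The cmd.exe image sits under SysWOW64 although the command line names System32, which is WOW64 file-system redirection for a 32-bit parent (the resource tags list arch:x86 alongside arch:x64). The splwow64.exe and printfilterpipelinesvc.exe / ONENOTE.EXE /insertdoc branch is consistent with something being printed to the OneNote virtual printer, which renders the job to XPS and hands it to ONENOTE.EXE. The Python below is an added example, not from the report or the sample: it rebuilds the tree from constructed records and flags both the ProgramData .tmp executable and the self-delete pair. PIDs, images and command lines are as shown above; parent PIDs are inferred from the nesting, which is an assumption since the report shows depth rather than PPIDs.

```python
"""Rebuild a sandbox process tree and flag a dropped payload deleting itself."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2023-06-04_ac4efeb9f09e844f22a37de5d1a9c505_darkside.exe"

# Constructed records (pid, ppid, image, command line); PPIDs inferred from
# the tree nesting in the report, which is an assumption.
PROCESSES = [
    (1216, 0,    SAMPLE, f'"{SAMPLE}"'),
    (1532, 1216, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    (4140, 1216, r"C:\ProgramData\4CF8.tmp", r'"C:\ProgramData\4CF8.tmp"'),
    (2760, 4140, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4CF8.tmp >> NUL'),
    (4940, 0,    r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (3388, 0,    r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"),
    (4760, 0,    r"C:\Windows\system32\printfilterpipelinesvc.exe",
     r"C:\Windows\system32\printfilterpipelinesvc.exe -Embedding"),
    (4648, 4760, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     r'/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B730EF9C-2C5F-492B-B942-37635BEC9C02}.xps" 133305122798560000'),
]

# "DEL", optional switches such as /F /Q, then the first target (stops at whitespace or '>').
DEL_RE = re.compile(r"\bdel\b(?:\s+/\w)*\s+(?P<target>[^\s>]+)", re.IGNORECASE)


def children_of(processes):
    """Map ppid -> [pid, ...] preserving record order."""
    tree = defaultdict(list)
    for pid, ppid, _, _ in processes:
        tree[ppid].append(pid)
    return tree


def executes_from_programdata_tmp(processes):
    """PIDs whose image is a .tmp file directly under C:\\ProgramData."""
    hits = []
    for pid, _, image, _ in processes:
        parts = tuple(p.lower() for p in PureWindowsPath(image).parts[:2])
        if parts == ("c:\\", "programdata") and image.lower().endswith(".tmp"):
            hits.append(pid)
    return hits


def find_self_delete(processes):
    """(parent_pid, child_pid) pairs where a child cmd.exe deletes its parent's
    own image.  The comparison is on file name only, so the 8.3 alias
    C:\\PROGRA~3\\4CF8.tmp still matches C:\\ProgramData\\4CF8.tmp."""
    by_pid = {p[0]: p for p in processes}
    hits = []
    for pid, ppid, image, cmd in processes:
        if PureWindowsPath(image).name.lower() != "cmd.exe" or ppid not in by_pid:
            continue
        m = DEL_RE.search(cmd)
        if not m:
            continue
        target_name = PureWindowsPath(m["target"]).name.lower()
        parent_name = PureWindowsPath(by_pid[ppid][2]).name.lower()
        if target_name == parent_name:
            hits.append((ppid, pid))
    return hits


def render_tree(processes):
    """Indented 'pid image-name' lines, children beneath their parents."""
    tree, by_pid = children_of(processes), {p[0]: p for p in processes}
    lines = []

    def walk(pid, depth):
        for child in tree[pid]:
            lines.append("  " * depth + f"{child} {PureWindowsPath(by_pid[child][2]).name}")
            walk(child, depth + 1)

    walk(0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    print("dropped .tmp executables:", executes_from_programdata_tmp(PROCESSES))
    print("self-delete pairs (parent, cmd child):", find_self_delete(PROCESSES))
```

On a real endpoint the same two checks run over process-creation telemetry (Sysmon event 1 or Windows 4688 with command-line auditing), where the parent PID is recorded rather than inferred.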
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 129B
MD5: a437e9870c8e8e5cdb3fc01a32905332
SHA1: 1e3a3a2da67943545387e1f860035d1ba7d2a869
SHA256: f38945b7f1629ad755bab330e3504f301cb38afeb22d62abc52b1042347f267c
SHA512: aad153d980380ca7df0095fdd3a3ba02449ccd72e5803dc14b54941531492bb85f15593dbaa7cda76a15f684d8eb8dbd7cef8a3f8db31335f4918a0f8acd22c6
-
Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize: 599B
MD5: a252d99fb46c5547037df1bf2ad28ddd
SHA1: 11ba8f7716fdb5f5930051476539ae2c28c24cbc
SHA256: 7f4e580bf421dfee139169eadc44fdcf984039576de034664be2df8d2bb6727b
SHA512: 106beef199df95707dbd23407172b96dc717350578f13edf5ac89551d6974d1705390bff9d66ed2a2ec40ff3ad9888c2d315f7d21cd121980dec21cce73459f3
-
Filesize: 146KB
MD5: 62a52f2b932b9742bb9f279a1fc27cae
SHA1: b965f805843dae6ebb7c97b643e2c47717b14aa8
SHA256: 15cc91c33beaa6c2655084b00e21c18c037ab06d19d853b6444b9aef8a98aa40
SHA512: 8ed59cc30067ba8cecf29363a75d818d8f44290823639a8834702d37f51e085dc06561d0c5893e3bfa97c97460ce3540e6cef38deb13f4ccb1e413aba72f0f9b
-
Filesize: 4KB
MD5: 90c371ae05864baa8eaee1efcedb1429
SHA1: ae329b68ae98462febf28fd97a35f82b7277b567
SHA256: aabd954990b15112992449e5287f2cebfc5c9ceefa87cc9937dd962d20f7d7f3
SHA512: 107c562487be52d65a1048109589d32ad86c8232daaeacf629c24d19c90f1ee9aebf3060fab04f627610a2a5f6315037ec4a56b180d9662b068ecc89a3cd5234
-
Filesize: 4KB
MD5: 9430471cb8d341da2d72471ae7c956a4
SHA1: d50b7bdf7d98d056b6ab8170c93ecc6e025635a6
SHA256: 704aaad48fcc972acdffbc16f0018d84324b29efff868fc0aac14cb223d184a6
SHA512: 32fe092693be0ad5bc0176243c230044b3ad884df51fa38b992e02af1a89537d28cd850799c2a20dfbcd2a40359e27770e31d06b22ad70da697c61380dadd5e9