Analysis

max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-03-2024 15:14

Behavioral task: behavioral1
Sample: 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
Resource: win7-20240221-en
General

Target: 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
Size: 146KB
MD5: b68bf58ebf923d66ba30f4c892ff59d5
SHA1: 3cb43567b90fd56edf0123cea2f46cc1b1290a83
SHA256: c0afa7d1d390d4d6310be70c31a01fb668521fb33a2b3239e41f3e8231451eac
SHA512: 50eca65bde5718004694a33460ee5895b7fc9ce1679387399de739772982f93b07d28c939f314bc6edf22a7ee9f0391424dc92062af8c19eaf4349593ab45d50
SSDEEP: 3072:96glyuxE4GsUPnliByocWep/7pwO8OlP6:96gDBGpvEByocWehPTy
Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | D0C.tmp
Deletes itself 1 IoCs
Processes:
  pid | process
  1428 | D0C.tmp

Executes dropped EXE 1 IoCs
Processes:
  pid | process
  1428 | D0C.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) 2 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
Drops file in System32 directory 4 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\system32\spool\PRINTERS\00002.SPL | splwow64.exe
  File created | C:\Windows\system32\spool\PRINTERS\PP7wn8itlda1wdtcbxafgp7d7wb.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PPh0jaylcpv2m4k5m93gitgdjld.TMP | printfilterpipelinesvc.exe
  File created | C:\Windows\system32\spool\PRINTERS\PPkg6olrnyc705vluhii6gztrxb.TMP | printfilterpipelinesvc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
  pid | process
  4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  1428 | D0C.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | ONENOTE.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ONENOTE.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe (this identical row is listed 64 times in the report)
Suspicious behavior: RenamesItself 26 IoCs
Processes:
  pid | process
  1428 | D0C.tmp (this identical row is listed 26 times in the report)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeAssignPrimaryTokenPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeBackupPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeDebugPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: 36 | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeImpersonatePrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeIncBasePriorityPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeIncreaseQuotaPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: 33 | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeManageVolumePrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeProfSingleProcessPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeRestorePrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeSecurityPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeSystemProfilePrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeTakeOwnershipPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeShutdownPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeDebugPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeBackupPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeBackupPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeSecurityPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  Token: SeSecurityPrivilege | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  (the four-row cycle SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege above is listed 12 times in total, making up rows 17 to 64; every row has pid 4924 and the same process)
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
  pid | process
  3804 | ONENOTE.EXE (this identical row is listed 13 times in the report)
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description | pid | process | target process
  PID 4924 wrote to memory of 1992 | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe | splwow64.exe
  PID 4924 wrote to memory of 1992 | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe | splwow64.exe
  PID 2964 wrote to memory of 3804 | 2964 | printfilterpipelinesvc.exe | ONENOTE.EXE
  PID 2964 wrote to memory of 3804 | 2964 | printfilterpipelinesvc.exe | ONENOTE.EXE
  PID 4924 wrote to memory of 1428 | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe | D0C.tmp
  PID 4924 wrote to memory of 1428 | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe | D0C.tmp
  PID 4924 wrote to memory of 1428 | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe | D0C.tmp
  PID 4924 wrote to memory of 1428 | 4924 | 2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe | D0C.tmp
  PID 1428 wrote to memory of 2636 | 1428 | D0C.tmp | cmd.exe
  PID 1428 wrote to memory of 2636 | 1428 | D0C.tmp | cmd.exe
  PID 1428 wrote to memory of 2636 | 1428 | D0C.tmp | cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-13_b68bf58ebf923d66ba30f4c892ff59d5_darkside.exe"
  PID: 4924
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (child of PID 4924)
      command line: C:\Windows\splwow64.exe 12288
      PID: 1992
      - Drops file in System32 directory

    C:\ProgramData\D0C.tmp (child of PID 4924)
      command line: "C:\ProgramData\D0C.tmp"
      PID: 1428
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (child of PID 1428)
          command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D0C.tmp >> NUL
          PID: 2636

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 3584

C:\Windows\system32\printfilterpipelinesvc.exe
  command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  PID: 2964
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (child of PID 2964)
      command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{FBD4FDDC-1799-4080-AB23-2B495EC67C7C}.xps" 133548165133840000
      PID: 3804
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: ae7915ec1e469888401ffc1bd5a7ef9a
SHA1: 729ffed25005716ae17441088f4eb2d7e7acc73a
SHA256: 62390ea6672eb242fcc7391dbeee43e2ba0c3e2d2bb377e4e8ec17cea63947e3
SHA512: 50921d57021e9f6f111c8dd3dccd8ece5e91c710840b0abc0207e801cbace9a7b4a3bba51c988154ba12d2cd778c7bc0159581fa6d39f41b4a2c324b6bdcacbf

Filesize: 732B
MD5: 3c30a01742ea1df843789b45788be189
SHA1: fccfb826237ba1d9bf28c938837b76522b864532
SHA256: d3ac4e88de00362317d3aff94930598ef32d3da8d67eebbf03f01d19fd297876
SHA512: b0bc1a90f83813d4b9c8ee01b5c718381bfef2675140602753a24c033fa3b352e68a556988d4bc3d718d08a1564245bd634f26e96095e94c1605a9213d570a2f

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 146KB
MD5: ab37d27f5a2fdf24ccaf91ade1f96b6a
SHA1: 2029cdb52d7216ea5c79d4974a2630a6d98f38f1
SHA256: 8fe62239224687d2728e00fd047237c76fac41cdc37fbad67227ed08f3e295e5
SHA512: 0e3a37f0d449874b00f6bc9bcd6c137d939e8230da32fa601fcedb3253d4240aaf72353947f1821cea60b052b3eade2302fd0eea16161e88c0783bef62996005

Filesize: 4KB
MD5: 1b9535c7df4f92e3c836a234a89a5614
SHA1: a86ca7ede9eaa11e2ae0452f1257a6f7298febe8
SHA256: d19c9a109966b4aee274e7c2f0253fd146d83b31db16f780c00451b86e21db7b
SHA512: 0ca63ccb9e71787f0aaca1e4205d87903bfe61465ecaa7e78d0c066cdec2c9e2d5f5dd4c98456a483b06607106d7da5b2c1d832b6681f19cb3c12054155c73a8

Filesize: 4KB
MD5: 6889a9288f74e3aeaa9cbdd9914b4b73
SHA1: 633fe07dc8479df849dabc1698e11e7442b9c68e
SHA256: d8a1bcda46149cf1db09d2db349dae09da9939c8f06541249a0f5fa5b903f3c5
SHA512: 6612fa7d0a1af82aa52c52e5284da8674de3aee577f5b78b7c3d5045c4f63b2aef42b14a08edb37fb4d43c0de847d9d15fecf9db5997985769193bb7035c5df9

Filesize: 129B
MD5: 5bf01a57f80a8b802ff42b7cef1baaba
SHA1: 49e7d2cc79e18feb9e06ee0adb7d676b5896307b
SHA256: 7dff78ae76c4966cbb596f89b1b177beed733c42d2ade8ca9591bd59d3bf490f
SHA512: 9e95744f0e01269e0b9ff1888749a44f1bacf0e4107d6f56223056dba65e9cfcaf23874d0df18ff5d16cc0f226d0db86f3bee9d2026efe5a17629505dd0650a5