darkside | f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Size

56KB
MD5

3f2cb535fc5bc296aa5b0d2897c265d0
SHA1

c30358563fa940eb5cd6064d4d16defee43b0310
SHA256

f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4
SHA512

6fc3a98f16f4fbd2e6bd4211c35b403ed565d6b30f803e6da04e14efe018aca09719256f1e8a2c8a5763a7bac08de3be964eb6251d858df0f6261f82b3f2f7a2
SSDEEP

768:piN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy8fIaJ/ZB49j9xOOLC9kvAx0:g4HHerjZX7pLjJKjSO+i

Score

10^/10

darkside ransomware

Malware Config

Extracted

Path

C:\README.59b738aa.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have downloaded more then 500GB data from your network. Included: -Accounting data -Finance data -HR -Employees confidential data(photos, benefits, taxes, etc) -Marketing -Budgets -Taxes(sales tax compliance, property, income and franchise taxes, etc) -Payrolls -Banking data -Arbitration -Scans -Insurance -Reconciliations -Reports(monthly bank inventory, monthly financial, claims reports, etc) -Audits(DHG, insurance audits, etc) -B2B clients config data -Confidentiality 2020 -2020, 2021 Business plans -2019, 2020, 2021 years Closing (full dumps) -and a lot of other sensitive data Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM When you open our website, put the following data in the input form: Key: ug8lgpX3WrFzlEJ6HBWlwJnf7jemhfnlxBw9porj1uuYFTgKbxJQJLYiteQS7DwgZn7dH0fs7qPPWmZ6inPv5GTmSJZNAjGLVIjd4SoiyTdGyophf0zPBxx6uEAOJxM0Woo4ZGeKVoUDHtZsqZNnhMF7aPh54VnKpIJXiZDbZZw4P06xTuw1UMeiTE7wdg7HWZMepAVTzEI2W04RbkPFQHfUgEDcslDxbr83BvopYTYGKFRmtNUMH8OsOZQrOtv50xWDaOfbqxbzfHMJm30QGaGpgylJHQZsscz3XBnwIdvlwBJ9KN4DVgFgziRdvwJrfCP6YN1CYTOQgw1rzqmIU4G1xGYv7rE3jiBY1s4D3Y26SbppTceAVMu1mKx5CFIE3EbtcAsNtEqLHDbPnMCvU6Apwp17TXGob8xXJpEDBZhIzdTaCuybcprwcFNTOzccjbIH81W39MrcJi9mNO3kHRe5fxmIFKvc9v8aQDihGyC65DtdabyBjidXI1NyNONT4PTyrxYqgffPsNDFuzz2yMrXiTAwtAQPqny5BBJQsfVhpLXTtnLvWg1 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (168) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5HSBCVBW.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\10887CBE30A9CC95557BE8BA75C22DFA	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ZMOGYOLV.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\4GERY54W.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\488B96E8949F53FFFD5CC8FC00A703E9	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\488B96E8949F53FFFD5CC8FC00A703E9	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\LHS56WS7.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\10887CBE30A9CC95557BE8BA75C22DFA	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\4GERY54W.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5JVMN8DQ.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5JVMN8DQ.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ZMOGYOLV.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\LHS56WS7.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\554DDTHD.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\554DDTHD.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5HSBCVBW.txt	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\59b738aa.BMP"	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "10"	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 4348589c81e90aba89984762d344c6e6522edc1f7df16c350c39c26302cf3976	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 3d4c9c7c29b1d75acce8539c077ab464f3fa165a4c820c69e1060c814605851d	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 5eb5362e18d9244d9343a98acc4a0f9b93bbb7f744136230615b48840a55f9a4	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\5e-6d-4b-d7-b9-1b	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b\WpadDecisionReason = "1"	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 3a571ac14caccff170f1f4a18cffaa12d6083b935bef52f8ae5e895c43ce98d2	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 066a5dbb2dfd8c836f91c2234bafb336a5d6b4ef9ed4c183d74e90a0efda866e	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\WpadDecisionTime = 70317a193096da01	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\59b738aa.BMP"	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 6a0a937472c3a26f1f535cfb94f4a58d98160a2d5e31045185909270c418fd2c	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 5d8f60cf0dcf6a6a5fbf482e103212d438cef3bc46399b9a6ca2c58d0d943ee7	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.59b738aa\ = "59b738aa"	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\59b738aa\DefaultIcon	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\59b738aa	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\59b738aa\DefaultIcon\ = "C:\\ProgramData\\59b738aa.ico"	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.59b738aa	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
2984	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
228	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	2732	vssvc.exe
Token: SeRestorePrivilege	2732	vssvc.exe
Token: SeAuditPrivilege	2732	vssvc.exe
Token: SeDebugPrivilege	228	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2000	2084	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	29
PID 2084 wrote to memory of 2000	2084	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	29
PID 2084 wrote to memory of 2000	2084	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	29
PID 2084 wrote to memory of 2000	2084	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	29
PID 2084 wrote to memory of 2000	2084	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	29
PID 2000 wrote to memory of 2984	2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	34
PID 2000 wrote to memory of 2984	2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	34
PID 2000 wrote to memory of 2984	2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	34
PID 2000 wrote to memory of 2984	2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	34
PID 2000 wrote to memory of 2996	2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	35
PID 2000 wrote to memory of 2996	2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	35
PID 2000 wrote to memory of 2996	2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	35
PID 2000 wrote to memory of 2996	2000	f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
"C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe"
1⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
"C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
  "C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe"
  2⤵
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
    C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe -work worker0 job0-2000
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe
    C:\Users\Admin\AppData\Local\Temp\f3f25af554bedfa4ee2824bb858280282bd87828d446048619dc49fe061741b4.exe -work worker1 job1-2000
    3⤵
    - Enumerates connected drives
    PID:2996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\README.59b738aa.TXT

Filesize
3KB

MD5
164aa420be8e0c2bcdef574355edaa32

SHA1
4336eaafedfc18a27cdf42bffad63b5a54ea8231

SHA256
b326d11dd90c2e4efb0a384981f71c2bd1a6faa0553d6389acb08945b699f73d

SHA512
fd1437bc4f45e3f4b5c3d0e7fca9383f45edceb5c8cb603d0b8ee98350a5f2468c2aabdb66f16bdee0bac49afefa4300a093a54ee43b1ff28a541ae612e34d9d

Download Submit
memory/228-258-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/228-259-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/228-260-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download