Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted
27-06-2024 12:44
Behavioral task
behavioral1
Sample
2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe
Resource
win10v2004-20240611-en
General
-
Target
2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe
-
Size
152KB
-
MD5
9d321df9405cb926068b683c6523ea33
-
SHA1
d97e101eb8cad867de03bce0034a8a3792924360
-
SHA256
12474618f58fb808fe514e68e7e686185a9d512e469463f331bcde823e997596
-
SHA512
ac45f36a2f2107ebae5974bad12eacb5d4a65ed0d116d1a8d677a1d305e76d5bfebf4af006c75b2186eeb000c91201c04877a536b01215307a3be3ac2af110b7
-
SSDEEP
3072:j6glyuxE4GsUPnliByocWepwiFD78XS9hkEfYL:j6gDBGpvEByocWeyi6XS9hX
Malware Config
Extracted from C:\FSx0EaYuE.README.txt (the ransom note; the URLs below are those found in the note):
https://radar.ltd/contact-us
http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion/contact-us
https://cybertube.video
https://cybernewsint.com
https://notebin.de/?c75427561d17979e#33HX7GzVDGy35o1CuEv8qokJNibnANUbe2CAM9CLjc9L
https://socradar.io/dark-web-profile-dispossessor-ransomware/
https://x.com/ransomfeednews/status/1793647035888840759
https://alvac.es
https://vimeo.com/752214614
https://hacknotice.com/2022/10/01/alvac-sa/
https://twitter.com/elhackernet/status/1576678217603502080
https://twitter.com/search?q=alvacvimeo&src=typed_query&f=live
https://t.me/elconfidencial
https://t.me/baseleak
https://github.com/fastfire/deepdarkCTI/blob/main/telegram.md
Signatures
-
Renames multiple (634) files with added filename extension
Consistent with ransomware: the sample encrypts the files it can reach and appends its own extension (.FSx0EaYuE here, matching the registry class and the ransom note name in this report). The count is the number of renames observed in this run, not every file on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Queries the country code configured in the registry, a typical geofence check used to avoid running on hosts in excluded locales. Note that the query is made by the dropped helper 13F1.tmp, not by the main sample.
- Key value queried: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation (process: 13F1.tmp)
Deletes itself 1 IoCs
- pid 4252, process 13F1.tmp (via its cmd.exe child running "/C DEL /F /Q C:\PROGRA~3\13F1.tmp", see Processes)
Executes dropped EXE 1 IoCs
- pid 4252, process 13F1.tmp (written to C:\ProgramData and started by the sample, PID 4952)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature in this run.
-
Drops desktop.ini file(s) 2 IoCs
The F:\ entry shows the sample walks attached non-system volumes as well as C:\.
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-3665033694-1447845302-680750983-1000\desktop.ini (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
- File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3665033694-1447845302-680750983-1000\desktop.ini (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
Drops file in System32 directory 4 IoCs
These are print-spool files written by the print pipeline rather than by the sample itself: the sample starts splwow64.exe (PID 1892, see Processes), and printfilterpipelinesvc.exe then starts ONENOTE.EXE with /insertdoc on an .xps file, consistent with the sample sending a print job.
- File created: C:\Windows\system32\spool\PRINTERS\PPd7qctsc2ljdc0stqoga01msc.TMP (process: printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PPskkkr4_lou1_09mtmhch155oc.TMP (process: printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\PPab1_zt667drnqg1m2_n2y0tkb.TMP (process: printfilterpipelinesvc.exe)
- File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (process: splwow64.exe)
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\FSx0EaYuE.bmp" (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\FSx0EaYuE.bmp" (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Setting ThreadHideFromDebugger makes the calling thread invisible to an attached debugger (no debug events are delivered for it). Both the sample and the dropped helper use this anti-analysis measure.
- pid 4952, process 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe (4 entries)
- pid 4252, process 13F1.tmp (1 entry)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read to detect sandbox environments. In this run, however, all three queries come from ONENOTE.EXE (started by the print pipeline, see Processes), not from the sample, so they should not be attributed to the sample.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: ONENOTE.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
As above, every query here is made by ONENOTE.EXE rather than by the sample.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: ONENOTE.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: ONENOTE.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: ONENOTE.EXE)
Modifies Control Panel 2 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\WallpaperStyle = "10" (10 = Fill) (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
Modifies registry class 5 IoCs
The sample registers its appended extension as a file type whose icon it drops to C:\ProgramData, so encrypted files show the ransomware's icon in Explorer. Writing under HKLM\SOFTWARE\Classes requires administrative rights.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.FSx0EaYuE (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.FSx0EaYuE\ = "FSx0EaYuE" (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\FSx0EaYuE\DefaultIcon (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\FSx0EaYuE (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\FSx0EaYuE\DefaultIcon\ = "C:\\ProgramData\\FSx0EaYuE.ico" (process: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
All 64 entries: pid 4952, process 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe.
Suspicious behavior: RenamesItself 26 IoCs
All 26 entries: pid 4252, process 13F1.tmp.
Suspicious use of AdjustPrivilegeToken 64 IoCs
All 64 entries are for pid 4952, process 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe. Privileges enabled, in order of first appearance: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege. The remaining entries are one further SeDebugPrivilege enable followed by alternating pairs of SeBackupPrivilege and SeSecurityPrivilege enables. The values 36 and 33 are privilege LUIDs the sandbox did not resolve to a name. SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege let a process read, write and take ownership of files regardless of their ACLs, which is what a file encryptor needs to reach every file.
Suspicious use of SetWindowsHookEx 13 IoCs
All 13 entries: pid 3312, process ONENOTE.EXE (a legitimate Office process started by the print pipeline, see Processes; not sample behaviour).
Suspicious use of WriteProcessMemory 11 IoCs
Writes by a parent into a child it has just created are part of normal process start-up, so on their own these entries do not indicate code injection.
- PID 4952 wrote to memory of 1892: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe -> splwow64.exe (procid_target 101, 2 entries)
- PID 1692 wrote to memory of 3312: printfilterpipelinesvc.exe -> ONENOTE.EXE (procid_target 106, 2 entries)
- PID 4952 wrote to memory of 4252: 2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe -> 13F1.tmp (procid_target 107, 4 entries)
- PID 4252 wrote to memory of 692: 13F1.tmp -> cmd.exe (procid_target 108, 3 entries)
Processes
-
- C:\Users\Admin\AppData\Local\Temp\2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe (PID 4952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe"
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 1892, child of 4952)
    Command line: C:\Windows\splwow64.exe 12288
    - Drops file in System32 directory
  - C:\ProgramData\13F1.tmp (PID 4252, child of 4952)
    Command line: "C:\ProgramData\13F1.tmp"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 692, child of 4252)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\13F1.tmp >> NUL
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 828)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
- C:\Windows\system32\svchost.exe (PID 3068)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 1692)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 3312, child of 1692)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{418AEC69-0A3A-4907-AE55-2D2F93157B80}.xps" 133639658674520000
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
-
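The behaviours this report exposes (mass rename with an appended extension, a .FSx0EaYuE file class whose icon lives under C:\ProgramData, the wallpaper swap, the Geo\Nation geofence probe by the dropped helper, and the helper's self-delete through cmd.exe) are each visible in ordinary endpoint telemetry. The following detection logic is an added example, not part of the sandbox report or of the sample. It runs over a small set of constructed Sysmon-style events modelled on the IoCs in this report: the event layout, the RENAME_THRESHOLD value, the USER_WRITABLE directory list and the benign control events are assumptions to tune for your own environment.

```python
"""Detection rules for the behaviours in the report above (added example, not the
report's or the sample's code). Events are constructed, Sysmon-style records; the
field layout, RENAME_THRESHOLD and USER_WRITABLE are assumptions to tune locally."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # file_rename | registry_set | registry_query | process_create
    pid: int
    image: str         # full path of the acting process
    target: str = ""   # rename source path, or registry key/value path
    value: str = ""    # rename destination, registry data, or command line
    ppid: int = 0      # parent pid (process_create only)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


RENAME_THRESHOLD = 50   # the report saw 634 renames; hunting should fire far earlier
USER_WRITABLE = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
SELF_DELETE_RE = re.compile(r"/c\s+del\s+(?:/[a-z]\s+)*(\S+)", re.IGNORECASE)


def appended_extension(src, dst):
    """'a.docx' -> 'a.docx.FSx0EaYuE' yields 'FSx0EaYuE'; any other rename yields None."""
    if dst.lower().startswith(src.lower() + "."):
        ext = dst[len(src) + 1:]
        if ext and "." not in ext and "\\" not in ext:
            return ext
    return None


def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def basename(path):
    # Also handles 8.3 short names (C:\PROGRA~3\13F1.tmp -> 13f1.tmp)
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def detect(events):
    findings = []
    image_by_pid = {}
    for e in events:
        image_by_pid.setdefault(e.pid, e.image)
    renames = defaultdict(Counter)          # pid -> Counter of appended extensions
    for e in events:
        t = e.target.lower()
        if e.kind == "file_rename":
            ext = appended_extension(e.target, e.value)
            if ext:
                renames[e.pid][ext.lower()] += 1
        elif e.kind == "registry_set":
            # HKLM\SOFTWARE\Classes\<ext>\DefaultIcon pointing into ProgramData/Temp
            if "\\software\\classes\\" in t and "\\defaulticon" in t and in_user_writable(e.value):
                findings.append(Finding("extension_handler_icon_in_user_writable_dir", e.pid, e.value))
            # Control Panel\Desktop\Wallpaper pointing into ProgramData/Temp
            if t.endswith("\\control panel\\desktop\\wallpaper") and in_user_writable(e.value):
                findings.append(Finding("wallpaper_set_from_user_writable_dir", e.pid, e.value))
        elif e.kind == "registry_query":
            # Geo\Nation read by a binary that itself runs from ProgramData/Temp
            if t.endswith("\\control panel\\international\\geo\\nation") and in_user_writable(e.image):
                findings.append(Finding("geofence_probe_from_user_writable_image", e.pid, e.image))
        elif e.kind == "process_create" and basename(e.image) == "cmd.exe":
            # "cmd /C DEL ... <path>" where <path> is the parent's own image
            m = SELF_DELETE_RE.search(e.value)
            parent = image_by_pid.get(e.ppid, "")
            if m and parent and basename(m.group(1)) == basename(parent):
                findings.append(Finding("self_delete_via_cmd", e.ppid, m.group(1)))
    for pid, ctr in renames.items():
        ext, n = ctr.most_common(1)[0]
        if n >= RENAME_THRESHOLD:
            findings.append(Finding("mass_rename_with_appended_extension", pid, f"{n} files -> .{ext}"))
    return findings


def rule_pids(findings):
    return {(f.rule, f.pid) for f in findings}


# Constructed telemetry modelled on the report's IoCs: pids and paths as reported,
# the renamed document names and the benign control events are made up.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-27_9d321df9405cb926068b683c6523ea33_darkside.exe"
HELPER = r"C:\ProgramData\13F1.tmp"
HKU = r"\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000"
EXPLORER = r"C:\Windows\explorer.exe"


def build_sample_events():
    ev = [Event("file_rename", 4952, SAMPLE, rf"C:\Users\Admin\Documents\report{i}.docx",
                rf"C:\Users\Admin\Documents\report{i}.docx.FSx0EaYuE") for i in range(60)]
    ev += [
        Event("registry_set", 4952, SAMPLE,
              "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\FSx0EaYuE\\DefaultIcon\\", r"C:\ProgramData\FSx0EaYuE.ico"),
        Event("registry_set", 4952, SAMPLE, HKU + r"\Control Panel\Desktop\WallPaper", r"C:\ProgramData\FSx0EaYuE.bmp"),
        Event("registry_query", 4252, HELPER, HKU + r"\Control Panel\International\Geo\Nation"),
        Event("process_create", 692, r"C:\Windows\SysWOW64\cmd.exe",
              value=r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\13F1.tmp >> NUL', ppid=4252),
        # benign controls (must not fire): plain rename, stock wallpaper, Geo\Nation read by explorer.exe
        Event("file_rename", 1200, EXPLORER, r"C:\Users\Admin\Desktop\a.txt", r"C:\Users\Admin\Desktop\b.txt"),
        Event("registry_set", 1200, EXPLORER, HKU + r"\Control Panel\Desktop\Wallpaper",
              r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"),
        Event("registry_query", 1200, EXPLORER, HKU + r"\Control Panel\International\Geo\Nation"),
    ]
    return ev


if __name__ == "__main__":
    for f in detect(build_sample_events()):
        print(f"{f.rule:45} pid={f.pid:<5} {f.detail}")
```

Each rule keys on a property the report makes visible (an extension appended rather than replaced, an icon or wallpaper path under a user-writable directory, a locale probe from a binary that itself lives in such a directory, a cmd.exe whose DEL target is its parent's own image) rather than on the literal .FSx0EaYuE string, so the same logic still fires on a rebuild of the sample with a different extension or drop name. The self-delete rule needs the parent's image path, which is why image_by_pid is built before the rules run.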
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 129B
MD5 03ae121466052cdc49aed8dd45022bd9
SHA1 0fd1993cc485235f335790245f757248fd4cefa7
SHA256 a2448f7b39e61bd13022198281e469cb47842a5d9f5f0771aafec4d5f91c7295
SHA512 f6149a473c207af9be1efc7c6da3f4c62f69448af28e9fb9ce4885a2fe74f85ce175084f9e33f04e5ae6e533ea7d370fe035b4dad741831963bdd4753a2f351f
-
Filesize 4KB
MD5 9faf9305f1f805ffc7b881321e63a996
SHA1 a40c68bda510f370c5b716306235f336f59808af
SHA256 8262859a0894da8540a8f9716ef6463b3d1834b987dbc8aa51e78c7a0ec2620d
SHA512 4e61edea890eb69db9de1024b295228f331428fb6893746e0a3b85f455877534d501ce171b0043288d23896639d28d607ca3b0fb2ea2a0185247b63d4d438173
-
Filesize 14KB
MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize 152KB
MD5 7a855378cac0bc39d8fa4c9c1f966c8d
SHA1 a5c405c46eb7dd28bba414876c9c8dd2e67ac0b8
SHA256 544426e37820590d90897f0a74e960d7b352efe1414fa768519437fb3d8daf24
SHA512 1bc6063202dd9cc838ffe8e8b6f68a41d4289bccce1d1f95d84e57a5bae8903f403582b85badac56e607f9d24d40264c9ca67c4e3dccc7d20542871b5e1ee576
-
Filesize 4KB
MD5 169c7216610e784757b608f61576914f
SHA1 becba3d9439801a637733f32ea2fbc21c0ed61c6
SHA256 722fb1836c46dd06a912c0d6764a397c5bf0e56f6f12dbd411575355ab894c46
SHA512 65531654e40c50317492f0d729525a11445fb5e8f07eb03d580e0d701cbe161faaad58c93eff18f6411a46cb7bc7bcb17b9fc0d280aec28dccee667347c308b2
-
Filesize 4KB
MD5 f1098952dd75020b4f222f377caf5657
SHA1 a884ea5966ece9dc562b27c0d4832d75cabeb0a7
SHA256 d3dd22bd47e31c4f054d891dfe6c8b6762c3ded915e117de4f3609fb6aacb4fc
SHA512 7d34c88cc5c14f5c875b783b00e58eb5b2db50bbaf33c24977b5f4445b6b1d7a45a6a10a62032562339d5c95fea77ffb97db66ccb20562206b32970385558ba2
-
Filesize 129B
MD5 b6a6f07dddff217b58bc575b63f188d0
SHA1 d455fba565ba479489b573c23cd4e0a411ad7a67
SHA256 f03e5d5aece6a2d061ed79f8d576e23461016f78513f4928affcaa08df939130
SHA512 890741e78f5b53da2037d309e2c506b83d1e67f52277c984bbaab2f4b0e470d1bb2215c9026bf81dd910ccf17ca41da9c48d26f16c1fb9a7931d0c33b201a01c