b6c7085f5da7f87147f36513dec7aff1b16583f2a45e388984bf36906e690eda

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Size

145KB
MD5

066efab4006f6d7a54704deeb7ec7a2f
SHA1

3d2a9c4a79a803389e84e781325ae3bd1593553e
SHA256

b6c7085f5da7f87147f36513dec7aff1b16583f2a45e388984bf36906e690eda
SHA512

79acd818d804210c83356121ab27e8e29f1aa7fda7d0e210bf8bbe19aceb275c29721933c5801757cc6d11639698fe40c904fbf7994a9f2b60d5ba6dabb50373
SSDEEP

1536:izICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDIYRVAZGB/mEpVQVEl5+mVsXLib:hqJogYkcSNm9V7D3RVAZ8pV2YdVtNlT

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4487.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	4487.tmp

Deletes itself 1 IoCs

Processes:

4487.tmp

pid	Process
264	4487.tmp

Executes dropped EXE 1 IoCs

Processes:

4487.tmp

pid	Process
264	4487.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe

Drops file in System32 directory 4 IoCs

Processes:

printfilterpipelinesvc.exesplwow64.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPpc0s1yx6x3gpt025dp9z0zxic.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPimsg38g1fg9z0ts046f7uxt9d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP60hj6tfx_ij7307fymz8m_gd.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

4487.tmp

pid	Process
264	4487.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe

pid	Process
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

4487.tmp

pid	Process
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp
264	4487.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeDebugPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: 36	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeImpersonatePrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeIncBasePriorityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeIncreaseQuotaPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: 33	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeManageVolumePrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeProfSingleProcessPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeRestorePrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSystemProfilePrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeTakeOwnershipPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeShutdownPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeDebugPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeBackupPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
Token: SeSecurityPrivilege	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE
4992	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exeprintfilterpipelinesvc.exe4487.tmp

description	pid	Process	procid_target
PID 100 wrote to memory of 2232	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe	88
PID 100 wrote to memory of 2232	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe	88
PID 2888 wrote to memory of 4992	2888	printfilterpipelinesvc.exe	92
PID 2888 wrote to memory of 4992	2888	printfilterpipelinesvc.exe	92
PID 100 wrote to memory of 264	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe	93
PID 100 wrote to memory of 264	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe	93
PID 100 wrote to memory of 264	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe	93
PID 100 wrote to memory of 264	100	2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe	93
PID 264 wrote to memory of 664	264	4487.tmp	94
PID 264 wrote to memory of 664	264	4487.tmp	94
PID 264 wrote to memory of 664	264	4487.tmp	94

C:\Users\Admin\AppData\Local\Temp\2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_066efab4006f6d7a54704deeb7ec7a2f_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:2232
- C:\ProgramData\4487.tmp
  "C:\ProgramData\4487.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4487.tmp >> NUL
    3⤵
    PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4864

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{03F7E18F-B2DC-42F6-BF03-8617511114AD}.xps" 133651285067120000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-464762018-485119342-1613148473-1000\BBBBBBBBBBB

Filesize
129B

MD5
5e1e23bed202b5cd182f4de010a44ad1

SHA1
4a3809a8895f266d2c99eb2c570b003160b40ee6

SHA256
f8b5bec82ce84f24ab1027076ad6f8782ee1c8c17e5110772d342b1115e2d9c7

SHA512
0a726b000428b77a68f7f62b16802f6ab35b860fc54c09a328cbf21924cc23d1a1f0ed972b2bd783562ce9e1a879c90d59a64b328246188760a6ef46bf802cc3

Download Submit
C:\G1Lm3pdHE.README.txt

Filesize
316B

MD5
badb5c04255506ef313a16e33c04fca6

SHA1
e13fc2a48b144ebccc31654ce7cc31df93238d5c

SHA256
8dbc22187d54f0b8faa07d0ae45c6bfc49fe4d47e40717fae7f253d06fddc059

SHA512
c3d4e7411948625dd1236db390ae74e5719bf03f7818f0949761e09d66124aad3252823966d87e72a30cbb6bc38b059d65fa044ed7fcbbf186fb074d4f67aeac

Download Submit
C:\ProgramData\4487.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
145KB

MD5
3aaf76473f326d5bca9f37ef2ea03cf9

SHA1
0c831429b95d6e1019eb0073718e1c023f539b32

SHA256
cd13824f4390494c0da32290852625df2f29d35452a2c1aea0e5af690dc741da

SHA512
dd10f5052f4d92a72591ca204b23cad670590cd21646f767b4ba42579dc20aa1e6347986ac8c60802ab92356e3ec84b1ea4dc60cd57d70af4b9ce36916a1e19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D0E5CCA0-4DF2-4F55-9E19-A8C6EB15975D}

Filesize
4KB

MD5
53c0e48d1e0e2e31d15e2641a8431d7b

SHA1
31650b824485f7224c253772b4707a526968f7f0

SHA256
7d080945c84ea175ded583584af23a7035fd2c0557a8f236e2ac1eff3f3ec2cd

SHA512
b43e1f81d97e3902a04255a3195db2522e6a918d1a4009b509b0be6821724f29f4920e5f4eccfac412a5a635c0bd1b5b3032001e76c24a8cdf826b914a1e4b04

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
dfd9e6d298fb54dcb45a9b62fc595d32

SHA1
7416c263a741f1e2b55802bf3adc6acbcd67b980

SHA256
e251739c37e66700218d9d284e65ae713217c65103fa642c8e24e1686c835305

SHA512
fa44783373eb9a5b38b8bcfbcf23585cbc6b998f5b0f7834e690799cde39f6b3d993ce68cc86b9a44f2548ed05c09c9035c8382765283e8b0bd0d620269e4155

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-464762018-485119342-1613148473-1000\DDDDDDDDDDD

Filesize
129B

MD5
18bd05f74cf5808e9b1a76903c65dffa

SHA1
168da65af710cfc59f0c6bf3635d6570e63b6614

SHA256
eb03c83ca422f7cf4669284ea1111c48849f26bada0116f796d69665894b4cb4

SHA512
1bfc158dc73883eb1de0e1e2c70a7b3bc5082435b0aaccb6fd9e7cf2cf6d1f1594a284210ae3b696fc17e6fbe58f506c7ab47ca74dfb8734a15ca18fdeb584ca

Download Submit
memory/100-2811-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/100-2809-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/100-2810-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/100-1-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/100-0-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/100-2-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/4992-2829-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download
memory/4992-2830-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download
memory/4992-2826-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download
memory/4992-2859-0x00007FFB87430000-0x00007FFB87440000-memory.dmp

Filesize
64KB

Download
memory/4992-2860-0x00007FFB87430000-0x00007FFB87440000-memory.dmp

Filesize
64KB

Download
memory/4992-2828-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download
memory/4992-2827-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp

Filesize
64KB

Download