59df766d70769ab099af2c4baddef908b86df1052251f0e1dfb62ac7d1eea91a

Analysis

max time kernel
95s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Size

145KB
MD5

96e3e3d9ebe4d58cd95eb228435fb963
SHA1

abdc64e951191b76aca54288c7f8fa73815e3595
SHA256

59df766d70769ab099af2c4baddef908b86df1052251f0e1dfb62ac7d1eea91a
SHA512

b6c1e815b54bafd5f23b3141e7fadfe6577f2b860afe9116a26cae9a125ec4367a30aac82680241c672a824e53b4b8afdae361d14360dbed1bef71cecfae592f
SSDEEP

3072:+qJogYkcSNm9V7Dt1IGupuEE5MuJHkyT:+q2kc4m9tD4Gua5k

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (610) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F231.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	F231.tmp

Deletes itself 1 IoCs

Processes:

F231.tmp

pid	Process
6184	F231.tmp

Executes dropped EXE 1 IoCs

Processes:

F231.tmp

pid	Process
6184	F231.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP0p5x7gr1vvlk0i8c90q8qe2e.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPfc603x9wqhu2d81l2gh5ich0d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPgtdsr23daieexl9aov_mtbtde.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

F231.tmp

pid	Process
6184	F231.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe

pid	Process
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

F231.tmp

pid	Process
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp
6184	F231.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeDebugPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: 36	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeImpersonatePrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeIncBasePriorityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeIncreaseQuotaPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: 33	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeManageVolumePrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeProfSingleProcessPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeRestorePrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSystemProfilePrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeTakeOwnershipPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeShutdownPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeDebugPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeBackupPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
Token: SeSecurityPrivilege	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE
6168	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exeprintfilterpipelinesvc.exeF231.tmp

description	pid	Process	procid_target
PID 4012 wrote to memory of 3680	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe	89
PID 4012 wrote to memory of 3680	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe	89
PID 1872 wrote to memory of 6168	1872	printfilterpipelinesvc.exe	92
PID 1872 wrote to memory of 6168	1872	printfilterpipelinesvc.exe	92
PID 4012 wrote to memory of 6184	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe	93
PID 4012 wrote to memory of 6184	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe	93
PID 4012 wrote to memory of 6184	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe	93
PID 4012 wrote to memory of 6184	4012	2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe	93
PID 6184 wrote to memory of 6508	6184	F231.tmp	94
PID 6184 wrote to memory of 6508	6184	F231.tmp	94
PID 6184 wrote to memory of 6508	6184	F231.tmp	94

C:\Users\Admin\AppData\Local\Temp\2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_96e3e3d9ebe4d58cd95eb228435fb963_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:3680
- C:\ProgramData\F231.tmp
  "C:\ProgramData\F231.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:6184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F231.tmp >> NUL
    3⤵
    PID:6508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3576

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5B22E047-AD48-4D6D-A185-5C4C69C17BD7}.xps" 133651287648540000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:6168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\HHHHHHHHHHH

Filesize
129B

MD5
8a958495e51656d7c4fc71fd3442a9bd

SHA1
4f82e5494124ccc96c498cc55e07b2113662a5a4

SHA256
d06e96f254d7028143218875339bbd180658e66e66880eb2774d8cc2df4bac7a

SHA512
60096a2505cf7651de06e54d82748660fe60ac4d9eaf2d5c30ea4a49839e0c0ea200a916ca175b1eb80656d4ff258b193156d832aeab2e12138ce0bc4dacbe30

Download Submit
C:\ProgramData\F231.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Teq3MqmIA.README.txt

Filesize
316B

MD5
5dbcada2b420d03e685e998741f6a33a

SHA1
61fdaabe3547a8f3951dca743d32b6194ca91cc7

SHA256
bd6535da63c759b3260345ebd4166b68f4f6a595736b9b71a505e2c251da49d9

SHA512
5358c55e0271b12684020635f43414e5c6a8d2ca5692e41f365ed9a51fbc1afe1700340121fa1a347d3ee2f1350d354d8d6fb9fda632e0d8723a7387d067798f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
145KB

MD5
8f0bd1915f7900f89210d6ba865c6a7e

SHA1
ef7f71d3e0afb66624a86635f49e54a4110cc871

SHA256
b86f567c0e56c51fe83a6cfbec3c2a864f8e2889876488d3c2e4c1d99a60d9d6

SHA512
60dc4c397b65d3ad58b89b9acf3c63179e626556d846171f2f26a682d29f518fcbd78e53d673e5e1eb42d7b577e4e8e90c4db6325fe50dae11e2941b46b7efbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6F935382-3ADA-4393-AEA6-1246EFE24B51}

Filesize
4KB

MD5
4986727194113bd7fc953931de54b5e0

SHA1
6988a76244dd28a4bb71a7e412691d0b4bab12b2

SHA256
b6a1375686741c5c0263ca3881831f39e6638b13e6a83ddc4cc804a8e131e6b6

SHA512
0fb28270ea5d7a4dc5e9039dd815b796af69875d5ffea989dec0ff84bb56ad7a46964aef4d0e53d454e471cde4fa81274ffabc150cb5b99e166dfdce32d9ee0c

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
b38cee607087ee83c3ab823d81e76bb0

SHA1
2264fac097908c74b779116aff7ec1fddaec3688

SHA256
18917141c52c607631a2605fd5e64f7a3480d3fb72cfaf1cc0ad22877d203b41

SHA512
32b70591ca77edb73b3c1c878029cc7f84cf0361a5def5794f36a69721174f074ff08709edb25caec72863217ab521724fb527a083b10dd24a67a5b13361c23b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3419463127-3903270268-2580331543-1000\DDDDDDDDDDD

Filesize
129B

MD5
42bd40aa48d56e1e4da0ec43aab564db

SHA1
7737de4d479193ff54ffa6f9e234ab82195b7ca8

SHA256
49d4a2b8d42cf0454855b4b304c5f43c852f6a7b81918a07c8903c66ad57710d

SHA512
e5c0fa006daf8d926d7ddcddab2c458c18f93d68914726247f3c7e2015b5bab0729fc7e4643fe7ff3ac4b17f4dfe6d6ecc777b19655659f187407405fb5da4b3

Download Submit
memory/4012-1-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/4012-2-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/4012-0-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download
memory/6168-2966-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

Filesize
64KB

Download
memory/6168-2967-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

Filesize
64KB

Download
memory/6168-2965-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

Filesize
64KB

Download
memory/6168-2996-0x00007FFBCE060000-0x00007FFBCE070000-memory.dmp

Filesize
64KB

Download
memory/6168-2997-0x00007FFBCE060000-0x00007FFBCE070000-memory.dmp

Filesize
64KB

Download
memory/6168-2964-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

Filesize
64KB

Download
memory/6168-2963-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

Filesize
64KB

Download