b47c02aacbc56df31a533706f45afa945600f1a7d2b3ed8831cef0581104c177

Analysis

max time kernel
93s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Size

145KB
MD5

dce3f6e158f2b52da18c994cd8a2ab3a
SHA1

55f3794996bfede256110c5b21b885727c865e4d
SHA256

b47c02aacbc56df31a533706f45afa945600f1a7d2b3ed8831cef0581104c177
SHA512

2b9484bc41ed41cc33e5cbf11451f4c7f9f2c49ff7066d3e9a1c1eadc69488ce53fcb52bde2aac190d1db38a023b3426724bfb11c440d2c94d84048e92a070af
SSDEEP

3072:PqJogYkcSNm9V7DqOyY4lX7u1f8CNixMKT:Pq2kc4m9tDtK

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (618) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EDDB.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	EDDB.tmp

Deletes itself 1 IoCs

Processes:

EDDB.tmp

pid	Process
4956	EDDB.tmp

Executes dropped EXE 1 IoCs

Processes:

EDDB.tmp

pid	Process
4956	EDDB.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3419463127-3903270268-2580331543-1000\desktop.ini	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPy1z71hjcse004g7p8iag0e0_.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPa80v7165hbwt2mwm0bud7n_jb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPfrew_v43wbs_962a77d7gu8nc.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

EDDB.tmp

pid	Process
4956	EDDB.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe

pid	Process
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

EDDB.tmp

pid	Process
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp
4956	EDDB.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeDebugPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: 36	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeImpersonatePrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeIncBasePriorityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeIncreaseQuotaPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: 33	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeManageVolumePrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeProfSingleProcessPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeRestorePrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSystemProfilePrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeTakeOwnershipPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeShutdownPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeDebugPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeBackupPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
Token: SeSecurityPrivilege	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

ONENOTE.EXE

pid	Process
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE
1908	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exeprintfilterpipelinesvc.exeEDDB.tmp

description	pid	Process	procid_target
PID 3116 wrote to memory of 312	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe	89
PID 3116 wrote to memory of 312	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe	89
PID 4160 wrote to memory of 1908	4160	printfilterpipelinesvc.exe	92
PID 4160 wrote to memory of 1908	4160	printfilterpipelinesvc.exe	92
PID 3116 wrote to memory of 4956	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe	93
PID 3116 wrote to memory of 4956	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe	93
PID 3116 wrote to memory of 4956	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe	93
PID 3116 wrote to memory of 4956	3116	2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe	93
PID 4956 wrote to memory of 4388	4956	EDDB.tmp	94
PID 4956 wrote to memory of 4388	4956	EDDB.tmp	94
PID 4956 wrote to memory of 4388	4956	EDDB.tmp	94

C:\Users\Admin\AppData\Local\Temp\2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_dce3f6e158f2b52da18c994cd8a2ab3a_darkside.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:312
- C:\ProgramData\EDDB.tmp
  "C:\ProgramData\EDDB.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EDDB.tmp >> NUL
    3⤵
    PID:4388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2220

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{765F4337-1F72-4F21-BBD4-1C5CCE951401}.xps" 133651288930560000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3419463127-3903270268-2580331543-1000\EEEEEEEEEEE

Filesize
129B

MD5
2a8a472b05b723374b69f44943b39306

SHA1
b72c0302829326199d337a545aaa0ea68f309f2e

SHA256
33a91227cfb24375d557d79e9dd20cdea8fd5f6f42af8790779c04bf41c5ceda

SHA512
d78df05a4fbd3e0e70f9a9df2911c8b1f10da79f3d8a56d98c2f31f5834562ec56e97b7fdb451cffc9fb018853b624d6b665a62d3fc9e5b389165bd90828e221

Download Submit
C:\FpDmOeve6.README.txt

Filesize
316B

MD5
322033fa18cc95985b0bfb902f484547

SHA1
52f8695eb0f765e0a6671fe7bf41a66982850503

SHA256
7198c97be4303b5bc56e5f84082f9b56a990558e82915c5aec585f78d3f63631

SHA512
2038a0eeb55719bb329d7c64213670eed3b9b837ca79dee95b3c6d764e0bd1d3d9d06217f5edbd4b33b1e8797e7020c8e0d1115b0c85e3117fb81ffb293da15e

Download Submit
C:\ProgramData\EDDB.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
145KB

MD5
e50fba3303ad9c371b3a93f117ebaf93

SHA1
b350170525653a167eb3bd2902020ee04a4ba50c

SHA256
0f5ef651cbdd29bedb30ff85b05f4fb52b4e6cd719f516d9c3a396e4c3f0854a

SHA512
a037d8ca76aed60bcb695644b1a9deebfd471bb75e3fa41487a5bb973a73ad782f5f97c0abca0e0875396500e1cc3ad46e66b3e1340239ca4aeb6f13fc68a346

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
7d63a4ce97acaaee6cf421a256f66f0c

SHA1
1c2fa248c1bd7a48ff64997ca74436e561c10633

SHA256
4537671fba24db462c1a3e754317b4700dd09f6634051fdd6b8b7317e3869d0c

SHA512
10da0b20ace8cdbaa1b50a4026ec1e66afba6353c00dd4b57a61262017e9a1e82c907e39fe31c43721acb1902f1c31d4ab216f786b0c543d61af652c742408bd

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
f4a41a0ddd2196401d8344365c7c76d6

SHA1
6b740f8015e5edafe984d31252351c38d4ce2368

SHA256
9655a052cd52986810294eeb467af5d767c2a777e7f96f4802075f66d1a1acf4

SHA512
0d557c45df25b56665468233725c63b7569accbfbfc39229d820fcb09959a83e3595550d6230f82101309e897a9cee924949b138c32068e504a89f6e2aa6e3c1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3419463127-3903270268-2580331543-1000\DDDDDDDDDDD

Filesize
129B

MD5
bbe62536110da06bba4fc6a3c7922360

SHA1
9f51d68c190c4419a57674b831b47daa0f57b3d0

SHA256
889941db797f7411d02584ab2e61de2f292d77d69023ec659d35a45539cf64e8

SHA512
f3ba062f1f018ee1a8b193fe548aa0a020d513e4ed4732c394837b0dbe7ca6cec235d26fa83bcc872e4cd8a40e4bd4a9624dbd9b226438d472f312c826c422f8

Download Submit
memory/1908-2948-0x00007FF8CDD10000-0x00007FF8CDD20000-memory.dmp

Filesize
64KB

Download
memory/1908-2947-0x00007FF8CDD10000-0x00007FF8CDD20000-memory.dmp

Filesize
64KB

Download
memory/1908-2949-0x00007FF8CDD10000-0x00007FF8CDD20000-memory.dmp

Filesize
64KB

Download
memory/1908-2946-0x00007FF8CDD10000-0x00007FF8CDD20000-memory.dmp

Filesize
64KB

Download
memory/1908-2978-0x00007FF8CBBB0000-0x00007FF8CBBC0000-memory.dmp

Filesize
64KB

Download
memory/1908-2979-0x00007FF8CBBB0000-0x00007FF8CBBC0000-memory.dmp

Filesize
64KB

Download
memory/1908-2945-0x00007FF8CDD10000-0x00007FF8CDD20000-memory.dmp

Filesize
64KB

Download
memory/3116-0-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/3116-2-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/3116-1-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download