Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-11-2024 05:33
Behavioral task
behavioral1
Sample
2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe
-
Size
146KB
-
MD5
6cdf506a22b9a634f7bb4f2b54ca61ca
-
SHA1
7afa7025753afe2c4aa336738f288e0266b316e7
-
SHA256
276c679a4547823b575845ea787a284a6fb1cf0e158c7453818e4d78e00480b4
-
SHA512
92b4a395aabb923589ab4edb3f17157bc4e9d6103af938f1272328018993b3e66e38be7067d492f7fbdf736cd042be22e0a85ee7ea69bbd502af846c2ee4e561
-
SSDEEP
3072:M6glyuxE4GsUPnliByocWepcm3db+CVm64OOpW:M6gDBGpvEByocWejNRVmlOEW
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 914.tmp -
Deletes itself 1 IoCs
pid Process 3472 914.tmp -
Executes dropped EXE 1 IoCs
pid Process 3472 914.tmp -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\spool\PRINTERS\PP3z5pg5c0oq097ir0m6hzm0ikb.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPzt_30gm7ik30rvgv3n151o4p.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP8_ef8dyn5xz1gkgpvs6gdcq1.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 3472 914.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 914.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe -
Suspicious behavior: RenamesItself 26 IoCs
pid Process 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp 3472 914.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeDebugPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: 36 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeImpersonatePrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeIncBasePriorityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeIncreaseQuotaPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: 33 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeManageVolumePrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeProfSingleProcessPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeRestorePrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSystemProfilePrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeTakeOwnershipPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeShutdownPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeDebugPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeBackupPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe Token: SeSecurityPrivilege 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE 3652 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 624 wrote to memory of 2608 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 94 PID 624 wrote to memory of 2608 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 94 PID 624 wrote to memory of 3472 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 99 PID 624 wrote to memory of 3472 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 99 PID 624 wrote to memory of 3472 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 99 PID 624 wrote to memory of 3472 624 2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe 99 PID 1092 wrote to memory of 3652 1092 printfilterpipelinesvc.exe 100 PID 1092 wrote to memory of 3652 1092 printfilterpipelinesvc.exe 100 PID 3472 wrote to memory of 4604 3472 914.tmp 101 PID 3472 wrote to memory of 4604 3472 914.tmp 101 PID 3472 wrote to memory of 4604 3472 914.tmp 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-03_6cdf506a22b9a634f7bb4f2b54ca61ca_darkside.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:2608
-
-
C:\ProgramData\914.tmp"C:\ProgramData\914.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\914.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:4604
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:2000
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5EBF7978-7394-4438-9DA4-91DC99B8D633}.xps" 1337508562108400002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3652
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5cb85f0dbf96533a586f0f194e5612572
SHA18e648ac64919b82018d214c174f0bb6b06f8a606
SHA2564a2d75990c3670df8a67ec41d1876461daaace658a91a5d8f7a313f12796a1ec
SHA512c94282a67d4be6ec664eec6d074a93de6bda02aabf2c0451ba9bcb8eca395c48ec5f09164c3714144966838b15a14b37c9ba5caaff1298276a879f67e4d72e4c
-
Filesize
729B
MD5f0c77cdfe756a350f568b0157dccaf1c
SHA1a4dc7379f8999897cdc4773018f9d6d573131b32
SHA2566677c68827becd4ed1bfcd38adccb6748126dc02a81aa5f85dc560686739d105
SHA5125a105d5c7723dc87396f1329d8a9e63a5ca85cd03011e3cb876fb6f97b542fbd844518974183cf0db44291df169fe92ac1dab85682802dba39a1ea83600d07dd
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
146KB
MD5715bd6bb74e2e7b76b47928191076c09
SHA1745fcc307b109d1ab81e1cbc5b7c2e34d5ce8294
SHA2565fce19b106fb3f40f35543dc6621c561d83f56c098ec24c4ef22fcdfa3bd6c5b
SHA512d3b08ee7445aac3ef6a2f43b783edcc7d3510cbf187e9255507edc7177b1e8a852e0dc0d1fc6997737afccecd693e3ac2d13b80e91bb667c9b6990d7fa648082
-
Filesize
4KB
MD5218dd739d305b89d1b4364d9d5016077
SHA1d129590cb4a045957a4e5f3603807acd9ccb2430
SHA25665330a6a81e73d31f5a66272edca74e55185a6c8a214a2fa1fcd663d38b814fc
SHA512e1a082818b06c9ac007ad5612c8b32a89be8eba4bd2bd1a7e96572448dfb422cd698a9042b8cde3d3b6440cc2bac6fca19bbccbe0b974c7520a23a5108852478
-
Filesize
4KB
MD5e85a4ae635ed37ae733b295edb3dad70
SHA133fd1df76d804336e8c005d78b3e7086f999007f
SHA256740dc8c14875801bc8710a2b25ed290358177a1433422300f9194804f872bc6a
SHA5125571fdf82e44f48894430c8011b13c3a7efeeabbb6e9c815253f991f8b6c1001f31d370be41037eede0ded88e615443931753258764c9bd3e900c1f40f5e5230
-
Filesize
129B
MD532dae1ce74e28ad3adde0fd9633bc72a
SHA16d9d704091435a7a6f2cc5fc29a631e5e803ad16
SHA25665a6cb1cdba62fda0cd3fa5dcb6c162ff8196e8ba6f4d99e362af1ba74408e80
SHA512335667bc66c0631cfe7b009af0f212934162ccea28c09d2390cd3ec13bd2e990d5feceb6ed805f5bcb694ccb085c7058a444cb7feb33b201872d13464df6ed0c