Analysis Overview
SHA256
b565e9266717161163e884793dc1004f9f2ca94ab0533df9c167d5d188cebf2f
Threat Level: Known bad
The file DArkS.bin was found to be: Known bad.
Malicious Activity Summary
DarkSide
Modifies extensions of user files
Drops startup file
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Control Panel
Modifies data under HKEY_USERS
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-08 08:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-08 08:52
Reported
2021-07-08 08:55
Platform
win7v20210408
Max time kernel
18s
Max time network
11s
Command Line
Signatures
DarkSide
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\SubmitConnect.crw.53411c86 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EditConvertTo.tiff.53411c86 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SkipAdd.tiff.53411c86 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DenyCheckpoint.raw.53411c86 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnableRemove.raw.53411c86 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReadMount.png.53411c86 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReadSuspend.png.53411c86 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ApproveUse.tiff.53411c86 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConvertFromFind.tif.53411c86 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.53411c86.TXT | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.53411c86.TXT | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\53411c86.BMP" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 976b0b7040d2f5ca678c5479923a6eba6e605767b5a6e6a799b96d0cbbdbd0b8 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = d5f61c5a23b0aeccf08cf259b165991f583f0cc8ee472cef63e86a82a528d6dd | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 4945d6dad4a6ae8d46e64e73cef06fe701d4bf990a1fd6c36b10779e77b12737 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 1346fb5ad34238b61ab7c71ae02fada059c93fdb17713971c4591fd820087b1e | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 668590a730f6e8c08713fc812cde8091d111c257e987016c4b29e90d6ed80fff | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 8c8f10682bfc33ed560f5135591149b31d9bb33ed3dbda712571723ae656d7ac | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 45bfaf170e6493e1cf7fe3981095eda4511ee5a855297d5efb67d9ed6d5e69b1 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = cb2a54e8fd597e344c0cd4cfa944dfc210b79bfe8ff0abc01b3ccbea2ac4ef1f | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 0196c9c649851b59fe253b3c3aaaf004c2f5ad371bdb9387d5ca5ce09a866c8f | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = c6bd3bc12459ab0d606b7638fd96f3d01656b753bafee2ab3029c1e3108954d9 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = c8aaf00c4e52ae27c918a94a3e7e6476da4bb338a67a2d82e88547b6df16af32 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 8effff708f4a5d0c5b0e5d06e3f7f13c86d849625dc98eb32a2c7e6351b2adce | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = fa04e67155b5679cfeeeebbf5f31e316d0f181d3609479fad9386bfcb6cd4565 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 7ac6099963ff0f3d36cc740ca24b2fb875bdad0661d2f717f8a685eb5a428c62 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1be518cf20e13fc35f3f4b6f440a84017a78f5cf104d77aeda8b929b95e3362c | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1" | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\53411c86.BMP" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = c4030000d07adfdee773d701 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 3360584dbdc348b69fd4d5e19be3cd1c99e810f653cfb0161236e44266733d60 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.53411c86 | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.53411c86\ = "53411c86" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\53411c86\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\53411c86 | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\53411c86\DefaultIcon\ = "C:\\ProgramData\\53411c86.ico" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\AppData\Local\Temp\darks.bin.exe
C:\Users\Admin\AppData\Local\Temp\darks.bin.exe -work worker0 job0-1936
Network
Files
memory/1608-60-0x0000000075801000-0x0000000075803000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LOGS.53411c86\LOG.53411c86.PID-0.TXT
| MD5 | 4cb1a04be4a8f158bd30c80da609d4b3 |
| SHA1 | 23e93b8549fcd653585aedf30504b652fc827362 |
| SHA256 | 9bdf6132b8c630cd38346765661f64398f4744a252640b9227e5257c03ceedb0 |
| SHA512 | 29b3b9ad8e73fad3713184edb460530e435a9340893dea56524f6390570f91e76dfa5783bd5f177f4733dba9c8ae87c13a534038e1d6242859483ba9e664d9a6 |
memory/1936-64-0x0000000000000000-mapping.dmp
memory/964-66-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-08 08:52
Reported
2021-07-08 08:55
Platform
win10v20210408
Max time kernel
46s
Max time network
80s
Command Line
Signatures
DarkSide
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\ReadAdd.raw.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetUnlock.tiff.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AddUnlock.tif.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MountStart.png.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PushExit.tiff.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetStep.tiff.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StepUnpublish.raw.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnprotectApprove.tif.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DenyUnlock.tiff.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MoveExport.tif.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SendConvertFrom.png.70d4d153 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.70d4d153.TXT | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.70d4d153.TXT | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
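The two signatures above (and the matching ones in the behavioral1 run, where the id is 53411c86) show the pattern a responder can key on: the sample appends a victim-specific 8-hex-digit id after each file's original extension, drops README.<id>.TXT into the Startup folder, and reuses the same id for the wallpaper, the icon and the HKLM\SOFTWARE\Classes\.<id> class seen later in the report. The following is an added example, not code from the sandbox or from the sample, that turns that pattern into a small correlation rule: it groups "File opened for modification" events by (process, appended id), flags a process once it has touched a threshold number of such files, and attaches the ransom note if the same process created one with the same id. The event list is constructed from the behavioral2 rows above plus two benign rows (an Excel save and the svchost write to C:\Windows\Debug\ESE.TXT) so the rule has something it must not flag; `related_artifacts` only enumerates names the report itself ties to the id.

```python
import re
from collections import defaultdict

# Constructed sample: the eleven renamed pictures and the ransom-note creation
# from the behavioral2 run above, plus two benign rows added here.
# Each event is (operation, path, process).
DARKS = r"C:\Users\Admin\AppData\Local\Temp\darks.bin.exe"
RENAMED = ["ReadAdd.raw", "SetUnlock.tiff", "AddUnlock.tif", "MountStart.png",
           "PushExit.tiff", "SetStep.tiff", "StepUnpublish.raw", "UnprotectApprove.tif",
           "DenyUnlock.tiff", "MoveExport.tif", "SendConvertFrom.png"]
SAMPLE_EVENTS = [("File opened for modification",
                  "C:\\Users\\Admin\\Pictures\\%s.70d4d153" % name, DARKS) for name in RENAMED]
SAMPLE_EVENTS += [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.70d4d153.TXT",
     DARKS),
    # benign rows (constructed): a normal document save, and the svchost log write from the same run
    ("File opened for modification", r"C:\Users\Admin\Documents\budget.xlsx",
     r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ("File opened for modification", r"C:\Windows\Debug\ESE.TXT", r"C:\Windows\system32\svchost.exe"),
]

# "<name>.<orig ext>.<8 hex digits>": the original extension is kept and the id is appended.
APPENDED_ID_RE = re.compile(r"^(?P<stem>.+\.[A-Za-z0-9]{1,5})\.(?P<id>[0-9a-f]{8})$")
# The ransom note carries the same id.
NOTE_RE = re.compile(r"^README\.(?P<id>[0-9a-f]{8})\.TXT$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def victim_id_from_path(path):
    """Return the 8-hex-digit id appended after the original extension, or None."""
    m = APPENDED_ID_RE.match(basename(path))
    return m.group("id") if m else None


def find_rename_bursts(events, threshold=5):
    """Map (process, id) -> {"files": [...], "note": path or None} for every process
    that renamed at least `threshold` files with the same appended id.
    A note with the same id is attached when present; it is evidence, not a requirement."""
    renamed = defaultdict(list)
    notes = {}
    for op, path, proc in events:
        vid = victim_id_from_path(path)
        if vid is not None:
            renamed[(proc, vid)].append(path)
            continue
        m = NOTE_RE.match(basename(path))
        if m and op == "File created":
            notes[(proc, m.group("id").lower())] = path
    return {key: {"files": files, "note": notes.get(key)}
            for key, files in renamed.items() if len(files) >= threshold}


def related_artifacts(vid):
    """Other artefacts this report ties to the same id, for hunting once an id is known."""
    return {
        "ransom_note": "README.%s.TXT" % vid,                 # Startup folder (both runs)
        "wallpaper": r"C:\ProgramData\%s.BMP" % vid,          # Control Panel\Desktop\WallPaper
        "icon": r"C:\ProgramData\%s.ico" % vid,               # Classes\<id>\DefaultIcon (behavioral1)
        "registry_class": r"HKLM\SOFTWARE\Classes\.%s" % vid, # file-type registration (behavioral1)
        "log_dir": r"%%LOCALAPPDATA%%\Temp\LOGS.%s" % vid,     # LOG.<id>.PID-0.TXT (behavioral1 Files)
    }


if __name__ == "__main__":
    for (proc, vid), hit in find_rename_bursts(SAMPLE_EVENTS).items():
        print(proc, vid, len(hit["files"]), "files; note:", hit["note"])
        print(related_artifacts(vid))
```

The 8-hex-digit suffix on its own is a weak indicator (any file that happens to end in eight hex characters matches), which is why the rule groups by process and requires a burst; the threshold of five is an assumption to tune against the environment's baseline, and the presence of the note raises confidence rather than gating the alert.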
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\70d4d153.BMP" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\system32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 72ae8f39aed12f711a400b19a73960c52270fb3def4a5e081dd456e7eaf0dedc | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 056fdb844d23cd0a1fd6c34f9a7da8a9068167dddf8dffcb0ef28aeb623a50d2 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 91bfaf8fc75c95e20f0170a62581230aed1065e4e026dfe7e8c064092212d151 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 08f32c5bc04dce6ec2889bfd826eb94d9a6ffe9105a5faa5cc520313da20288c | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 73540b90adb1f60a7f7684dd37b8353d1b3adbb65bf3a9a95c6640dd1a21210d | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 04b349cd61c2e6db6dbdef19cd2373a121f41b2bdf9c4b6edb656c9ba0958051 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 088274ac31a59d947855a0d37cbf700c6c69d4349058003286a28a952b192534 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = ad348e3348c1afa6f73258af353202fba3790a8123919a385685dbfae60f3b90 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 013860bff3ca45cb55ed5db3d1a9f735184519aa3cdf364ca000b3cb28711de8 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 024a6f0a3c71b70f9e0290aa8104e03aba1d8061e53d38ee56ce0d41d04e1ef1 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = (value not preserved) | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 3eafd236bf82f4abf354b046fcf255bbfb1ea2c085a9c9684481d320f0559f89 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\70d4d153.BMP" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f8751f1178c034dafb33350fc1f7c0c868f4e01095250ceb9f2c662cfcc49d11 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 47f49960c9ced3689828f00c7aecfd27c3a378d2d0bbb90f2a15ef452419f2d6 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = (value not preserved) | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 454671f83bb6887fddbd9bcb341fb159d614db21a1ee5c6ec41a9062ad82eb07 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c00540069006c00650044006100740061004c0061007900650072005c00440061007400610062006100730065005c004500440042002e006c006f00670000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 667d663ae82c3a97a8da68f23aacaafe35793ab33881c09aaa2d0647bb9f4efb | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = cd5336e88fea984e703cd97daca4051a69f1f6e8c4f5acd036bea8dc3ecf5113 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = (value not preserved) | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = (value not preserved) | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c00540065006d0070006f007200610072007900200049006e007400650072006e00650074002000460069006c00650073005c0063006f0075006e00740065007200730032002e0064006100740000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d002e0062006c00660000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 464c77407c11f5da79f9ea5fba4a3b6bda12b0ecd3808738c58af0d629a82198 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 9b65db558de9f7375ca85b5cae8ac4e7b3c6354cb11a01268cdb2477442c95c0 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e0064006100740000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 67323090ba74e0359ef2e54908b2d9bd9050e272087f2cf7e70cfc6643acb7ba | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 271d3a136b9d09fbbec7f80b5713de9b6fa6cf3d51a87c244e0ea27902d1231b | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = aecb1766ae72327cea9e8b9f1cf08d2276fbecc213cfe4652adbf5117c6206ac | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 70324fc77d72f46c0c4d483aef50562f5756c1eb842db7cb29c3a577c5ff9c50 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 75f199b9f335899361b2829aa4cb8fc566c6aa288760b63a7a364b173e0ddc58 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 63e2e59670899f4f301d4776ba1aed666876a6f8fce9bee6821085390855c645 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = efb889ebc97cf8e6c0543af1a8e6ef374d573a82ae39e132f7e5a5566a0ccbb3 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 4f39cffb04018ac29b2a6398d8afe5e407cdbddcc1d2f1d539dd6a785add6ca8 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = fb6717653238cd8c74544a54bd043406d5ad6594a11d4552e3b2d9cf5ea6c9ca | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 4c050000fc3f61e7e773d701 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = f3ccd25ca99310d4d891b2afd84c5e20be0f48e50d7c2c65d333b09231c40aa1 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 0388d7ed2535ca2abbc431bfdc12e5ffed98ad9515e0e5af09aa51a2f5d26daf | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 037fc139a5eeaa9a19a81553cd67713f6369bb31e9d8b96d37f8893abddaca94 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = bede80216b8bdc9836d7999a60dc3abbb536d8b37078b233bbd4f98d6575f8aa | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00340065003000370034003600360038002d0030006300310063002d0031003100650037002d0061003900340033002d006500340031006400320064003700310038006100320030007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 921b328fefe38c5b63de7ec2a6fd6e947312b2cfec16a6f1094df99295ac08a9 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 4d3f007cb6b02841757b0ec19d0295546cc947ea56735f1bca7ec86cdb88d216 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = ba8463c5829a13b76368a1bb1d0924d012f8994ab67ec420b4977b093072d525 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 7122ad7280247e658d2038b5a6a1d43174cc7814c287685ed674a0792f3e1301 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f007200740061006e0061005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e006400610074002e004c004f004700310000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 044fad7889588af3fa2d1a813c1670909126cfc3d124d77fc93ae568d822e70e | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 823b6a1e299727bb4e008552fa2bb26f2cf324aa47a140542b9717fcc25b1eab | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c004c006f00630061006c002000530065007400740069006e00670073005c005000610063006b0061006700650073005c004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e005300680065006c006c0045007800700065007200690065006e006300650048006f00730074005f006300770035006e003100680032007400780079006500770079005c00530065007400740069006e00670073005c00730065007400740069006e00670073002e006400610074002e004c004f004700310000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = b46ec7797507d67d5a17174fb0975e7887205e25ef53d4a895d6129ec4a4306e | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c0044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e00670073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000 | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "0" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "0" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153\ = "70d4d153" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153 | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153 | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon\ = "C:\\ProgramData\\70d4d153.ico" | C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | "C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe" |
| C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | "C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe" |
| C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe | "C:\Users\Admin\AppData\Local\Temp\DArkS.bin.exe" |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe -work worker0 job0-3304 |
| C:\Users\Admin\AppData\Local\Temp\darks.bin.exe | C:\Users\Admin\AppData\Local\Temp\darks.bin.exe -work worker1 job1-3304 |
| C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca |
| C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc |
Network
Files
C:\Users\Admin\AppData\Local\Temp\LOGS.70d4d153\LOG.70d4d153.PID-0.TXT
| MD5 | 4cb1a04be4a8f158bd30c80da609d4b3 |
| SHA1 | 23e93b8549fcd653585aedf30504b652fc827362 |
| SHA256 | 9bdf6132b8c630cd38346765661f64398f4744a252640b9227e5257c03ceedb0 |
| SHA512 | 29b3b9ad8e73fad3713184edb460530e435a9340893dea56524f6390570f91e76dfa5783bd5f177f4733dba9c8ae87c13a534038e1d6242859483ba9e664d9a6 |
memory/3304-116-0x0000000000000000-mapping.dmp
memory/1356-117-0x0000000000000000-mapping.dmp
memory/2172-118-0x0000000000000000-mapping.dmp
memory/3124-119-0x00000198726A0000-0x00000198726B0000-memory.dmp
memory/3124-120-0x0000019872A70000-0x0000019872A80000-memory.dmp