Malware Analysis Report

2024-10-16 03:29

Sample ID 210901-txyngqh4rj
Target temp.file
SHA256 bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893
Tags darkside ransomware spyware stealer
Score 10/10


Analysis Overview

Score 10/10

SHA256 bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893

Threat Level: Known bad

The file temp.file was found to be: Known bad.

Malicious Activity Summary

darkside ransomware spyware stealer

DarkSide

Modifies extensions of user files

Reads user/profile data of web browsers

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in System32 directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Control Panel

Modifies data under HKEY_USERS

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2021-09-01 11:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2021-09-01 11:01

Reported 2021-09-01 11:05

Platform win7v20210410

Max time kernel 21s

Max time network 68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\temp.file.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\PushDebug.tif => C:\Users\Admin\Pictures\PushDebug.tif.949640ab | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\PushDebug.tif.949640ab | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\RepairProtect.png => C:\Users\Admin\Pictures\RepairProtect.png.949640ab | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RepairProtect.png.949640ab | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\949640ab.BMP" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 60b0f85e209fd701 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-d1-18-28-d1-3b\WpadDecisionTime = 60b0f85e209fd701 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-d1-18-28-d1-3b\WpadDecision = "0" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-d1-18-28-d1-3b\WpadDecisionReason = "1" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-d1-18-28-d1-3b | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\ae-d1-18-28-d1-3b | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\949640ab.BMP" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32} | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon\ = "C:\\ProgramData\\949640ab.ico" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab\ = "949640ab" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\temp.file.exe

"C:\Users\Admin\AppData\Local\Temp\temp.file.exe"

C:\Users\Admin\AppData\Local\Temp\temp.file.exe

"C:\Users\Admin\AppData\Local\Temp\temp.file.exe"

C:\Users\Admin\AppData\Local\Temp\temp.file.exe

"C:\Users\Admin\AppData\Local\Temp\temp.file.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\temp.file.exe

C:\Users\Admin\AppData\Local\Temp\temp.file.exe -work worker0 job0-1172

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | baroquetees.com | udp
N/A | 8.8.8.8:53 | baroquetees.com | udp

Files

memory/1068-60-0x0000000076661000-0x0000000076663000-memory.dmp

memory/1172-62-0x0000000000000000-mapping.dmp

memory/1672-64-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2021-09-01 11:01

Reported 2021-09-01 11:04

Platform win10v20210408

Max time kernel 21s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\temp.file.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\CompleteDisconnect.tiff | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CompleteDisconnect.tiff.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MergeUnregister.tiff.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResolveRegister.tif => C:\Users\Admin\Pictures\ResolveRegister.tif.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\BlockConvert.png.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\CopyReset.raw => C:\Users\Admin\Pictures\CopyReset.raw.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\MergeUnregister.tiff => C:\Users\Admin\Pictures\MergeUnregister.tiff.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RestartEdit.raw.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SplitRedo.png.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\StopEdit.raw => C:\Users\Admin\Pictures\StopEdit.raw.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CopyReset.raw.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MergeUnregister.tiff | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\SplitRedo.png => C:\Users\Admin\Pictures\SplitRedo.png.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\StopEdit.raw.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\BlockConvert.png => C:\Users\Admin\Pictures\BlockConvert.png.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompleteDisconnect.tiff => C:\Users\Admin\Pictures\CompleteDisconnect.tiff.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\JoinOut.tif => C:\Users\Admin\Pictures\JoinOut.tif.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\JoinOut.tif.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ResolveRegister.tif.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File renamed | C:\Users\Admin\Pictures\RestartEdit.raw => C:\Users\Admin\Pictures\RestartEdit.raw.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\70d4d153.BMP" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\70d4d153.BMP" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153\ = "70d4d153" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\70d4d153\DefaultIcon\ = "C:\\ProgramData\\70d4d153.ico" | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.70d4d153 | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\temp.file.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\temp.file.exe

"C:\Users\Admin\AppData\Local\Temp\temp.file.exe"

C:\Users\Admin\AppData\Local\Temp\temp.file.exe

"C:\Users\Admin\AppData\Local\Temp\temp.file.exe"

C:\Users\Admin\AppData\Local\Temp\temp.file.exe

"C:\Users\Admin\AppData\Local\Temp\temp.file.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\temp.file.exe

C:\Users\Admin\AppData\Local\Temp\temp.file.exe -work worker0 job0-3248

C:\Users\Admin\AppData\Local\Temp\temp.file.exe

C:\Users\Admin\AppData\Local\Temp\temp.file.exe -work worker1 job1-3248

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | baroquetees.com | udp
N/A | 8.8.8.8:53 | baroquetees.com | udp

Files

memory/3248-114-0x0000000000000000-mapping.dmp

memory/184-115-0x0000000000000000-mapping.dmp

memory/940-116-0x0000000000000000-mapping.dmp