Malware Analysis Report

2024-11-30 11:30

Sample ID: 240225-wf48haad5t
Target: 2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside
SHA256: b14a55a5dbc52dc58ee5447ced1caaac304e77aca7b5805a25456e2c2338309f
Tags: lockbit, ransomware, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: b14a55a5dbc52dc58ee5447ced1caaac304e77aca7b5805a25456e2c2338309f

Threat Level: Known bad

The file 2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (327) files with added filename extension

Renames multiple (593) files with added filename extension

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-25 17:52

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-25 17:52
Reported: 2024-02-25 17:55
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe"

Signatures

Renames multiple (327) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\BD66.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\BD66.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Huq5PATQS.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Huq5PATQS.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Huq5PATQS C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Huq5PATQS\DefaultIcon\ = "C:\\ProgramData\\Huq5PATQS.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Huq5PATQS C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Huq5PATQS\ = "Huq5PATQS" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Huq5PATQS\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
(the preceding group of four rows, SeBackupPrivilege twice then SeSecurityPrivilege twice, is listed 12 times in this order, 48 rows in total)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe"

C:\ProgramData\BD66.tmp

"C:\ProgramData\BD66.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BD66.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x154

Network

N/A

Files

memory/2876-0-0x0000000002170000-0x00000000021B0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini

MD5 d03c77f3d805609957d5436db9c1323d
SHA1 a7dbd2058b964830ba08a291df13a6007c875511
SHA256 ab86130fdf996231f922bb8e3a51923565922f08f2e1106962cc0b5135a0509a
SHA512 bdfa21d669b9a27f75e398f643cb54f5d46221baaf6351c6a56e515c99799fc901f3b531e5a285a2d6f29b1699a8d2dabcc0b00e4a96ca003d6407b4e6cdb12b

C:\Huq5PATQS.README.txt

MD5 10255dc4dd443acee1928a2f1910c9da
SHA1 9c827642288316bf096ccbd3e4dca83c13225a84
SHA256 997242146adc5cd1f6ca51a73d2040a5c6770f34a7562defe6ca75989f318545
SHA512 7030e49dc11e5d1a7b367d4cf851e1de56967e3bd106cf57a4352c61ddb0feddd2c1e18d9aebcfdb1f4d47940898a68dd5baa35293475021fe68d9e61d32282b

F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\NNNNNNNNNNN

MD5 9eeb445dbc585673f28bfff1536b5cd8
SHA1 429bc90727dec01162db11a88c5c92b69cd59ad0
SHA256 d2667483370f30a4008bf62372b9166772b395781662ea4e0f79c56620d874d4
SHA512 6e2eaf3594295519c180c7df8b3de0c394c0047a17ef296da8a5933d1c476a2064c3c7d35f59d008f872d0bd545eac8812d3ab4c9b4140034e459087667556ce

C:\ProgramData\BD66.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1972-844-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1972-846-0x00000000021D0000-0x0000000002210000-memory.dmp

memory/1972-847-0x00000000021D0000-0x0000000002210000-memory.dmp

memory/1972-867-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/1972-868-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/1972-863-0x000000007EF80000-0x000000007EF81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM

MD5 b021915493a2c5b9a8486fcfb6ef9b20
SHA1 41e57d94e332936369a1c05f4249790049b6ec7c
SHA256 a10ee16e839497d46f2c496fea81421c1c45e50f36826d420d8b955bafa46353
SHA512 eb44bddfc6fe30e5ce1bb792157099e0f8409a790d4aab2acf991042e11556ef46830f549821ff726303b572a4b631b15c19f22d1be8bfeef40a2dd127d19afe

memory/1972-879-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/1972-880-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/1972-881-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-25 17:52
Reported: 2024-02-25 17:55
Platform: win10v2004-20240221-en
Max time kernel: 93s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe"

Signatures

Renames multiple (593) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation C:\ProgramData\4D84.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\4D84.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\4D84.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2132103209-3755304320-2959162027-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2132103209-3755304320-2959162027-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Huq5PATQS.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Huq5PATQS.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Huq5PATQS\ = "Huq5PATQS" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Huq5PATQS\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Huq5PATQS C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Huq5PATQS\DefaultIcon\ = "C:\\ProgramData\\Huq5PATQS.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Huq5PATQS C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
(this identical row is listed 64 times, one per process-enumeration event attributed to the sample)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe N/A
(the preceding group of four rows, SeBackupPrivilege twice then SeSecurityPrivilege twice, is listed 12 times in this order, 48 rows in total)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-25_cd7d7812314f54d00bd58b2992e2c266_darkside.exe"

C:\ProgramData\4D84.tmp

"C:\ProgramData\4D84.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4D84.tmp >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 188.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp

Files

memory/3344-0-0x00000000011B0000-0x00000000011C0000-memory.dmp

memory/3344-1-0x00000000011B0000-0x00000000011C0000-memory.dmp

memory/3344-2-0x00000000011B0000-0x00000000011C0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2132103209-3755304320-2959162027-1000\AAAAAAAAAAA

MD5 80b0b0727fbb3808b5e9f98680073d82
SHA1 01eb09c827d3dcc5d910816f7d0b571f8807d49c
SHA256 e2879d73dfe8c0ed3fceb62df124c7a98c05fd229e44b33190c1db4a27fb28db
SHA512 642680ae8dca097610f13ce1e9f1c24acc9ae8c5ca3945d0fcec4935ac00b043954f4486ba3631dc9c42ba40b6c222cb998c51759a4b13f2e16071ff24681bb5

C:\Huq5PATQS.README.txt

MD5 37d3ad87be525d2a618d3718b9375ab8
SHA1 53149e17e84c58af0cebc7e841fa40cb801f95e5
SHA256 ae0ccb1b5c9429c761ddfa5b196565e8b7ca3a4c1865bbdb9570f6061a9922d0
SHA512 c841c0b5d800c5f78dc168fa81a71afea317b7c5ba055d19e1f32b8c5fd3442c8821633470373fd21c3303cd7cc9177595aabe4d90d4e63cf06779793a96cd59

F:\$RECYCLE.BIN\S-1-5-21-2132103209-3755304320-2959162027-1000\DDDDDDDDDDD

MD5 62b07d43fa9bbc29964bf650506023c0
SHA1 dd55929fc1e90d6b7822f37b3f1b935f5a0a9c27
SHA256 92db15a954d75948941af3adcd99b65199bd479f821835fb25c5f626ac0c702e
SHA512 3d8b0689f5b0093ef7c7b7cca28cfd73040ef7f51c75eb5af00d09f15d9d481ec0718a5f519ddad25d1f43e641fb62366c146f7b950c3a95c26783e373fdb6de

C:\ProgramData\4D84.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1728-2759-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/1728-2760-0x0000000002400000-0x0000000002410000-memory.dmp

memory/1728-2761-0x0000000002400000-0x0000000002410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

MD5 4ad7f5227e2747f773f1abe2a6615f34
SHA1 83bc2a5f375675557ec8315bd3e3fbff95142ea3
SHA256 f5aaa56bc5baf14d9c156d5d64030714a30183fab329290c4dfe19278e32caf1
SHA512 24c7bacde17458c6c391a80831a59b632d55c5773cbc401ce08a6975e0296be19681407e691fac01450fd42a29333fbd611ee3a3dab08bbd89e33b87036d2ba0

memory/1728-2767-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/1728-2772-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

memory/1728-2793-0x000000007FE00000-0x000000007FE01000-memory.dmp

memory/1728-2792-0x000000007FDE0000-0x000000007FDE1000-memory.dmp