Analysis Overview
SHA256
9a18fdec476ae659ae5d79a06c9fdf7f0a36e685430a9bc2b59418604bf785ad
Threat Level: Likely malicious
The file Ransomware.Win64.Darkpower.zip was found to be: Likely malicious.
Malicious Activity Summary
Modifies extensions of user files
Deletes itself
Reads user/profile data of web browsers
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-31 17:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-31 17:30
Reported
2023-03-31 17:32
Platform
win7-20230220-en
Max time kernel
83s
Max time network
37s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\WriteSubmit.tiff | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WriteSubmit.tiff => C:\Users\Admin\Pictures\WriteSubmit.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallUnprotect.png => C:\Users\Admin\Pictures\InstallUnprotect.png.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DenyProtect.png => C:\Users\Admin\Pictures\DenyProtect.png.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OpenConnect.raw => C:\Users\Admin\Pictures\OpenConnect.raw.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StepEdit.tif => C:\Users\Admin\Pictures\StepEdit.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockOut.raw => C:\Users\Admin\Pictures\UnblockOut.raw.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StartSet.raw => C:\Users\Admin\Pictures\StartSet.raw.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
Reads user/profile data of web browsers
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1092 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | C:\Windows\system32\cmd.exe |
| PID 1092 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | C:\Windows\system32\cmd.exe |
| PID 1092 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
"C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
Network
Files
memory/1092-54-0x000000013FA50000-0x000000013FB7F000-memory.dmp
C:\Users\Public\Libraries\readme.pdf
| MD5 | e7a1ded35fa8603ad2d8ea413ed70822 |
| SHA1 | 8e51bc110584663dc297af70b76173b9a05bb39e |
| SHA256 | c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28 |
| SHA512 | e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4 |
memory/1092-376-0x000000013FA50000-0x000000013FB7F000-memory.dmp
memory/1092-381-0x000000013FA50000-0x000000013FB7F000-memory.dmp
C:\Users\Admin\Desktop\readme.pdf
| MD5 | e7a1ded35fa8603ad2d8ea413ed70822 |
| SHA1 | 8e51bc110584663dc297af70b76173b9a05bb39e |
| SHA256 | c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28 |
| SHA512 | e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-31 17:30
Reported
2023-03-31 17:34
Platform
win10v2004-20230221-en
Max time kernel
169s
Max time network
205s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ExportRepair.png => C:\Users\Admin\Pictures\ExportRepair.png.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DebugClose.tif => C:\Users\Admin\Pictures\DebugClose.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1636 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | C:\Windows\system32\cmd.exe |
| PID 1636 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
"C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.4:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 133.17.126.40.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.233.140.95.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
Files
memory/1636-133-0x00007FF792200000-0x00007FF79232F000-memory.dmp
memory/1636-134-0x00007FF792200000-0x00007FF79232F000-memory.dmp
memory/1636-135-0x00007FF792200000-0x00007FF79232F000-memory.dmp
C:\Users\Admin\Favorites\readme.pdf
| MD5 | e7a1ded35fa8603ad2d8ea413ed70822 |
| SHA1 | 8e51bc110584663dc297af70b76173b9a05bb39e |
| SHA256 | c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28 |
| SHA512 | e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4 |
memory/1636-207-0x00007FF792200000-0x00007FF79232F000-memory.dmp
memory/1636-247-0x00007FF792200000-0x00007FF79232F000-memory.dmp
memory/1636-310-0x00007FF792200000-0x00007FF79232F000-memory.dmp
memory/1636-367-0x00007FF792200000-0x00007FF79232F000-memory.dmp
memory/1636-392-0x00007FF792200000-0x00007FF79232F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-03-31 17:30
Reported
2023-03-31 17:33
Platform
win7-20230220-en
Max time kernel
44s
Max time network
33s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\BlockImport.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockImport.tiff => C:\Users\Admin\Pictures\BlockImport.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveRepair.png => C:\Users\Admin\Pictures\MoveRepair.png.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipDisable.tiff => C:\Users\Admin\Pictures\SkipDisable.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchMount.tif => C:\Users\Admin\Pictures\SearchMount.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockSearch.tif => C:\Users\Admin\Pictures\BlockSearch.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConfirmSend.raw => C:\Users\Admin\Pictures\ConfirmSend.raw.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SkipDisable.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConnectSave.crw => C:\Users\Admin\Pictures\ConnectSave.crw.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
Reads user/profile data of web browsers
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | C:\Windows\system32\cmd.exe |
| PID 1744 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | C:\Windows\system32\cmd.exe |
| PID 1744 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
"C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
Files
memory/1744-54-0x000000013F880000-0x000000013F97C000-memory.dmp
C:\Users\Public\Libraries\readme.pdf
| MD5 | ea36e01b49cf28d5983a9a0248832906 |
| SHA1 | a9aa07e277a1ad65b0b57f7336f391bc81a7cc84 |
| SHA256 | 086dbf48629378a584486e69147777562f0a7f2acab56ab998ce2f3846b43e2e |
| SHA512 | 33050edf8b47acc269078a99080314baab74e2342c6b33e5ef46db5bbadb0dc86459b0e4be6c07be9fd99991b1bfcf1bec879834acb227cdfbeda041a92441f1 |
memory/1744-382-0x000000013F880000-0x000000013F97C000-memory.dmp
memory/1744-386-0x000000013F880000-0x000000013F97C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-03-31 17:30
Reported
2023-03-31 17:33
Platform
win10v2004-20230220-en
Max time kernel
61s
Max time network
154s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\UnlockNew.tif => C:\Users\Admin\Pictures\UnlockNew.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DisconnectBackup.tif => C:\Users\Admin\Pictures\DisconnectBackup.tif.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PingTest.tiff => C:\Users\Admin\Pictures\PingTest.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StopConvert.crw => C:\Users\Admin\Pictures\StopConvert.crw.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SaveOptimize.tiff => C:\Users\Admin\Pictures\SaveOptimize.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnpublishConfirm.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\OptimizePop.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OptimizePop.tiff => C:\Users\Admin\Pictures\OptimizePop.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\PingTest.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SaveOptimize.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnpublishConfirm.tiff => C:\Users\Admin\Pictures\UnpublishConfirm.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CopyUpdate.tiff | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CopyUpdate.tiff => C:\Users\Admin\Pictures\CopyUpdate.tiff.dark_power | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
Reads user/profile data of web browsers
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4228 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | C:\Windows\system32\cmd.exe |
| PID 4228 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
"C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| DE | 193.233.20.36:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 117.18.237.29:80 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 20.189.173.1:443 | | tcp |
| NL | 8.238.177.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 8.8.8.8:53 | 2.77.109.52.in-addr.arpa | udp |
| NL | 8.238.177.126:80 | | tcp |
Files
memory/4228-133-0x00007FF7EA350000-0x00007FF7EA44C000-memory.dmp
C:\Users\Admin\Favorites\readme.pdf
| MD5 | ea36e01b49cf28d5983a9a0248832906 |
| SHA1 | a9aa07e277a1ad65b0b57f7336f391bc81a7cc84 |
| SHA256 | 086dbf48629378a584486e69147777562f0a7f2acab56ab998ce2f3846b43e2e |
| SHA512 | 33050edf8b47acc269078a99080314baab74e2342c6b33e5ef46db5bbadb0dc86459b0e4be6c07be9fd99991b1bfcf1bec879834acb227cdfbeda041a92441f1 |
memory/4228-400-0x00007FF7EA350000-0x00007FF7EA44C000-memory.dmp
memory/4228-441-0x00007FF7EA350000-0x00007FF7EA44C000-memory.dmp