Malware Analysis Report

2025-03-15 06:31

Sample ID: 240204-nl6draaeaq
Target: PO-87365748668569.gz
SHA256: 79b8fda368f4c16579240c00a455d70436f649bc92becdfa713a8c23ce591935
Tags: warzonerat infostealer rat collection
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 79b8fda368f4c16579240c00a455d70436f649bc92becdfa713a8c23ce591935

Threat Level: Known bad

The file PO-87365748668569.gz was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat collection

WarzoneRat, AveMaria

Warzone RAT payload

Loads dropped DLL

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Runs ping.exe

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-04 11:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-04 11:30
Reported: 2024-02-04 11:32
Platform: win7-20231129-en
Max time kernel: 117s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 identical rows)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3036 set thread context of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3036 wrote to memory of 800 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 2616 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 2652 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3036 wrote to memory of 1864 (14 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1864 wrote to memory of 2104 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe

"C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LBvJnfZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LBvJnfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 200

Network

N/A

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1E3TK1EXAKC3G33NU8OG.temp

MD5 f4c8331523db72b386caa2b90527d39e
SHA1 d2f66a884bb14630a20c5edb45a2d9068f627cd4
SHA256 f833c566bfee01e89869872b7a54eb783c9d3d90683fa61af53a22cb83f3c161
SHA512 612d732fb8981359b8a7d12109f01931bd36b2749c569b4b1ea9551afbaf090f7599b6c79ffa79e4356c86268c56ac413512d6864a6ce310010c96da97f1a6e7

C:\Users\Admin\AppData\Local\Temp\tmp5013.tmp

MD5 0e0a656c4de0d700c6664d4c7706824c
SHA1 a37a6207cb5a3d6d0c3dadd19d71306b55d25256
SHA256 fc4c71c6e01d439d431d9af619bad882952ba2d317e5bc7edfa7a9e6bd2ff3a3
SHA512 95ff4422452a7c53b1311685434ccdc84e44bf714853d88913339e0f4f14e6f62d7ed31c0e0a198706ffa56f22e39c0009583be92b36e8b09abab6e1e8aad856


Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-04 11:30
Reported: 2024-02-04 11:32
Platform: win10v2004-20231222-en
Max time kernel: 148s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4260 set thread context of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4260 wrote to memory of 3192 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 460 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 4524 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4260 wrote to memory of 3876 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3876 wrote to memory of 5028 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 4516 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe

"C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO-87365748668569.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LBvJnfZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LBvJnfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C04.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.2.3.4 -n 2 -w 1000

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
NL | 45.137.22.105:4821 | - | tcp
US | 8.8.8.8:53 | 105.22.137.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files


C:\Users\Admin\AppData\Local\Temp\tmp8C04.tmp

MD5 1bd9df12349f5049136cb307c6d7613a
SHA1 b33012f1abefbbebb078642a2af7409219d9548a
SHA256 92503b5619aad1e4b763ed5d74170a2f3795ba9f16cfd2d08c720449da3c25b3
SHA512 29df2da44ffd16a344e0ecb9df1089495a1f30b0c5b176c77407a1e8bf178218c67cfec75f2589ff73bdc8eefd0d301affc27ba1f279062781b5588d74c925a1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ho14bwy1.rlk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 496dc259d0d34d8575e605f87aea2041
SHA1 bf2b1b07b7baa90910aa8b87ae017a1d261888a5
SHA256 9e166b981df15034bc8e58f6a5328cbda6c1284c1e47ad85676e624fb1a6857c
SHA512 8c2923d1fa1b1a0f59b591cda13d6d987ed30946ec9aa8a2bb8bccdc58ce0de47da1ae93f3be96c80e8cca44527a8576e18bafe3c80b79aa362517135b0e90ef


C:\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5 75f8cc548cabf0cc800c25047e4d3124
SHA1 602676768f9faecd35b48c38a0632781dfbde10c
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512 ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

C:\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5 ef12ab9d0b231b8f898067b2114b1bc0
SHA1 6d90f27b2105945f9bb77039e8b892070a5f9442
SHA256 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
SHA512 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

C:\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5 471c983513694ac3002590345f2be0da
SHA1 6612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256 bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512 a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

C:\Users\Admin\AppData\Local\Temp\nss3.dll

MD5 1ea0bd68494c93760ba7887ddc8fa6a8
SHA1 92eb74ca0b8ff75380fcf528b1a1d95228a65e1e
SHA256 50fe4ae53fb2199f67779032ad8eb440fa025d3b8017c60489ce16e08bfa9e17
SHA512 52751962b5b6e6b43423bf34b5f7faf55b6aafc16956181488b32a61b4fe184c0e32069e6bbec42c050184717a2c014e7d2faeea7dcb7d67ba5c99ac71cf4e8d

C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
