Malware Analysis Report

2024-10-23 19:44

Sample ID: 240425-jzeezaha4x
Target: PROOF OF PAYMENT.scr.exe
SHA256: c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85

Threat Level: Known bad

The file PROOF OF PAYMENT.scr.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-25 08:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-25 08:06
Reported: 2024-04-25 08:08
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2972 set thread context of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DHCP Host\dhcphost.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A
File opened for modification | C:\Program Files (x86)\DHCP Host\dhcphost.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2972 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2972 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2972 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2972 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2972 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2972 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 2972 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 2972 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 2972 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 2972 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 2972 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 2972 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 2972 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 2972 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe

"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4CF8.tmp"

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe

"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | amechi.duckdns.org | udp
HR | 45.95.169.113:3190 | amechi.duckdns.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4CF8.tmp

MD5 c456add6ad59576f2037e540cfaa97ea
SHA1 03bcba4d5ba09effe878d8017855912a93335774
SHA256 113aed93c3b60ae1342b5a4f8dcb509767e1edfb72f695c25dbaf874a2a67a91
SHA512 d846ebbd3b4b4ef92bff425f62d949aeabd6dd7aaa8740f7cd42b2cd1fe8a8de79297e651ecd95cbc0de0e43fe11bcd91205a99ca37394c1793deb94cb4e1d9a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H97CD0VR7R5OFFP3ZBJ1.temp

MD5 ba257e0457ef70df3d33fd32ec83b772
SHA1 c4d49520897241dfebe30d5e4727fe9ef8ebbaa8
SHA256 f64ccd63e69a78a628b8457eb1c405e1f237b0fa3552ca5340360dc35dfd13bb
SHA512 10a6d73a953665f2cc5f8bb4ba9be293e57446590c03afd2b4ed4fc337e1d6d5da97d1cd7801b951d280a9c2fb740c0cadaafd091f0f7fb13349940e6a8071e8

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-25 08:06
Reported: 2024-04-25 08:08
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 500 set thread context of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A
File opened for modification | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 500 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 500 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 500 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 500 wrote to memory of 5888 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 500 wrote to memory of 5888 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 500 wrote to memory of 5888 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 500 wrote to memory of 6016 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\schtasks.exe
PID 500 wrote to memory of 6016 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\schtasks.exe
PID 500 wrote to memory of 6016 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Windows\SysWOW64\schtasks.exe
PID 500 wrote to memory of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 500 wrote to memory of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 500 wrote to memory of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 500 wrote to memory of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 500 wrote to memory of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 500 wrote to memory of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 500 wrote to memory of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
PID 500 wrote to memory of 5532 | N/A | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe | C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe

"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp554F.tmp"

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe

"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | amechi.duckdns.org | udp
HR | 45.95.169.113:3190 | amechi.duckdns.org | tcp
US | 8.8.8.8:53 | 113.169.95.45.in-addr.arpa | udp
GB | 142.250.187.202:443 | | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp554F.tmp

MD5 61b141850a0a8c43f00765dca2893029
SHA1 8495a66c52945493c52a0f433cd439cdcc5922a1
SHA256 41e3f677483dc3bb7b2053ba51ba40a08f2ccc1b750a72aa0b53479b3e0553c8
SHA512 5585899182b663b5847cc66d1a78bcdd53a87767df65738eaa95b57a86e9dd701078e396e438d2c99dc5c8b2e87cd82e63de2f92c608c5d9654405e52a8194a2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ehlim0sk.ns0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
