Malware Analysis Report

2024-10-23 19:45

Sample ID 240425-lpn8jahe41
Target POP.exe
SHA256 3796fdf35ca6c4557746dc1de61e477fe9972bc44a2fb23503e302c27fab4335
Tags nanocore evasion keylogger persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 3796fdf35ca6c4557746dc1de61e477fe9972bc44a2fb23503e302c27fab4335

Threat Level: Known bad

The file POP.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-25 09:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 09:42

Reported

2024-04-25 09:45

Platform

win7-20240220-en

Max time kernel

118s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\POP.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2080 set thread context of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Users\Admin\AppData\Local\Temp\POP.exe N/A
File opened for modification C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\POP.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\POP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2080 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\schtasks.exe
PID 2080 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\schtasks.exe
PID 2080 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\schtasks.exe
PID 2080 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\schtasks.exe
PID 2080 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 2080 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WerFault.exe
PID 2080 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WerFault.exe
PID 2080 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WerFault.exe
PID 2080 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\POP.exe

"C:\Users\Admin\AppData\Local\Temp\POP.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\POP.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CXAoYUE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CXAoYUE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50FD.tmp"

C:\Users\Admin\AppData\Local\Temp\POP.exe

"C:\Users\Admin\AppData\Local\Temp\POP.exe"

C:\Users\Admin\AppData\Local\Temp\POP.exe

"C:\Users\Admin\AppData\Local\Temp\POP.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 916

Network

Country Destination Domain Proto
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:4190 amechi.duckdns.org tcp

Files

memory/2080-0-0x0000000000B40000-0x0000000000BEC000-memory.dmp

memory/2080-1-0x00000000742C0000-0x00000000749AE000-memory.dmp

memory/2080-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/2080-3-0x00000000005C0000-0x00000000005E0000-memory.dmp

memory/2080-4-0x0000000000800000-0x0000000000814000-memory.dmp

memory/2080-5-0x0000000004FC0000-0x000000000503A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp50FD.tmp

MD5 d12b1f1584ceaa70a5086466527516b2
SHA1 62b82de14630cc5b1689f44e142212c7185ffb11
SHA256 e1dd88b95707e0a96e67ebdee121ef437c37bba2682e339cffd0de3baddc1491
SHA512 a29c525572e02ea966695dee80d96b91874b773bcaa60a9226ed0164b906f16149c8311f19ec22d70621a03ba30130b19c4ef142c3b8e035343cc8078cda6bd9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 945480969aabfd5294c6ee025d52eb1f
SHA1 72cf6d77d513a21805fff6ffdcc5330236e35404
SHA256 c688b8563b4700691fc48cd2f35cf30e2fe8e1dc39c0169c97a4b317fd3dc830
SHA512 a7aa9130da5b085bfbe1c299e25370e71f653cccacdcc080da78c60deb413d4c233d1559651d64fcb5f07f51d64d0d2c4e519957878cfd705cd6648b6b733a5f

memory/2412-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2412-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2412-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2412-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2412-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2412-24-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2412-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2412-28-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2564-29-0x000000006E3C0000-0x000000006E96B000-memory.dmp

memory/2568-30-0x000000006E3C0000-0x000000006E96B000-memory.dmp

memory/2564-31-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2568-32-0x00000000026C0000-0x0000000002700000-memory.dmp

memory/2564-33-0x000000006E3C0000-0x000000006E96B000-memory.dmp

memory/2568-35-0x000000006E3C0000-0x000000006E96B000-memory.dmp

memory/2412-37-0x00000000742C0000-0x00000000749AE000-memory.dmp

memory/2564-38-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2412-39-0x00000000004B0000-0x00000000004BA000-memory.dmp

memory/2412-40-0x0000000004980000-0x00000000049C0000-memory.dmp

memory/2564-41-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2412-42-0x00000000004C0000-0x00000000004DE000-memory.dmp

memory/2412-43-0x00000000004E0000-0x00000000004EA000-memory.dmp

memory/2564-45-0x000000006E3C0000-0x000000006E96B000-memory.dmp

memory/2568-44-0x000000006E3C0000-0x000000006E96B000-memory.dmp

memory/2080-47-0x00000000742C0000-0x00000000749AE000-memory.dmp

memory/2080-48-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/2412-49-0x00000000742C0000-0x00000000749AE000-memory.dmp

memory/2412-50-0x0000000004980000-0x00000000049C0000-memory.dmp

memory/2412-52-0x00000000007B0000-0x00000000007C2000-memory.dmp

memory/2412-53-0x0000000000A90000-0x0000000000AAA000-memory.dmp

memory/2412-54-0x00000000009B0000-0x00000000009BE000-memory.dmp

memory/2412-55-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

memory/2412-56-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

memory/2412-57-0x0000000000B10000-0x0000000000B1E000-memory.dmp

memory/2412-58-0x0000000000B20000-0x0000000000B34000-memory.dmp

memory/2412-59-0x0000000000B30000-0x0000000000B40000-memory.dmp

memory/2412-60-0x0000000002140000-0x0000000002154000-memory.dmp

memory/2412-61-0x0000000002150000-0x000000000215E000-memory.dmp

memory/2412-62-0x0000000002200000-0x000000000222E000-memory.dmp

memory/2412-63-0x00000000021B0000-0x00000000021C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 09:42

Reported

2024-04-25 09:45

Platform

win10v2004-20240412-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\POP.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4960 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\POP.exe N/A
File opened for modification C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\POP.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\POP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\POP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\schtasks.exe
PID 4960 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\schtasks.exe
PID 4960 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Windows\SysWOW64\schtasks.exe
PID 4960 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 4960 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 4960 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 4960 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 4960 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 4960 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 4960 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe
PID 4960 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\POP.exe C:\Users\Admin\AppData\Local\Temp\POP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\POP.exe

"C:\Users\Admin\AppData\Local\Temp\POP.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\POP.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CXAoYUE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CXAoYUE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF4B.tmp"

C:\Users\Admin\AppData\Local\Temp\POP.exe

"C:\Users\Admin\AppData\Local\Temp\POP.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4960 -ip 4960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1752

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:4190 amechi.duckdns.org tcp
US 8.8.8.8:53 113.169.95.45.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 49.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/4960-0-0x0000000000E10000-0x0000000000EBC000-memory.dmp

memory/4960-1-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/4960-2-0x0000000005E80000-0x0000000006424000-memory.dmp

memory/4960-3-0x00000000058D0000-0x0000000005962000-memory.dmp

memory/4960-4-0x0000000005870000-0x0000000005880000-memory.dmp

memory/4960-5-0x00000000058A0000-0x00000000058AA000-memory.dmp

memory/4960-6-0x0000000006BA0000-0x0000000006BC0000-memory.dmp

memory/4960-7-0x0000000006BD0000-0x0000000006BE4000-memory.dmp

memory/4960-8-0x0000000007160000-0x00000000071DA000-memory.dmp

memory/4960-9-0x000000000DAB0000-0x000000000DB4C000-memory.dmp

memory/3244-14-0x0000000002E00000-0x0000000002E36000-memory.dmp

memory/3244-16-0x0000000005A30000-0x0000000006058000-memory.dmp

memory/3244-15-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/3244-17-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/3244-19-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/5088-18-0x0000000004790000-0x00000000047A0000-memory.dmp

memory/3244-21-0x0000000005960000-0x0000000005982000-memory.dmp

memory/5088-22-0x0000000004790000-0x00000000047A0000-memory.dmp

memory/5088-20-0x0000000075320000-0x0000000075AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAF4B.tmp

MD5 607eb5a492eab726534ac15ef2af035c
SHA1 72b98f29b5e96824013b6f52b7e41af619135f21
SHA256 27967da3144d853cfbd41861ceba99f369cc933cb8ed7deb5ccea80c76e47da1
SHA512 0f42594efe7e9af27785d1fb4c5ae9bbad7631d4488df7d48f852c9eb634ae76c832a969d5d21e45513e88cd430625471066aaed22c03a5f560e8a9f2086b8f4

memory/3244-35-0x00000000060D0000-0x0000000006136000-memory.dmp

memory/3244-24-0x0000000006060000-0x00000000060C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_okaqyg3e.pxi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5088-44-0x0000000005810000-0x0000000005B64000-memory.dmp

memory/4376-45-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4960-47-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/4376-48-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/4960-49-0x0000000005870000-0x0000000005880000-memory.dmp

memory/3244-50-0x0000000006720000-0x000000000673E000-memory.dmp

memory/4376-53-0x0000000005530000-0x000000000553A000-memory.dmp

memory/3244-54-0x0000000006BD0000-0x0000000006C1C000-memory.dmp

memory/4376-55-0x0000000005B10000-0x0000000005B2E000-memory.dmp

memory/4376-56-0x0000000005B30000-0x0000000005B3A000-memory.dmp

memory/4960-57-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/3244-60-0x000000007FC60000-0x000000007FC70000-memory.dmp

memory/5088-59-0x000000006FC00000-0x000000006FC4C000-memory.dmp

memory/3244-58-0x0000000006CF0000-0x0000000006D22000-memory.dmp

memory/3244-71-0x000000006FC00000-0x000000006FC4C000-memory.dmp

memory/5088-70-0x00000000062F0000-0x000000000630E000-memory.dmp

memory/5088-72-0x000000007FB90000-0x000000007FBA0000-memory.dmp

memory/5088-74-0x0000000006F30000-0x0000000006FD3000-memory.dmp

memory/3244-84-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/5088-85-0x0000000004790000-0x00000000047A0000-memory.dmp

memory/3244-86-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/5088-73-0x0000000004790000-0x00000000047A0000-memory.dmp

memory/3244-88-0x0000000007A50000-0x0000000007A6A000-memory.dmp

memory/5088-87-0x0000000007670000-0x0000000007CEA000-memory.dmp

memory/5088-89-0x00000000070A0000-0x00000000070AA000-memory.dmp

memory/5088-91-0x00000000072B0000-0x0000000007346000-memory.dmp

memory/3244-92-0x0000000007C50000-0x0000000007C61000-memory.dmp

memory/3244-93-0x0000000007C80000-0x0000000007C8E000-memory.dmp

memory/5088-94-0x0000000007270000-0x0000000007284000-memory.dmp

memory/5088-95-0x0000000007370000-0x000000000738A000-memory.dmp

memory/3244-96-0x0000000007D70000-0x0000000007D78000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f039addc5f467109344f2e21034e7b
SHA1 106365c7d342508bd241c02e874904b54803d5a7
SHA256 e6231450201faf94e22f4ca77ad8f9e9533e24c60a3fd975ed84a28994aafdf9
SHA512 d47c227dcfc823fb91bef520e065ed083be6365187f53e37c41f89687bbd6afe5c5ee4f12f09d212fc049f31689fba0eba0f0e7ee21ec7fd278f6d8ecca58da0

memory/3244-103-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/5088-102-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/4376-104-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/4376-105-0x0000000005540000-0x0000000005550000-memory.dmp

memory/4376-107-0x0000000006B00000-0x0000000006B12000-memory.dmp

memory/4376-108-0x0000000006B10000-0x0000000006B2A000-memory.dmp

memory/4376-109-0x0000000006B40000-0x0000000006B4E000-memory.dmp

memory/4376-110-0x0000000006B50000-0x0000000006B62000-memory.dmp

memory/4376-111-0x0000000006B60000-0x0000000006B6C000-memory.dmp

memory/4376-112-0x0000000006B70000-0x0000000006B7E000-memory.dmp

memory/4376-113-0x0000000006B80000-0x0000000006B94000-memory.dmp

memory/4376-114-0x0000000006B90000-0x0000000006BA0000-memory.dmp

memory/4376-115-0x0000000006BB0000-0x0000000006BC4000-memory.dmp