Malware Analysis Report

2025-08-05 15:35

Sample ID 241031-yzdk1atckq
Target file.exe
SHA256 88dbbdcc10e16ae14103f8a0cbcd2d692668fc78efcc36a406880ff1e6b5fac0
Tags
evasion execution trojan
score
10/10

Analysis Overview

score
10/10

SHA256

88dbbdcc10e16ae14103f8a0cbcd2d692668fc78efcc36a406880ff1e6b5fac0

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

evasion execution trojan

Windows security bypass

UAC bypass

Looks for VirtualBox Guest Additions in registry

Command and Scripting Interpreter: PowerShell

Looks for VMWare Tools registry key

Checks computer location settings

Windows security modification

Drops startup file

Checks BIOS information in registry

Checks whether UAC is enabled

Maps connected drives based on registry

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-10-31 20:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 20:13

Reported

2024-10-31 20:15

Platform

win7-20241010-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1304 set thread context of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1304 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2276 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\system32\WerFault.exe
PID 2276 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\system32\WerFault.exe
PID 2276 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\system32\WerFault.exe
PID 1304 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WerFault.exe
PID 1304 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WerFault.exe
PID 1304 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\system32\WerFault.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2276 -s 20

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1304 -s 800

Network

N/A

Files

memory/1304-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

memory/1304-1-0x00000000008F0000-0x00000000008F8000-memory.dmp

memory/1304-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/1304-3-0x000000001B710000-0x000000001BA82000-memory.dmp

memory/2276-17-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-24-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-30-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-32-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-28-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

memory/2276-22-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-20-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-19-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-15-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-13-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-12-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-10-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-9-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-7-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-6-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/3020-37-0x000000001B6A0000-0x000000001B982000-memory.dmp

memory/3020-38-0x00000000026E0000-0x00000000026E8000-memory.dmp

memory/2276-4-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-26-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-11-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2276-5-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/1304-39-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 20:13

Reported

2024-10-31 20:15

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1232 set thread context of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 1232 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Windows Media Player\wmplayer.exe
PID 2648 wrote to memory of 5012 N/A C:\Program Files\Windows Media Player\wmplayer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 5012 N/A C:\Program Files\Windows Media Player\wmplayer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force

C:\Program Files\Windows Media Player\wmplayer.exe

"C:\Program Files\Windows Media Player\wmplayer.exe"

C:\Program Files\Windows Media Player\wmplayer.exe

"C:\Program Files\Windows Media Player\wmplayer.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Program Files\Windows Media Player\wmplayer.exe'; $s.Save()"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
CH 185.196.10.218:9889 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
CH 185.196.10.218:9889 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
CH 185.196.10.218:9889 tcp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CH 185.196.10.218:9889 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
CH 185.196.10.218:9889 tcp

Files

memory/1232-1-0x000001A607370000-0x000001A607378000-memory.dmp

memory/1232-0-0x00007FF8563B3000-0x00007FF8563B5000-memory.dmp

memory/1232-2-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

memory/1232-3-0x000001A621880000-0x000001A621BF2000-memory.dmp

memory/2648-7-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2648-8-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2648-10-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2648-6-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2648-4-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/2648-9-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/5012-11-0x00007FF8563B3000-0x00007FF8563B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3uih0cuu.ed1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5012-19-0x000002B9CD7C0000-0x000002B9CD7E2000-memory.dmp

memory/5012-12-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

memory/5012-32-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 440cb38dbee06645cc8b74d51f6e5f71
SHA1 d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA256 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA512 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 08f9f3eb63ff567d1ee2a25e9bbf18f0
SHA1 6bf06056d1bb14c183490caf950e29ac9d73643a
SHA256 82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512 425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

memory/5012-39-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

memory/2648-40-0x0000000000400000-0x00000000007AA000-memory.dmp

memory/1232-41-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

memory/2648-42-0x0000000000400000-0x00000000007AA000-memory.dmp