Analysis Overview
SHA256
a91b6fed7eb263b7a1c6e619b0c5cd107ceca1612e6ec59c80ae51706ad9dbf0
Threat Level: Shows suspicious behavior
The file a91b6fed7eb263b7a1c6e619b0c5cd107ceca1612e6ec59c80ae51706ad9dbf0 was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
One or more HTTP URLs in qr code identified
Reads runtime system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-10 11:13
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
One or more HTTP URLs in qr code identified
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
90s
Max time network
155s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_ads.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01fn4kgo.3yy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2800-0-0x000001E91F0A0000-0x000001E91F0C2000-memory.dmp
memory/2800-10-0x00007FFA6F4B0000-0x00007FFA6FF71000-memory.dmp
memory/2800-11-0x000001E91CF80000-0x000001E91CF90000-memory.dmp
memory/2800-12-0x000001E91CF80000-0x000001E91CF90000-memory.dmp
memory/2800-15-0x00007FFA6F4B0000-0x00007FFA6FF71000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:17
Platform
win7-20240221-en
Max time kernel
120s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib.js
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20231215-en
Max time kernel
89s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib2.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
119s
Max time network
130s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_config.ps1
Network
Files
memory/2152-8-0x0000000002420000-0x00000000024A0000-memory.dmp
memory/2152-9-0x0000000002420000-0x00000000024A0000-memory.dmp
memory/2152-7-0x0000000001ED0000-0x0000000001ED8000-memory.dmp
memory/2152-6-0x0000000002420000-0x00000000024A0000-memory.dmp
memory/2152-10-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
memory/2152-11-0x0000000002420000-0x00000000024A0000-memory.dmp
memory/2152-4-0x000000001B250000-0x000000001B532000-memory.dmp
memory/2152-5-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
memory/2152-12-0x0000000002420000-0x00000000024A0000-memory.dmp
memory/2152-13-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
104s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_link.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frhqxxv4.f4s.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2116-5-0x0000029B50CF0000-0x0000029B50D12000-memory.dmp
memory/2116-10-0x00007FFD246A0000-0x00007FFD25161000-memory.dmp
memory/2116-11-0x0000029B69260000-0x0000029B69270000-memory.dmp
memory/2116-12-0x0000029B69260000-0x0000029B69270000-memory.dmp
memory/2116-15-0x00007FFD246A0000-0x00007FFD25161000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_auto.js
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_jqtype.ps1
Network
Files
memory/1992-4-0x000000001B290000-0x000000001B572000-memory.dmp
memory/1992-6-0x0000000001E30000-0x0000000001E38000-memory.dmp
memory/1992-7-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/1992-5-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp
memory/1992-8-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp
memory/1992-9-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/1992-10-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/1992-11-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/1992-12-0x0000000002950000-0x00000000029D0000-memory.dmp
memory/1992-13-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240215-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members_group.ps1
Network
Files
memory/2204-5-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2204-4-0x000000001B620000-0x000000001B902000-memory.dmp
memory/2204-7-0x00000000027F0000-0x00000000027F8000-memory.dmp
memory/2204-8-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
memory/2204-9-0x0000000002820000-0x00000000028A0000-memory.dmp
memory/2204-6-0x0000000002820000-0x00000000028A0000-memory.dmp
memory/2204-10-0x0000000002820000-0x00000000028A0000-memory.dmp
memory/2204-11-0x0000000002820000-0x00000000028A0000-memory.dmp
memory/2204-12-0x0000000002820000-0x00000000028A0000-memory.dmp
memory/2204-13-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240319-en
Max time kernel
151s
Max time network
162s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_playerdown.ps1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| IE | 94.245.104.56:443 | | tcp |
| GB | 172.166.92.12:443 | | tcp |
| GB | 51.140.242.104:443 | | tcp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| NL | 142.250.179.138:443 | | tcp |
| NL | 142.250.179.138:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 13.105.221.16:443 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qx2tstrl.s12.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/776-5-0x00000280750E0000-0x0000028075102000-memory.dmp
memory/776-10-0x00007FF892A60000-0x00007FF893521000-memory.dmp
memory/776-11-0x00000280751D0000-0x00000280751E0000-memory.dmp
memory/776-12-0x00000280751D0000-0x00000280751E0000-memory.dmp
memory/776-15-0x00007FF892A60000-0x00007FF893521000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib2.js
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_tempvideo.ps1
Network
Files
memory/2124-4-0x000000001B7C0000-0x000000001BAA2000-memory.dmp
memory/2124-5-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/2124-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2124-7-0x0000000002BB0000-0x0000000002C30000-memory.dmp
memory/2124-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2124-9-0x0000000002BB0000-0x0000000002C30000-memory.dmp
memory/2124-11-0x0000000002BB0000-0x0000000002C30000-memory.dmp
memory/2124-10-0x0000000002BB0000-0x0000000002C30000-memory.dmp
memory/2124-12-0x0000000002BB0000-0x0000000002C30000-memory.dmp
memory/2124-13-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
175s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect_news.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_datarelate.js
Network
| Country | Destination | Domain | Proto |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:17
Platform
win10v2004-20240226-en
Max time kernel
94s
Max time network
207s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_filecheck.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
memory/1572-2-0x00000207DEAD0000-0x00000207DEAF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uhmymy0w.22d.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1572-10-0x00007FFE7D4F0000-0x00007FFE7DFB1000-memory.dmp
memory/1572-11-0x00000207DC9E0000-0x00000207DC9F0000-memory.dmp
memory/1572-12-0x00000207DC9E0000-0x00000207DC9F0000-memory.dmp
memory/1572-13-0x00000207DC9E0000-0x00000207DC9F0000-memory.dmp
memory/1572-16-0x00007FFE7D4F0000-0x00007FFE7DFB1000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
123s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_jqtype.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3040-0-0x00000216B62F0000-0x00000216B6312000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_stpuzkjz.xlx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3040-10-0x00007FF9CD030000-0x00007FF9CDAF1000-memory.dmp
memory/3040-11-0x000002169D3E0000-0x000002169D3F0000-memory.dmp
memory/3040-12-0x000002169D3E0000-0x000002169D3F0000-memory.dmp
memory/3040-13-0x000002169D3E0000-0x000002169D3F0000-memory.dmp
memory/3040-16-0x00007FF9CD030000-0x00007FF9CDAF1000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect_news.js
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_playerdown.ps1
Network
Files
memory/2076-4-0x000000001B480000-0x000000001B762000-memory.dmp
memory/2076-6-0x0000000001ED0000-0x0000000001ED8000-memory.dmp
memory/2076-7-0x0000000001F00000-0x0000000001F80000-memory.dmp
memory/2076-5-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp
memory/2076-8-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp
memory/2076-10-0x0000000001F00000-0x0000000001F80000-memory.dmp
memory/2076-9-0x0000000001F00000-0x0000000001F80000-memory.dmp
memory/2076-11-0x0000000001F00000-0x0000000001F80000-memory.dmp
memory/2076-12-0x0000000001F00000-0x0000000001F80000-memory.dmp
memory/2076-13-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
164s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_pseudo.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp |
Files
memory/4368-9-0x000002C219C50000-0x000002C219C72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5s0e1ygc.ifd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4368-10-0x00007FFB33B90000-0x00007FFB34651000-memory.dmp
memory/4368-11-0x000002C232320000-0x000002C232330000-memory.dmp
memory/4368-12-0x000002C232320000-0x000002C232330000-memory.dmp
memory/4368-15-0x000002C232320000-0x000002C232330000-memory.dmp
memory/4368-16-0x00007FFB33B90000-0x00007FFB34651000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
ubuntu1804-amd64-20240226-en
Max time kernel
1s
Max time network
133s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/exe | /tmp/var/tmp/proc/mysql | N/A |
| File opened for reading | /proc/sys/net/core/somaxconn | /tmp/var/tmp/proc/mysql | N/A |
| File opened for reading | /proc/stat | /tmp/var/tmp/proc/mysql | N/A |
Processes
/tmp/var/tmp/proc/mysql
[/tmp/var/tmp/proc/mysql]
/usr/bin/getconf
[/usr/bin/getconf CLK_TCK]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.194.49:443 | | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.2.49:443 | cdn.fwupd.org | tcp |
| US | 151.101.129.91:443 | | tcp |
| GB | 89.187.167.3:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.129.91:443 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 195.181.164.19:443 | 1527653184.rsc.cdn77.org | tcp |
Files
memory/1565-1-0x0000000000400000-0x0000000000e6e0d8-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_filecheck.ps1
Network
Files
memory/2680-4-0x000000001B440000-0x000000001B722000-memory.dmp
memory/2680-6-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp
memory/2680-5-0x0000000002560000-0x0000000002568000-memory.dmp
memory/2680-7-0x0000000002AF0000-0x0000000002B70000-memory.dmp
memory/2680-8-0x0000000002AF0000-0x0000000002B70000-memory.dmp
memory/2680-9-0x0000000002AF0000-0x0000000002B70000-memory.dmp
memory/2680-10-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp
memory/2680-11-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp
memory/2680-12-0x0000000002AF0000-0x0000000002B70000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_auto.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240319-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_datarelate.js
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240220-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_link.ps1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
0s
Max time network
5s
Command Line
Signatures
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members.ps1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
178s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_members_group.ps1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2urymvz.1ww.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_pseudo.ps1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
167s
Max time network
183s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_reslib.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3752 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240221-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_ads.ps1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win7-20240220-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect.js
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:16
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
131s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_collect.js
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-10 11:13
Reported
2024-04-10 11:17
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
183s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\var\www\html\admin\admin_config.ps1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m0r4gy4u.403.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |