umbral | hxxps://mega[.]nz/file/YDdDRJKC#a1X2Y2UFNk-3_VFRDfO3bS0uziR5dlo8CpVvVRKKFNA

Analysis

max time kernel
39s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/YDdDRJKC#a1X2Y2UFNk-3_VFRDfO3bS0uziR5dlo8CpVvVRKKFNA

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023261-173.dat	family_umbral
behavioral1/memory/2592-319-0x0000016C42130000-0x0000016C42178000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 2 IoCs

pid	Process
2592	Celestial.exe
3288	Celestial.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 853478.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
732	msedge.exe
732	msedge.exe
3796	msedge.exe
3796	msedge.exe
4484	identity_helper.exe
4484	identity_helper.exe
2292	msedge.exe
2292	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: 33	2308	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2308	AUDIODG.EXE
Token: SeDebugPrivilege	2592	Celestial.exe
Token: SeIncreaseQuotaPrivilege	464	wmic.exe
Token: SeSecurityPrivilege	464	wmic.exe
Token: SeTakeOwnershipPrivilege	464	wmic.exe
Token: SeLoadDriverPrivilege	464	wmic.exe
Token: SeSystemProfilePrivilege	464	wmic.exe
Token: SeSystemtimePrivilege	464	wmic.exe
Token: SeProfSingleProcessPrivilege	464	wmic.exe
Token: SeIncBasePriorityPrivilege	464	wmic.exe
Token: SeCreatePagefilePrivilege	464	wmic.exe
Token: SeBackupPrivilege	464	wmic.exe
Token: SeRestorePrivilege	464	wmic.exe
Token: SeShutdownPrivilege	464	wmic.exe
Token: SeDebugPrivilege	464	wmic.exe
Token: SeSystemEnvironmentPrivilege	464	wmic.exe
Token: SeRemoteShutdownPrivilege	464	wmic.exe
Token: SeUndockPrivilege	464	wmic.exe
Token: SeManageVolumePrivilege	464	wmic.exe
Token: 33	464	wmic.exe
Token: 34	464	wmic.exe
Token: 35	464	wmic.exe
Token: 36	464	wmic.exe
Token: SeIncreaseQuotaPrivilege	464	wmic.exe
Token: SeSecurityPrivilege	464	wmic.exe
Token: SeTakeOwnershipPrivilege	464	wmic.exe
Token: SeLoadDriverPrivilege	464	wmic.exe
Token: SeSystemProfilePrivilege	464	wmic.exe
Token: SeSystemtimePrivilege	464	wmic.exe
Token: SeProfSingleProcessPrivilege	464	wmic.exe
Token: SeIncBasePriorityPrivilege	464	wmic.exe
Token: SeCreatePagefilePrivilege	464	wmic.exe
Token: SeBackupPrivilege	464	wmic.exe
Token: SeRestorePrivilege	464	wmic.exe
Token: SeShutdownPrivilege	464	wmic.exe
Token: SeDebugPrivilege	464	wmic.exe
Token: SeSystemEnvironmentPrivilege	464	wmic.exe
Token: SeRemoteShutdownPrivilege	464	wmic.exe
Token: SeUndockPrivilege	464	wmic.exe
Token: SeManageVolumePrivilege	464	wmic.exe
Token: 33	464	wmic.exe
Token: 34	464	wmic.exe
Token: 35	464	wmic.exe
Token: 36	464	wmic.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 528	3796	msedge.exe	15
PID 3796 wrote to memory of 528	3796	msedge.exe	15
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 4844	3796	msedge.exe	35
PID 3796 wrote to memory of 732	3796	msedge.exe	34
PID 3796 wrote to memory of 732	3796	msedge.exe	34
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38
PID 3796 wrote to memory of 1944	3796	msedge.exe	38

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecde346f8,0x7ffecde34708,0x7ffecde34718
1⤵
PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/YDdDRJKC#a1X2Y2UFNk-3_VFRDfO3bS0uziR5dlo8CpVvVRKKFNA
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,873929909373200089,2044813639092727540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3132

C:\Users\Admin\Downloads\Celestial.exe
"C:\Users\Admin\Downloads\Celestial.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:464

C:\Users\Admin\Downloads\Celestial.exe
"C:\Users\Admin\Downloads\Celestial.exe"
1⤵
- Executes dropped EXE
PID:3288
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celestial.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
f3a47402ddebec1127b7e50406675297

SHA1
6250d18c4d36c2ffbd8ccc43a0d08a5c85a47f77

SHA256
f13322ff5f0438f792734c7cf99303eeb9467d903ac6f60a119ab1fcbef39796

SHA512
7dcfbdffa1125f5d9c7838129fb2cd7e3bed23edc44bb65fbe2a34aca4379fbe621a10d251b90ad41f8c9d77c64613a38285a21e5e2efb5dbf5e931883d1923e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
62dd09cee5045ac7304cd2d571a5a2db

SHA1
0d01d6ce0e639dfcdeced3ba27d8901cb683b0c7

SHA256
30919e51a3d8f9b581cdc1c283c313a6fbbc24cad5eca222d8727e34350d60a8

SHA512
b51f5b262abcec1f22d92de8ca2cf0ac315385effe98c5b974684b2534b159ed36815544a2e0d62bd2aa6f08bd2cbd5b6586240aa7557690d15e037eed331177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b08083cde918f22dd9736b19985085a

SHA1
ffd42e75ed196bf1b48237918cb597da3bcf896e

SHA256
49cea3984481d7a360eaee24fd953cc76429c7e6adb24a7b79d7615bcda585a4

SHA512
530107b85e6207d0beda9779eac98846ae5303c059a87e97d2cf7a1919cccbce772e910955710c154f98dd44925f155f473e26125cb3b831231f9833c6ee6e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad69e79b12b0023b145e9f6b5b0bbcb5

SHA1
1f9e60ccf99e43bc7eabf2e995f95d94cf2e95fe

SHA256
5dac83e70d99943f489eeb8abcad1d0bf407b23b961b37f282968b61527503d8

SHA512
324c5165643e2667f336cd4a71f8b41f2a246464b072d8be5b4aab10cd9be0c7d4399d4b2eecbc053d870faae178c0dea92f8cbb36d9836206df086286171dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5e62a6848f50c5ca5f19380c1ea38156

SHA1
1f5e7db8c292a93ae4a94a912dd93fe899f1ea6a

SHA256
23b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488

SHA512
ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9d3835741b327cad5e2ec035cb0d70c2

SHA1
5e905db3570890788db3c408069cdc59014887cc

SHA256
258cb4489f171a09ac4fbbf7c7f52e20c2e776b76b6f41217415a120fee0a682

SHA512
963e3df83d3d4b55898001224db8e93264209d0e3acf1fb69933871ec3a33e95721fae2eb40eac78515c01eae99c0d63203d30644b4588c4ebfdcf0a00e4d15b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578f5f.TMP

Filesize
48B

MD5
b38dbc93779e98cffd5d8515e30aeef1

SHA1
108eafe563906a898f722515fd7ae1cf2c661ceb

SHA256
e0f48550131a007b05b2b84f9306db17a75e886c04dc9784a08df517659d7d49

SHA512
1cfdaf5d083296258c670f28857058c1e07e5a9cabb26704a157a996d6839a9617830b5b0b72dcd1c6ea95b74a8cedf04d001ff67cbbb3a4e20fa16af3091da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
92ad44d3dd4907bd8bf6e32ab72290ec

SHA1
58ad110af58a5eab0c0fc771b2eb0fc21f80d52b

SHA256
8b5cdd3eef501f59f5b569361b4b78094632962065d6d99d8b522cb8dec446f3

SHA512
bcb87d903eafcad12eb6130f8030361d6f634b57a8c23196b7f1353b4d301ff5fa0267fe95bd176bf0faa130a1bff3c3e97bfb49c82d92e411709ace88485435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0663a24efc90863f5b00d8355b48b960

SHA1
036f0d0f3b37323e0b10b50403d6eac396c8b123

SHA256
91d65ced992468009a7195ffa7f6b3df0bbcefce82fd4bd72ef20098fc021f8a

SHA512
b43398e89d0c2f4b91010b9fd8830f0cc38f01bf74e01a84c44a42de9d971bc3acbddb16c4a59918a49c998ef60906c48fb9d458abd88a8941034c38e01b78f3

Download Submit
C:\Users\Admin\Downloads\Celestial.exe

Filesize
264KB

MD5
d448a2df6f29c91c23b0d482fdb6ca49

SHA1
e533756132da1916cb3b6217edc066e72497bca3

SHA256
6ef6ef99e387801bbcb19f3295f0fa626fd2a0515a8f1947bce5d1f43fa6f968

SHA512
b1154c2cefb95e3e43738ac7a589c05482f126d7c325575a4540a100fac2691bd6bbeeb6105b8205132ae48fdbc68da4087a8d728e2529451ea342ae791ce6cf

Download Submit
memory/2592-319-0x0000016C42130000-0x0000016C42178000-memory.dmp

Filesize
288KB

Download
memory/2592-321-0x0000016C5C680000-0x0000016C5C690000-memory.dmp

Filesize
64KB

Download
memory/2592-320-0x00007FFEBE460000-0x00007FFEBEF21000-memory.dmp

Filesize
10.8MB

Download
memory/2592-323-0x00007FFEBE460000-0x00007FFEBEF21000-memory.dmp

Filesize
10.8MB

Download
memory/3288-327-0x00000250E7930000-0x00000250E7940000-memory.dmp

Filesize
64KB

Download
memory/3288-326-0x00007FFEBE460000-0x00007FFEBEF21000-memory.dmp

Filesize
10.8MB

Download
memory/3288-328-0x00007FFEBE460000-0x00007FFEBEF21000-memory.dmp

Filesize
10.8MB

Download