Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://gofile.io/d/...

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-03-2024 16:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://gofile.io/d/2qq6Da

Score
10/10
umbralspywarestealer

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1196551286892535848/BI-4wJMe0VqcV998bhbMUu_wWa9MHqKDsvG2bhmZuynbA6FvVmQpf3BApw4_YqBZ6TZ5

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/2qq6Da
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffacec146f8,0x7ffacec14708,0x7ffacec14718
      2⤵
        PID:3172
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        2⤵
          PID:2168
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:244
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
          2⤵
            PID:228
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
            2⤵
              PID:4904
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
              2⤵
                PID:3220
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
                2⤵
                  PID:2000
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
                  2⤵
                    PID:5112
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
                    2⤵
                      PID:1888
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
                      2⤵
                        PID:4244
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
                        2⤵
                          PID:4824
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
                          2⤵
                            PID:1536
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
                            2⤵
                              PID:4924
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
                              2⤵
                                PID:4036
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
                                2⤵
                                  PID:4212
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5664 /prefetch:8
                                  2⤵
                                    PID:2024
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
                                    2⤵
                                      PID:2568
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3940 /prefetch:8
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:4592
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
                                      2⤵
                                        PID:5964
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
                                        2⤵
                                          PID:5196
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:3196
                                        • C:\Program Files\7-Zip\7zFM.exe
                                          "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Amruus promo link generator (1).rar"
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious behavior: GetForegroundWindowSpam
                                          • Suspicious use of FindShellTrayWindow
                                          PID:5392
                                          • C:\Users\Admin\AppData\Local\Temp\7zO0157D9A8\Promo link generator.exe
                                            "C:\Users\Admin\AppData\Local\Temp\7zO0157D9A8\Promo link generator.exe"
                                            3⤵
                                            • Drops file in Drivers directory
                                            • Executes dropped EXE
                                            PID:1368
                                            • C:\Windows\SYSTEM32\attrib.exe
                                              "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\7zO0157D9A8\Promo link generator.exe"
                                              4⤵
                                              • Views/modifies file attributes
                                              PID:4212
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO0157D9A8\Promo link generator.exe'
                                              4⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:5536
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                              4⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1916
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                              4⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:5720
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                              4⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4128
                                            • C:\Windows\System32\Wbem\wmic.exe
                                              "wmic.exe" os get Caption
                                              4⤵
                                                PID:5592
                                              • C:\Windows\System32\Wbem\wmic.exe
                                                "wmic.exe" computersystem get totalphysicalmemory
                                                4⤵
                                                  PID:6064
                                                • C:\Windows\System32\Wbem\wmic.exe
                                                  "wmic.exe" csproduct get uuid
                                                  4⤵
                                                    PID:5580
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                    4⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:2228
                                                  • C:\Windows\System32\Wbem\wmic.exe
                                                    "wmic" path win32_VideoController get name
                                                    4⤵
                                                    • Detects videocard installed
                                                    PID:5260
                                                  • C:\Windows\SYSTEM32\cmd.exe
                                                    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\7zO0157D9A8\Promo link generator.exe" && pause
                                                    4⤵
                                                      PID:3356
                                                      • C:\Windows\system32\PING.EXE
                                                        ping localhost
                                                        5⤵
                                                        • Runs ping.exe
                                                        PID:5604
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2415118587384375647,17498094208228463662,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3620 /prefetch:2
                                                  2⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:4044
                                                • C:\Program Files\7-Zip\7zFM.exe
                                                  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Amruus promo link generator (1).rar"
                                                  2⤵
                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                  • Suspicious use of FindShellTrayWindow
                                                  PID:4464
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:3500
                                                • C:\Windows\System32\CompPkgSrv.exe
                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                  1⤵
                                                    PID:3152
                                                  • C:\Windows\System32\rundll32.exe
                                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                    1⤵
                                                      PID:4388
                                                    • C:\Program Files\7-Zip\7zG.exe
                                                      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Amruus promo link generator\" -spe -an -ai#7zMap4672:116:7zEvent11093
                                                      1⤵
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      PID:1536
                                                    • C:\Windows\system32\NOTEPAD.EXE
                                                      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Amruus promo link generator\links.txt
                                                      1⤵
                                                        PID:3288
                                                      • C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe
                                                        "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
                                                        1⤵
                                                        • Drops file in Drivers directory
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2124
                                                        • C:\Windows\SYSTEM32\attrib.exe
                                                          "attrib.exe" +h +s "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe"
                                                          2⤵
                                                          • Views/modifies file attributes
                                                          PID:3520
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe'
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4532
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5244
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5448
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5684
                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                          "wmic.exe" os get Caption
                                                          2⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5896
                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                          "wmic.exe" computersystem get totalphysicalmemory
                                                          2⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:5964
                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                          "wmic.exe" csproduct get uuid
                                                          2⤵
                                                            PID:6020
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                            2⤵
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:6076
                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                            "wmic" path win32_VideoController get name
                                                            2⤵
                                                            • Detects videocard installed
                                                            PID:1228
                                                          • C:\Windows\SYSTEM32\cmd.exe
                                                            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe" && pause
                                                            2⤵
                                                              PID:4532
                                                              • C:\Windows\system32\PING.EXE
                                                                ping localhost
                                                                3⤵
                                                                • Runs ping.exe
                                                                PID:5348
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault113c1c26hd671h49d7hbb60h3d22e2829c35
                                                            1⤵
                                                              PID:2480
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffacec146f8,0x7ffacec14708,0x7ffacec14718
                                                                2⤵
                                                                  PID:1044
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,4651363724567725945,15643020946120458333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
                                                                  2⤵
                                                                    PID:5844
                                                                • C:\Program Files\7-Zip\7zG.exe
                                                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Amruus promo link generator (1)\" -spe -an -ai#7zMap22725:124:7zEvent9291
                                                                  1⤵
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  PID:3160

                                                                Network

                                                                MITRE ATT&CK Enterprise v15

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Promo link generator.exe.log
                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  547df619456b0e94d1b7663cf2f93ccb

                                                                  SHA1

                                                                  8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

                                                                  SHA256

                                                                  8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

                                                                  SHA512

                                                                  01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                                  SHA1

                                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                  SHA256

                                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                  SHA512

                                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                  Filesize

                                                                  152B

                                                                  MD5

                                                                  cbec32729772aa6c576e97df4fef48f5

                                                                  SHA1

                                                                  6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

                                                                  SHA256

                                                                  d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

                                                                  SHA512

                                                                  425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                  Filesize

                                                                  152B

                                                                  MD5

                                                                  4827f90d60f34fdef44ea71dbf1cc201

                                                                  SHA1

                                                                  8f65f208b5573ea89fdceb50e0ecf4d7da9c0731

                                                                  SHA256

                                                                  a4e6d2a8057ac6d53e619c4ae25a6a3b40e8d72425b2860909115ffe03fbd4bc

                                                                  SHA512

                                                                  d9df2864852ab0abfa3af1cce3c8df116f2f94c724842ea0dc5dbcb8ef24cd42d78690d676f8d36f259a3ab00a3e18d8c36983626b93d7788616aa6175be8df3

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                  Filesize

                                                                  152B

                                                                  MD5

                                                                  279e783b0129b64a8529800a88fbf1ee

                                                                  SHA1

                                                                  204c62ec8cef8467e5729cad52adae293178744f

                                                                  SHA256

                                                                  3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

                                                                  SHA512

                                                                  32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                  Filesize

                                                                  288B

                                                                  MD5

                                                                  a5fc18a544faa4cb71509d8cb530cfa9

                                                                  SHA1

                                                                  ec9f36e4669f186b6d326a5f15b43692e498ce68

                                                                  SHA256

                                                                  7c0b3bd7131c8dceeed660b3124d62501bcf68bea570999e4fa661ee568387d7

                                                                  SHA512

                                                                  f122bef4ad5c6a825aa6a81a3b8f5c32170fb78f3adc924472e8cdba3411a092f644c75c9f90f145d9e8f9a24269f050dbf1e364462671b5296d1b1d0c96d337

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
                                                                  Filesize

                                                                  20KB

                                                                  MD5

                                                                  2037fd50b2247e4a34c7f93a521c54de

                                                                  SHA1

                                                                  d4693128f2dfe2a9c6b1444ced645cae0400cd24

                                                                  SHA256

                                                                  af8cbbc812feb661443589761e939bde545f8038474eb6cb1e0e3aaa38f124ce

                                                                  SHA512

                                                                  80b928ab702bb66190b994f4e49b3f7b22a5bbf642fb58380dd2017a1fcdfed46e8bd7bc5b26da05dc747d33e02378d3b5682d920af7ac5b63d5b168fbaa367c

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
                                                                  Filesize

                                                                  524B

                                                                  MD5

                                                                  c8de1ef035cf71c81b76395b5f2178d4

                                                                  SHA1

                                                                  3ae5ac19042151df77388bb9b8e9b751bb335248

                                                                  SHA256

                                                                  75dbbc8c40d92da847aa3f17a3a15b94ec8b6fada6a0b44c52d9ab843e9049ae

                                                                  SHA512

                                                                  844b4b727a9db0d76019ecb60693547b91a529630d2261652b68c0798404be26b4f9ec96989c8d57f4f2b2659aace0c99ee9d8c8c45cb9058e80aa4a36088f51

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                  Filesize

                                                                  782B

                                                                  MD5

                                                                  89b6845ae63ef0eb2930cafbec1c238c

                                                                  SHA1

                                                                  799def93ec80df8f1c68e7aa4b6e420564353846

                                                                  SHA256

                                                                  b79701c5010c6c746e2a22498df320858e194439ba12783b2edc72212a86115e

                                                                  SHA512

                                                                  f97bd685227c6acb690ca28a2a55a1f0a3d3ebacd8e536b32de503add5b75c92b0ac1ad3765858290c9fd4490076affde477bc38ec69eb691d7e08f1d28234ae

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  21ea508fa27c9f1ce2520a5a2a9bc7b5

                                                                  SHA1

                                                                  e89cbfd2d57e3460f7aa1bfea66155015c5328cd

                                                                  SHA256

                                                                  3247248afca17cbbd2775b829ee66c48c6cfdd918cda622a9e186918c9d9492b

                                                                  SHA512

                                                                  06f42a5df2f99b056af97c594da55b4a0342750a34949404321aa7fa057c46411d5bcd80471d4c24581cb2b3303c649194a7922787c7116d80a81eda2fe860f0

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  8845e9a3a2e1e15f350f80e39a312a44

                                                                  SHA1

                                                                  bb715246ce6e97a5d89d8b5dd70a6199f1afce1e

                                                                  SHA256

                                                                  c85643fb0e4d31b5debb355d9ca9abac279a8e93c4f57497f787cbcbc70346dd

                                                                  SHA512

                                                                  bfee5cd3ebeec3f478a32f6d93873a5aaa0e66d5240683f9ec4f51dd47a46076da082466009a8eacc0f94fc652d6c4106dd3711ea805d0a3dfae6782a2383cbd

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  21fbe8090512095f6845e5804f5446d8

                                                                  SHA1

                                                                  de25652889f2fb842652c86c7f1bd589d133086e

                                                                  SHA256

                                                                  a63fb64d85d1410b1ed3d6550d3a49b8fa2e3244d93d372af24cb738021f2b63

                                                                  SHA512

                                                                  e844e307f622ef64d8e61e56f797c8b68d2243c12c27f09c2cb96e7dffaa706fe773e44baaec244f157520311368aac1fe52c726aa182e337a2c1b9a7a99052f

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  2d2024f46433c980e4406c073f6574fc

                                                                  SHA1

                                                                  e5b1b9b2c725ac545dd8b587e7d8d91fedc409f6

                                                                  SHA256

                                                                  b0cac4d5ee1d73292952375663dc8b72847311d0e4a6e13bbdc559759dc0dc91

                                                                  SHA512

                                                                  63afbd8b0e4eefc7f3c07b779b847b590c940a599d6c3f7bc91a95fbb1a3d4ef5fb434c77ca98d56883a88ec164163731303fbe5e3a63f62fb2438fb793cb3f3

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                  Filesize

                                                                  16B

                                                                  MD5

                                                                  6752a1d65b201c13b62ea44016eb221f

                                                                  SHA1

                                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                  SHA256

                                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                  SHA512

                                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                  Filesize

                                                                  11KB

                                                                  MD5

                                                                  f3dbef1255794b9d3a0c005206afe6f6

                                                                  SHA1

                                                                  54f80207a3d80ca87e658fb2f49a7823eeb61c43

                                                                  SHA256

                                                                  397ab4815f9b689363c5164b26883fbe0a5c2415894f756917179de39446d985

                                                                  SHA512

                                                                  b87beb97063fc46675f95a1609e54b6eebc09fe4547cc36731eb98a611035431dd1745f8a76c3de1e53fb8b10671aa92bea37be322d9e2bd5a4e49b5ea074e61

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                  Filesize

                                                                  11KB

                                                                  MD5

                                                                  fa3afd8ddadef1e9659a3080c9f06431

                                                                  SHA1

                                                                  e791c8b52bf6812ff49eee11ed034cc20c62c56e

                                                                  SHA256

                                                                  8c5fdcc546cf00a502f16cdd19e4956fc5541637b9a922c6b8665c1e28a428c2

                                                                  SHA512

                                                                  f6c1404f66074afc7640ac6035c3954219802ba2dc3f3086199a5477b5c8024e615552483ddb9f8419cb4038b7222929284b399fd9e5514405b7604c237a01f7

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                  Filesize

                                                                  11KB

                                                                  MD5

                                                                  bbbfae3cd634fc36f540ddf28fb4ae90

                                                                  SHA1

                                                                  e81b494140718be9e59f0654edc018e795a6aedd

                                                                  SHA256

                                                                  cd5ea21a1fb4da006d1ea2b2309f0e6b3654eca088057b6e023e5d4f40e90a92

                                                                  SHA512

                                                                  5c73acd9438a09e883f6e5a4b9adb8ba1188eab7bf6b417ad77b4d056d0d132b02984255ce8774aa98d9e9582c64ab60d42179ce3e99f3a7db55944af5194798

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                  Filesize

                                                                  11KB

                                                                  MD5

                                                                  509ab5ad7037989a83601aff0213ed64

                                                                  SHA1

                                                                  11ddfe263f24a3964c7fe5f5581ce1193210184b

                                                                  SHA256

                                                                  b3d0a6e364fec090d12e2f4580a2e2a29a0f7a4984ff4285fc89e7b5554105e7

                                                                  SHA512

                                                                  b1366f6a99a54eea98adab851af13327b2d48ae5368829c994fd2e848ac0047224d98fe8e49251f3e4d4cc821c0e792bfe6a53f873329ed83db91f564f36268f

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                  Filesize

                                                                  12KB

                                                                  MD5

                                                                  dd16f5878d904939d41c3625803146d2

                                                                  SHA1

                                                                  c01ad89b2f433bad02fcd693e66102a33ff9c2d2

                                                                  SHA256

                                                                  c6b67f8764f71a503e3f950c5e33780a1322c960633cda8571e576a1b53681fd

                                                                  SHA512

                                                                  8571e8a5b0b3c139b02cc7f3f07e187a3d810c874de4711fc8130c52541f3510c55a7050286df1523358581f2654c57330e23b925e9dde1ded83b6ed5a8bae0a

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                  Filesize

                                                                  12KB

                                                                  MD5

                                                                  46ceaf91602333efe3302d7af60ac7b1

                                                                  SHA1

                                                                  b01b2a9e8d9f414b1e61fe2d46ce67ddb23acfb3

                                                                  SHA256

                                                                  bbf8885c5e83f1d88447afdf4c48ee652c0710e274408f6ecd562eff3c218922

                                                                  SHA512

                                                                  5a32fa866198df6eabbffcf7bb2dd09f1c49844e5449ff2e2fb53862c4a23c8cd2942a2401f4daeee14b4e066c3323e14e865230a5204b25ac4fef058d59975a

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  cadef9abd087803c630df65264a6c81c

                                                                  SHA1

                                                                  babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                                  SHA256

                                                                  cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                                  SHA512

                                                                  7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  948B

                                                                  MD5

                                                                  7249f5c73fd4c203cc0b5d76b5d550e6

                                                                  SHA1

                                                                  c36c86b0fff962ea5f44d40116554a8e7754a5d4

                                                                  SHA256

                                                                  fd9b15f7b9f160af704090a1781a61943f27baab50a42c62ac7b6df9f415e17d

                                                                  SHA512

                                                                  71a99f4051daa50099f26212d22920d38bde6ab1ee0f4f5a2a7dee312c49bb885e193fff1d218cb4f0980277b7b62d9801bf8cd7d356e5870e942989c920f346

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  276798eeb29a49dc6e199768bc9c2e71

                                                                  SHA1

                                                                  5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

                                                                  SHA256

                                                                  cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

                                                                  SHA512

                                                                  0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  28dbc654d9b03d69016a18b8eca34c49

                                                                  SHA1

                                                                  5aa9c65b86d938dea0b9b3ef7d67eeff6c990eea

                                                                  SHA256

                                                                  772881c2bb8a50032e55294effb461cb6faaea8958eef4400a51b1535ad5b3b5

                                                                  SHA512

                                                                  2cb146e6fa8c18107e1ffe64af16a8aab19cc20af070758ba9b19803f0889f88743b7720af1c4c919a3d190a83face24d82f5ae105cfd0ae61be2e514b3ae7d8

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  64B

                                                                  MD5

                                                                  565ae0782a430aa402d936eadbebeb4d

                                                                  SHA1

                                                                  653c2474cddcbfebc58a2fc45d78100de51e36c7

                                                                  SHA256

                                                                  614a5289b17a7bd3a3bc277c82e4de56f85421bf5275d79771299e93dddac9b9

                                                                  SHA512

                                                                  2320b28c393782d6f25decee580bec6d9f333b7fdc170087012535c4f4dceb7e8165225ed07e17d604ee0db03816c644963ecf95895db3415e072156ebe3ad97

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  944B

                                                                  MD5

                                                                  96ff1ee586a153b4e7ce8661cabc0442

                                                                  SHA1

                                                                  140d4ff1840cb40601489f3826954386af612136

                                                                  SHA256

                                                                  0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

                                                                  SHA512

                                                                  3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  948B

                                                                  MD5

                                                                  627deabb4703797ece516ffff56dff63

                                                                  SHA1

                                                                  a73aad49150b7daf33c81fdb3d03104dcf98e10e

                                                                  SHA256

                                                                  fa203b9c836b5783d582900b5a1e65dc21fbf2ff25af63c41f9272ea930d8473

                                                                  SHA512

                                                                  0b44ed0301024c9b19fc0b5c73048b37142121628be818888970c9c3f3a71a75731e27791302e42347d9630c4ba446d02b07af723570f9813f86736b3c2582c3

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  d3235ed022a42ec4338123ab87144afa

                                                                  SHA1

                                                                  5058608bc0deb720a585a2304a8f7cf63a50a315

                                                                  SHA256

                                                                  10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

                                                                  SHA512

                                                                  236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Filesize

                                                                  1KB

                                                                  MD5

                                                                  08e2b6dc039d66a6bfa02fbaa9b86e1f

                                                                  SHA1

                                                                  1a45a88b900fc97183e50e3dd95deb5c086e2ca7

                                                                  SHA256

                                                                  13f0b2febb094f7d558d4325d06807162326f65290c90fa52fa1d3e4e4b35b14

                                                                  SHA512

                                                                  2e818787d6067890ec8586f9e4c2d459632e09c167749ff1b58fcaa273850b0ca61f0a468eda65a71358daa36a69ec7961b07cffe6ebcd7b8f79b2b796402891

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wyqtctnu.2dw.ps1
                                                                  Filesize

                                                                  60B

                                                                  MD5

                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                  SHA1

                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                  SHA256

                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                  SHA512

                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                  Download Submit

                                                                • C:\Users\Admin\Downloads\Amruus promo link generator.rar
                                                                  Filesize

                                                                  79KB

                                                                  MD5

                                                                  0b25d0cf701d9c68ae40085c1afe2e3d

                                                                  SHA1

                                                                  0266c00fdcddc3e2f835cfb4109dffe1e7cf32c7

                                                                  SHA256

                                                                  8f0352553ab0acb32642074579db93344be53f54c700ee70bef3335db09c6529

                                                                  SHA512

                                                                  cb797620225ab96d36f58dd50570e00a71909ad68d5080ce5d85e0e0b8b85ea38aba4487b434973d8c28b61c5a3914f8e7779c488a67f4b3a9d80bd95fcf0b6a

                                                                  Download Submit

                                                                • C:\Users\Admin\Downloads\Amruus promo link generator\Promo link generator.exe
                                                                  Filesize

                                                                  228KB

                                                                  MD5

                                                                  4e711e7231a67ebf4278a6ba9e2a1f98

                                                                  SHA1

                                                                  9bc200a14d089e0fe869674ee5f4219e86dc3009

                                                                  SHA256

                                                                  cfb4919168697ab5bfaa045cbf2c647aa55c1ffc8f5109acf90f2e90af14f40a

                                                                  SHA512

                                                                  38ac5f01c19304431f1b862172fd0ed7b67fd8926c94e289a7a9b06a6772b02c7708f9ebeb3263269721d379dede458bd29d16fd6eb81eb500d85b202707ec0f

                                                                  Download Submit

                                                                • C:\Users\Admin\Downloads\Amruus promo link generator\links.txt
                                                                  Filesize

                                                                  1B

                                                                  MD5

                                                                  68b329da9893e34099c7d8ad5cb9c940

                                                                  SHA1

                                                                  adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

                                                                  SHA256

                                                                  01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

                                                                  SHA512

                                                                  be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

                                                                  Download Submit

                                                                • C:\Windows\system32\drivers\etc\hosts
                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  4028457913f9d08b06137643fe3e01bc

                                                                  SHA1

                                                                  a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                                                                  SHA256

                                                                  289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                                                                  SHA512

                                                                  c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                                                                  Download Submit

                                                                • memory/1368-372-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/1368-373-0x00000266788B0000-0x00000266788C0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/1368-457-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/1368-485-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/1916-398-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/1916-399-0x000001B5711F0000-0x000001B571200000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/1916-410-0x000001B5711F0000-0x000001B571200000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/1916-412-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/2124-228-0x0000024CE26F0000-0x0000024CE2702000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2124-177-0x0000024CE27A0000-0x0000024CE27F0000-memory.dmp

                                                                  Filesize

                                                                  320KB

                                                                  Download

                                                                • memory/2124-221-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/2124-137-0x0000024CC7FB0000-0x0000024CC7FF0000-memory.dmp

                                                                  Filesize

                                                                  256KB

                                                                  Download

                                                                • memory/2124-175-0x0000024CE2720000-0x0000024CE2796000-memory.dmp

                                                                  Filesize

                                                                  472KB

                                                                  Download

                                                                • memory/2124-227-0x0000024CE26A0000-0x0000024CE26AA000-memory.dmp

                                                                  Filesize

                                                                  40KB

                                                                  Download

                                                                • memory/2124-232-0x0000024CE2590000-0x0000024CE25A0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/2124-138-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/2124-179-0x0000024CE2560000-0x0000024CE257E000-memory.dmp

                                                                  Filesize

                                                                  120KB

                                                                  Download

                                                                • memory/2124-253-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/2124-139-0x0000024CE2590000-0x0000024CE25A0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/2228-477-0x0000019C57EB0000-0x0000019C57EC0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/2228-476-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/2228-480-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/4128-459-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/4128-446-0x000001DCAB6C0000-0x000001DCAB6D0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/4128-445-0x000001DCAB6C0000-0x000001DCAB6D0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/4128-444-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/4532-152-0x000001E2B2740000-0x000001E2B2750000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/4532-149-0x000001E2B26E0000-0x000001E2B2702000-memory.dmp

                                                                  Filesize

                                                                  136KB

                                                                  Download

                                                                • memory/4532-151-0x000001E2B2740000-0x000001E2B2750000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/4532-150-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/4532-155-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5244-158-0x00000197497E0000-0x00000197497F0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5244-172-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5244-170-0x00000197497E0000-0x00000197497F0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5244-157-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5244-164-0x00000197497E0000-0x00000197497F0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5448-208-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5448-181-0x0000029F6B130000-0x0000029F6B140000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5448-206-0x0000029F6B130000-0x0000029F6B140000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5448-182-0x0000029F6B130000-0x0000029F6B140000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5448-180-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5536-384-0x000001B43BD50000-0x000001B43BD60000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5536-385-0x000001B43BD50000-0x000001B43BD60000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5536-383-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5536-397-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5684-209-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5684-222-0x000001A24BC40000-0x000001A24BC50000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5684-210-0x000001A24BC40000-0x000001A24BC50000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5684-224-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5720-443-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/5720-441-0x00000146E8960000-0x00000146E8970000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5720-430-0x00000146E8960000-0x00000146E8970000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5720-429-0x00000146E8960000-0x00000146E8970000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/5720-420-0x00007FFAB9D00000-0x00007FFABA7C1000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/6076-247-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download

                                                                • memory/6076-245-0x000001B478CB0000-0x000001B478CC0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/6076-243-0x000001B478CB0000-0x000001B478CC0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/6076-242-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp

                                                                  Filesize

                                                                  10.8MB

                                                                  Download