njrat | hxxps://oxy[.]name/d/lYKh

Analysis

max time kernel
299s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://oxy.name/d/lYKh

Score

10^/10

njrat umbral persistence spyware stealer trojan

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002351b-512.dat	family_umbral
behavioral1/memory/532-520-0x0000021F03230000-0x0000021F03270000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Umbrela install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Umbrela install.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	New Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	New Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	New Client.exe

Executes dropped EXE 5 IoCs

pid	Process
1548	Umbrela install.exe
3820	Umbrela install.exe
4212	New Client.exe
6140	Umbral.builder.exe
532	Saransk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
404	discord.com
405	discord.com
391	pastebin.com
392	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
393	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1104	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2792	PING.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2232	msedge.exe
2232	msedge.exe
4204	msedge.exe
4204	msedge.exe
3428	identity_helper.exe
3428	identity_helper.exe
5744	msedge.exe
5744	msedge.exe
4944	msedge.exe
4944	msedge.exe
932	msedge.exe
932	msedge.exe
1548	msedge.exe
1548	msedge.exe
3516	msedge.exe
3516	msedge.exe
4984	msedge.exe
4984	msedge.exe
5660	msedge.exe
5660	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
5568	powershell.exe
5568	powershell.exe
5568	powershell.exe
5132	powershell.exe
5132	powershell.exe
5132	powershell.exe
3128	powershell.exe
3128	powershell.exe
3128	powershell.exe
5680	powershell.exe
5680	powershell.exe
5680	powershell.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe
2128	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5460	7zFM.exe
4404	7zFM.exe
2128	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	116	7zFM.exe
Token: 35	116	7zFM.exe
Token: SeRestorePrivilege	5460	7zFM.exe
Token: 35	5460	7zFM.exe
Token: SeSecurityPrivilege	5460	7zFM.exe
Token: SeRestorePrivilege	4404	7zFM.exe
Token: 35	4404	7zFM.exe
Token: SeSecurityPrivilege	4404	7zFM.exe
Token: SeRestorePrivilege	2128	7zFM.exe
Token: 35	2128	7zFM.exe
Token: SeSecurityPrivilege	2128	7zFM.exe
Token: SeDebugPrivilege	532	Saransk.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	5568	powershell.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	4212	New Client.exe
Token: SeIncreaseQuotaPrivilege	4984	wmic.exe
Token: SeSecurityPrivilege	4984	wmic.exe
Token: SeTakeOwnershipPrivilege	4984	wmic.exe
Token: SeLoadDriverPrivilege	4984	wmic.exe
Token: SeSystemProfilePrivilege	4984	wmic.exe
Token: SeSystemtimePrivilege	4984	wmic.exe
Token: SeProfSingleProcessPrivilege	4984	wmic.exe
Token: SeIncBasePriorityPrivilege	4984	wmic.exe
Token: SeCreatePagefilePrivilege	4984	wmic.exe
Token: SeBackupPrivilege	4984	wmic.exe
Token: SeRestorePrivilege	4984	wmic.exe
Token: SeShutdownPrivilege	4984	wmic.exe
Token: SeDebugPrivilege	4984	wmic.exe
Token: SeSystemEnvironmentPrivilege	4984	wmic.exe
Token: SeRemoteShutdownPrivilege	4984	wmic.exe
Token: SeUndockPrivilege	4984	wmic.exe
Token: SeManageVolumePrivilege	4984	wmic.exe
Token: 33	4984	wmic.exe
Token: 34	4984	wmic.exe
Token: 35	4984	wmic.exe
Token: 36	4984	wmic.exe
Token: SeIncreaseQuotaPrivilege	4984	wmic.exe
Token: SeSecurityPrivilege	4984	wmic.exe
Token: SeTakeOwnershipPrivilege	4984	wmic.exe
Token: SeLoadDriverPrivilege	4984	wmic.exe
Token: SeSystemProfilePrivilege	4984	wmic.exe
Token: SeSystemtimePrivilege	4984	wmic.exe
Token: SeProfSingleProcessPrivilege	4984	wmic.exe
Token: SeIncBasePriorityPrivilege	4984	wmic.exe
Token: SeCreatePagefilePrivilege	4984	wmic.exe
Token: SeBackupPrivilege	4984	wmic.exe
Token: SeRestorePrivilege	4984	wmic.exe
Token: SeShutdownPrivilege	4984	wmic.exe
Token: SeDebugPrivilege	4984	wmic.exe
Token: SeSystemEnvironmentPrivilege	4984	wmic.exe
Token: SeRemoteShutdownPrivilege	4984	wmic.exe
Token: SeUndockPrivilege	4984	wmic.exe
Token: SeManageVolumePrivilege	4984	wmic.exe
Token: 33	4984	wmic.exe
Token: 34	4984	wmic.exe
Token: 35	4984	wmic.exe
Token: 36	4984	wmic.exe
Token: SeIncreaseQuotaPrivilege	5244	wmic.exe
Token: SeSecurityPrivilege	5244	wmic.exe
Token: SeTakeOwnershipPrivilege	5244	wmic.exe
Token: SeLoadDriverPrivilege	5244	wmic.exe
Token: SeSystemProfilePrivilege	5244	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe
4204	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 3988	4204	msedge.exe	88
PID 4204 wrote to memory of 3988	4204	msedge.exe	88
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 1280	4204	msedge.exe	89
PID 4204 wrote to memory of 2232	4204	msedge.exe	90
PID 4204 wrote to memory of 2232	4204	msedge.exe	90
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91
PID 4204 wrote to memory of 2468	4204	msedge.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6036	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.name/d/lYKh
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac76446f8,0x7ffac7644708,0x7ffac7644718
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5660
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\styler builder (5).rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\styler builder (4).rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2737831859795343843,7765844388442370830,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5544 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\styler builder (6).rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\styler builder (6).rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\7zO058C8489\Umbrela install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO058C8489\Umbrela install.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\Umbrela install.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbrela install.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3820
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"
        5⤵
        Executes dropped EXE
        
        PID:6140
    - - C:\Users\Admin\AppData\Local\Temp\Saransk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
        6⤵
        Views/modifies file attributes
        
        PID:6036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Saransk.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5568
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5132
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5244
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:2508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5680
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1104
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Saransk.exe" && pause
        6⤵
        
        PID:3068
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        Runs ping.exe
        
        PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\New Client.exe
      "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbrela install.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
6ce983d7a01b3b81035e6b38924921a5

SHA1
e096761c7c7554971bed87d50bed0a03ace74ed1

SHA256
6ef4c67ee05f1b3c6af4304df7d5ec01f0f1ed158a6310804a2ed5430aa63a62

SHA512
eccb78c5eda22bef6764a3f0f65ad51043762061d6ab77201f877253c002892bb5c709db6cfb3161188194572fbbc3553731ea8456fbe9d7565c205ec7bee61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
1550111bb046144c0027ad4c348b7f19

SHA1
d946b73daeb95ee265758229a6a61a619155ef6a

SHA256
e2add0a17edcbb625010af651874ac74d24f049edcac2548ee881bbafefbcbd7

SHA512
adae124afcc7589e0cdf9c03f862c2718d71a537dbcbe9309b77756ab120fa1d06417de461dd809454a481ce70478fd84e8533e4b548cfe736122a899766c88b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
2KB

MD5
3f5a6e54b6f996865b01f4b75b553b8c

SHA1
698d9722a2005d3bcb043157d0b745f69b268e5c

SHA256
c91370cfe15365aaff2436d94c397f6f90a937593803bf559f390ff6b4154d18

SHA512
b94cd891f806b5437dd30f8866866a41d953834ab4a023b4f1eba980cb3cdcd7ce961d270c14abcb354786be201d0eb25f8ba333ceebb59ed12fe50bd40e37b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
67e522f9b8952acbf10289b779cf09be

SHA1
9afa2e65dfb173dbe3e898e524195c2a7b229bf4

SHA256
b57e17885437c6021d482d8fc0598394f0a17a59c546363e83f3743740ecd74b

SHA512
897a471112e4417669e920c399c4a1a132b93b45a0a71012bfecfc543544b1a272e4ff54628c600e764fd7f348bc0bfaa3a88d648a1b59a0cd7fc59d63b70dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea66dcb0cc359c551ed04edbd3256705

SHA1
f91d1051e976da2df5edd015bf099aeb73a13e5b

SHA256
96fe257f79c70a669ae531726a55fc399f060a1306593449b6460e4e9be40d34

SHA512
c849faef3a3c3e0af40e9b7e1a750f5d050c2d3aa91c9df69ada3975ba25fafab77972fafce2729b1a10507fac3f7be8fe008e8402262bd68b97ab104c68e059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
989c6a717754366013140576e3623095

SHA1
ac234b3640b58ad5b2c460e363d0b040e34aa221

SHA256
20c359b4d288db74bdfe90626a329b5466a5c4a4a46021f7dd0e81d27b2980b4

SHA512
a103442317a6d1f189fbef81d25106cc95948d556458913b8f8bf69e42aeaee86378cef3d27d3344fcc7bbe9c732fe284ae22bfa227ad1e78d70eeaa07667e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
261b62207ed8e7e8b0f9fb8dffadbbfd

SHA1
3d9e7071219ddaf9fdd4f000d41a0541b7f215e1

SHA256
755c1dc03e01ae5218eccf36727ad5d38655a5820b30387a4cf95c3ddb391004

SHA512
34d841768d8c6455a5774571c964e53fc7f9e51036ce1f81dddc79ec4ff50a75f5741594844528045c01350bd4eba90e22709d25db96d4d80ad086cf2fe4a31d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fecbf9b0ab42bdf8d2c2598a94628f8f

SHA1
cfded97d59420918e0cd39e9922379fcdf800e7e

SHA256
e08162444f5efb74bffdb5fd701da9322f5f41ce81979eabdb4f35abc116b836

SHA512
22c51ede7ce7f24a5fe8266fe2c741f9e8ce41203dc8cbdd585c33202cbb8a13b3944e40a344befcc6e25203f09cadf5421858abbe97826b1b0a937d9e48a3df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4250214a8bf9cf1c0b9df08e57ed2f53

SHA1
8a74b21e03c5d2e6c85a0af8eec6a79a8da42b14

SHA256
ccfb14cb72a5f7d0648953527f3723dad62a0ae38ec19ad82e8ecd5fb3c49734

SHA512
308e30ac6cf8f2619ea31eb9ff46dd8efdccee909b346ea4d33d5df03d4ab6a467fc4e72fb3fdf0bc2ae7c4d0345f4ffe4c6e213761a0247075c7e9580fb29a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2d2b5ed86dbfa7b6eb5f0fff33d8cf0f

SHA1
4dd6b3decc1e4d05c4bbf42b0d0ceecc8553bf18

SHA256
d03505e9635a6ae50e8dfd36c98648d31ce8473fc69bea54e9449031c1b05c60

SHA512
033cb60365a4bce2b328da7a1b913c57ed1accc51774ef5597d4e3040a608b6101aa6afc37fa722dfb496245b87791dd19f3457d21d3a2602bd7ba6c22395768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
72266bb0f20bbac29f485105ce3ba639

SHA1
adcc974034699c150aa54e3c3d0e405cace40414

SHA256
afa42bd1900627e195265d5767645f3ba6d19ca4d6a6307f1f62e69b235d8181

SHA512
a9dde14b43868148681eb595becba7a2626b07481d95b9f3d5760aefce1a705d95e704eb8fbef7a8362b60d0aa51551e8f058d8426a600de6c79e0a8b53e1dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578899.TMP

Filesize
2KB

MD5
4cac4d4d68b90e2ea9015d9e7eef7366

SHA1
abc7a1d01e5b21142d4e47457d2ddbe906c74bad

SHA256
7f24bf870092439be5ea02b63059c8285afdceab36822873cf069de237b1767c

SHA512
cbd6d4cce7e633816c3f69a7f1f492fcb74274dc106f111a481317a255afe5116211e289c802ed1ad7788ffd058f3f5a553453daf36241182569dd2ed5fa2e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
27a1f2d31c283c4fdd99c9b1f22ac27a

SHA1
662a2294e3026c8cba786876f7dea5d2981f469e

SHA256
61deba652c82b07b44cff62eb50ee02dd01ccee694098eb1216cfaaea82ea1c9

SHA512
7eedd113223365090c61c538bf6392a787d2186b852d768ee903b7208efb099fcab8693397524e5dfc77236df9a2f084c943ba734c7cc07aee39ad53a9cc4662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9c0dd75b6a1bc6466c31e58bd8353491

SHA1
d68b9d4cd06f73c74a82829136557a6e69866b3a

SHA256
5c929e5cee199f66aafc87376ecc8c3a6544e120e4d1cd8cc0349cf28e2b1de6

SHA512
0f61feed5d8ba513800e518c02fcdb910e15ffa0aed40c30c1fe07bb8bd9fe1e1972adf6285e59b1faf24351b65bb38ae110bc80d3674ffe296f3762eb64ddae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a4bc41bb8f51cd55b8bf9324e6e49baf

SHA1
a003aecc1fdc8813a8020d76439ca81cdbd79d73

SHA256
1c3306af68daf82eb75a1056ca11cb62a597ac05b5bc5da5e1f68178a40308fb

SHA512
4704f61471f187bf4eaa6c499a03af23380561605fb6c035626007fea9346c8766ee1b7cfe1e4f524d3e7129397b387c9a4431c89cc05167af012cecdc6ee9fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4343d0c427f52f369d71931dbc0b9104

SHA1
bac3f9458fca0017aed2631d3479a2b7aa864d90

SHA256
745069039405f4889ff994e37342db4128b76c522f47d72bb3a7615fbdc84ad3

SHA512
66119845f3ab4eca4a66557dbc5af957fab569adba9ade45c48b978a9a5c8de0157c4ef1baf264ce18fbaac87bc8fb6fd33e83a843cdabb1e5e794f17e9b6015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
611e7af93f2c04b884cb22a8b139cffc

SHA1
a1b394d92d12d46c7c72e014277c410945a10e21

SHA256
2cebba5c20e89d342cdc176b6c5380964c83357ad7ff79242eff157be9f1abaa

SHA512
7fbe5df5653205a2cc5e44c0d26a429bc672e57560f1538374e5e9a3d4f68281ee242f70f6f1f6566c7804146bc9bb4e4e2f15b11b5aa6cac88501ae8f375133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04043a866a83304ac517bbea737a4434

SHA1
48f59f21f8562b5a617017ce423b93f1feb0181e

SHA256
fdffc15100bf1ae494f991861abbfe92a1c3d039f9e36d72c8d350339dcaac3f

SHA512
7d725fe1388a7550b1fc6975bb96bbd6932855ca1e4d46f5471187bb6d73c98348e36675443fa527a526b786eb6a5476fc6a802084b14d0474dfa254651a989a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO058C8489\Umbrela install.exe

Filesize
178KB

MD5
f4fbe69157c1743c8a172fcb91af2446

SHA1
ecfb0c915eb599c99e5f60d81ba8059cf8aa6bde

SHA256
504c5519ace18179f4cf61f7e6f2de0ebe0d570caf11b7e4e07ea1d0d868940c

SHA512
69071b0d15bafda8d7bf18f2718b1206d2d978c98d6d15090134749fd21aed8290d725bfe870e53fc4da73cc8d0e9460a4dc3b79ede6064b6c2e7fab14536f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Client.exe

Filesize
65KB

MD5
9d1b756c27e17e4339f6cdf0a69919b6

SHA1
a85d8c63acd97c14ee21e19a045bd4995325a40d

SHA256
ef8fb951eeafd39b5cfd89ce20866fbb116cfd75c19a96a192e5a3c4efa8a183

SHA512
9cca512c24f00da9ea27cd07f12a75b7f19577870c9b412e6b9462795ebb312942dbce53c18c80679d3306c3f2de9208045e766d5861779343a22e296138b2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Saransk.exe

Filesize
231KB

MD5
80966389900adef83ee386790866c6b1

SHA1
8b581e5fb73abbb0210e0edd7b007631b5fcdda4

SHA256
f841ab2609521383d2b422226afd715f7ce15a528c8edae25dc54971bbaba7d4

SHA512
3c0137d3b48af3513cd77e3ec7574ae9c24aa58cb2476133af2160f2443eefe4e474a556a67ecfa2d6800f9f248f7cc55bdd41bfcbb173d75775b80894aed990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe

Filesize
113KB

MD5
2523aa0cb9c8e02ae7c62dc7e0ff54b8

SHA1
77fc1a8278dd03132df7e805daa5815e65f663ca

SHA256
6b58b3755464f350f325eafab38b65155bb9387c520511e98d8cb850013ebc35

SHA512
c4b065f51d5928b29229857f77054817d86113ce23caf62811064bb04149c9b3c7c9c876309f57d5d0ce21627283bf556b4ea63012074002367416b8abf2fbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbrela install.exe

Filesize
141KB

MD5
a307c61336035d682e6277a447813c8f

SHA1
43df5ffd5bb5bc61df6798da20754e680fe181a7

SHA256
d4a8543483f8000fbf91dca52752b0ebe1f3ebc531dbbb78c27abf4fd7324db1

SHA512
e520c5ca6eaffc117f8fed390fcf16262913a3f10575302af0b43f465ffd104c2b904838fedf743472050122fdfff02041c9f4ec3f6e7b6d47c3564e70ea190c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0j0vkqk.nyw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 282001.crdownload

Filesize
1.8MB

MD5
c3d71e5bc6035e361d8a04a54796a838

SHA1
bd8a6b8ed5949095e4857f660f0b3453cea91bb8

SHA256
17f5de0fb534fa896b1af7739a60ee04f0942f26f89fa4b2662dd7230f836dcd

SHA512
c8d8bb2cfd7208e8f631148147e497a3a7c9d7431e0af59d096e72cd8c0544c8a4e11ec2a4811faf0472d494e7eaa911121729bf0dc767e7eacc93d10e92743a

Download Submit
C:\Users\Admin\Downloads\styler builder (5).rar

Filesize
2.9MB

MD5
a910d5f30f7ebaa2daf9ce12a95fca6d

SHA1
ad6f59cac18042ae60688647444f13f1dd803b43

SHA256
3294cd33eed9e7f7cffd4f97446c993aafc1ab8a80b75e1a399c70fd6ca7a733

SHA512
8d941c3e8707f1175bb4cb57dc5c7cf887e567561cd8fff00c91ee8fe8e9ffe96d18804df6ea738e17dc43d16561687311a8f2bb957e9d3e24a169cc508ff066

Download Submit
memory/532-618-0x0000021F1D950000-0x0000021F1D962000-memory.dmp

Filesize
72KB

Download
memory/532-563-0x0000021F1D930000-0x0000021F1D94E000-memory.dmp

Filesize
120KB

Download
memory/532-523-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/532-617-0x0000021F04FD0000-0x0000021F04FDA000-memory.dmp

Filesize
40KB

Download
memory/532-525-0x0000021F1D7B0000-0x0000021F1D7C0000-memory.dmp

Filesize
64KB

Download
memory/532-561-0x0000021F1DA00000-0x0000021F1DA50000-memory.dmp

Filesize
320KB

Download
memory/532-642-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/532-559-0x0000021F1D980000-0x0000021F1D9F6000-memory.dmp

Filesize
472KB

Download
memory/532-520-0x0000021F03230000-0x0000021F03270000-memory.dmp

Filesize
256KB

Download
memory/532-611-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/1548-467-0x0000000000170000-0x00000000001A2000-memory.dmp

Filesize
200KB

Download
memory/1548-492-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/1548-468-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/1548-470-0x000000001B030000-0x000000001B040000-memory.dmp

Filesize
64KB

Download
memory/3128-595-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/3128-596-0x00000235567E0000-0x00000235567F0000-memory.dmp

Filesize
64KB

Download
memory/3128-609-0x00000235567E0000-0x00000235567F0000-memory.dmp

Filesize
64KB

Download
memory/3128-612-0x00000235567E0000-0x00000235567F0000-memory.dmp

Filesize
64KB

Download
memory/3128-614-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/3384-527-0x000001EC7F610000-0x000001EC7F632000-memory.dmp

Filesize
136KB

Download
memory/3384-542-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/3384-528-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/3384-529-0x000001EC014E0000-0x000001EC014F0000-memory.dmp

Filesize
64KB

Download
memory/3384-535-0x000001EC014E0000-0x000001EC014F0000-memory.dmp

Filesize
64KB

Download
memory/3820-489-0x00000000003E0000-0x000000000040A000-memory.dmp

Filesize
168KB

Download
memory/3820-491-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/3820-521-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/3820-497-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/4212-592-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4212-493-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4212-494-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4212-610-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/4212-495-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/4212-608-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/5132-564-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/5132-565-0x000001C63CB90000-0x000001C63CBA0000-memory.dmp

Filesize
64KB

Download
memory/5132-566-0x000001C63CB90000-0x000001C63CBA0000-memory.dmp

Filesize
64KB

Download
memory/5132-591-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/5568-546-0x0000020DD8CE0000-0x0000020DD8CF0000-memory.dmp

Filesize
64KB

Download
memory/5568-544-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/5568-545-0x0000020DD8CE0000-0x0000020DD8CF0000-memory.dmp

Filesize
64KB

Download
memory/5568-558-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/5680-622-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/5680-632-0x0000018637150000-0x0000018637160000-memory.dmp

Filesize
64KB

Download
memory/5680-634-0x0000018637150000-0x0000018637160000-memory.dmp

Filesize
64KB

Download
memory/5680-636-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/6140-522-0x0000018A0E780000-0x0000018A0E7A2000-memory.dmp

Filesize
136KB

Download
memory/6140-526-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download
memory/6140-524-0x00007FFAB2F90000-0x00007FFAB3A51000-memory.dmp

Filesize
10.8MB

Download