Analysis

  • max time kernel
    102s
  • max time network
    100s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    26-04-2024 20:37

General

  • Target

    https://cdn.discordapp.com/attachments/1231358831897088012/1233516767071043655/Umbral.exe?ex=662d6182&is=662c1002&hm=a3eca0624bde300b165073c384e80ff117d134e4eeaf365cc1ea0ae1329c9648&
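
    Triage of the Target link, as an added example (it is not part of the sandbox report). Discord attachment URLs carry `is` (issued-at) and `ex` (expiry) as hexadecimal Unix timestamps and `hm` as a signature that only Discord can verify; the script decodes the validity window, checks it against the submission time from the Analysis section, cross-checks it against the upload time embedded in the attachment's snowflake ID, and produces a signature-free form of the URL for IoC sharing. Treating the submission time as UTC is an assumption; the report does not state a time zone.

```python
"""Triage of the Discord CDN link in the Target field.

Added example, not part of the sandbox report.  Assumptions: Discord
attachment URLs carry `is` (issued-at) and `ex` (expiry) as hexadecimal Unix
timestamps and `hm` as a signature only Discord can verify, and the report's
submission time is UTC (it does not state a zone).
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Copied from the Target field of the report.
TARGET = ("https://cdn.discordapp.com/attachments/1231358831897088012/1233516767071043655/"
          "Umbral.exe?ex=662d6182&is=662c1002&hm=a3eca0624bde300b165073c384e80ff117d134e4eeaf365cc1ea0ae1329c9648&")
# "submitted 26-04-2024 20:37" from the Analysis section, assumed UTC.
SUBMITTED = datetime(2024, 4, 26, 20, 37, tzinfo=timezone.utc)

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the snowflake epoch


def parse_cdn_link(url):
    """Split an attachment URL into its stable identifiers and its ephemeral signing fields."""
    parts = urlsplit(url)
    segs = parts.path.split("/")  # ['', 'attachments', channel_id, attachment_id, filename]
    if parts.netloc != "cdn.discordapp.com" or len(segs) < 5 or segs[1] != "attachments":
        raise ValueError("not a Discord attachment URL")
    q = parse_qs(parts.query)  # the trailing '&' yields no extra key
    return {
        "channel_id": segs[2],
        "attachment_id": segs[3],
        "filename": segs[4],
        "issued": datetime.fromtimestamp(int(q["is"][0], 16), tz=timezone.utc),
        "expires": datetime.fromtimestamp(int(q["ex"][0], 16), tz=timezone.utc),
        "signature": q["hm"][0],
        # Signature-free form for IoC sharing: it survives Discord re-signing the link.
        "canonical": f"https://cdn.discordapp.com{parts.path}",
    }


def validity_seconds(link):
    """Length of the signed link's validity window in seconds."""
    return int((link["expires"] - link["issued"]).total_seconds())


def live_at(link, when):
    """True if the signed link was within its validity window at `when`."""
    return link["issued"] <= when < link["expires"]


def snowflake_time(snowflake):
    """Creation time embedded in a Discord snowflake ID (top 42 bits = ms since the Discord epoch)."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def triage(url=TARGET, when=SUBMITTED):
    """Decode the link and return the facts a responder wants in one dict."""
    link = parse_cdn_link(url)
    uploaded = snowflake_time(link["attachment_id"]).replace(microsecond=0)
    return {
        "canonical": link["canonical"],
        "uploaded": uploaded.isoformat(),
        "issued": link["issued"].isoformat(),
        "expires": link["expires"].isoformat(),
        "validity_seconds": validity_seconds(link),
        "live_at_submission": live_at(link, when),
        # Upload time and link issue time agreeing is a sanity check on the decoding.
        "timestamps_consistent": uploaded == link["issued"],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:22} {value}")
```

    For this sample the link was issued at 2024-04-26 20:35:14 UTC, two minutes before submission, and expires exactly 24 hours later, so the file was still fetchable when the sandbox ran; share the canonical path rather than the signed URL, because the `hm`/`ex`/`is` triple changes every time Discord re-signs the link.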

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1231358831897088012/1233516767071043655/Umbral.exe?ex=662d6182&is=662c1002&hm=a3eca0624bde300b165073c384e80ff117d134e4eeaf365cc1ea0ae1329c9648&
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95ab93cb8,0x7ff95ab93cc8,0x7ff95ab93cd8
      2⤵
        PID:5080
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
        2⤵
          PID:4120
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:960
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
          2⤵
            PID:3068
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
            2⤵
              PID:1188
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
              2⤵
                PID:5028
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4676
              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4148
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
                2⤵
                  PID:5092
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5804 /prefetch:8
                  2⤵
                    PID:2416
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
                    2⤵
                      PID:3560
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
                      2⤵
                        PID:1692
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
                        2⤵
                          PID:2308
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
                          2⤵
                            PID:2892
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
                            2⤵
                            • NTFS ADS
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3564
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6272 /prefetch:8
                            2⤵
                              PID:3956
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
                              2⤵
                                PID:2820
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
                                2⤵
                                  PID:2680
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10571382077384380665,8791827215836110754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
                                  2⤵
                                    PID:2968
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:1028
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:3676
                                    • C:\Windows\System32\rundll32.exe
                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                      1⤵
                                        PID:4800
                                      • C:\Users\Admin\Downloads\Umbral.exe
                                        "C:\Users\Admin\Downloads\Umbral.exe"
                                        1⤵
                                        • Drops file in Drivers directory
                                        • Executes dropped EXE
                                        • NTFS ADS
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4988
                                        • C:\Windows\System32\Wbem\wmic.exe
                                          "wmic.exe" csproduct get uuid
                                          2⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2968
                                        • C:\Windows\SYSTEM32\attrib.exe
                                          "attrib.exe" +h +s "C:\Users\Admin\Downloads\Umbral.exe"
                                          2⤵
                                          • Views/modifies file attributes
                                          PID:2868
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Umbral.exe'
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4036
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3592
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:428
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:532
                                        • C:\Windows\System32\Wbem\wmic.exe
                                          "wmic.exe" os get Caption
                                          2⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1488
                                        • C:\Windows\System32\Wbem\wmic.exe
                                          "wmic.exe" computersystem get totalphysicalmemory
                                          2⤵
                                            PID:4064
                                          • C:\Windows\System32\Wbem\wmic.exe
                                            "wmic.exe" csproduct get uuid
                                            2⤵
                                              PID:4812
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                              2⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4864
                                            • C:\Windows\System32\Wbem\wmic.exe
                                              "wmic" path win32_VideoController get name
                                              2⤵
                                              • Detects videocard installed
                                              PID:3260
                                            • C:\Windows\SYSTEM32\cmd.exe
                                              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Umbral.exe" && pause
                                              2⤵
                                                PID:4808
                                                • C:\Windows\system32\PING.EXE
                                                  ping localhost
                                                  3⤵
                                                  • Runs ping.exe
                                                  PID:4868
                                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                                              1⤵
                                              • Modifies registry class
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1028
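
                                             Detection logic for the chain above, as an added example (not part of the sandbox report or of the Umbral project). It covers the behaviours the Signatures section names (Defender tampering, hardware and video card discovery via WMIC, the Roblox cookie read, hiding and self-deleting the dropped binary) by matching process command lines and folding the hits onto the parent that spawned them, which is what separates one stealer from a dozen unrelated WMIC queries. The event list is constructed from the Processes section: PIDs are as recorded, parent links are reconstructed from the tree levels, and the Edge event is a benign control.

```python
"""Detection logic for the Umbral-style process chain in this report.

Added example; it is not part of the sandbox report or of the Umbral
project.  EVENTS is constructed from the Processes section (PIDs as
recorded, parent links reconstructed from the tree levels); the rules
target the behaviours the Signatures section names.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int  # 0 = no parent recorded in the tree
    cmdline: str


UMBRAL = r"C:\Users\Admin\Downloads\Umbral.exe"

# Constructed from the report's tree: 4988 is Umbral.exe, 1412 is the Edge parent.
EVENTS = [
    Proc(4988, 0, f'"{UMBRAL}"'),
    Proc(2968, 4988, '"wmic.exe" csproduct get uuid'),
    Proc(2868, 4988, f'"attrib.exe" +h +s "{UMBRAL}"'),
    Proc(4036, 4988, f'"powershell.exe" Add-MpPreference -ExclusionPath \'{UMBRAL}\''),
    Proc(3592, 4988, '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
                     '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true '
                     '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
                     '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
                     '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2'),
    Proc(428, 4988, r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    Proc(1488, 4988, '"wmic.exe" os get Caption'),
    Proc(4064, 4988, '"wmic.exe" computersystem get totalphysicalmemory'),
    Proc(4812, 4988, '"wmic.exe" csproduct get uuid'),
    Proc(3260, 4988, '"wmic" path win32_VideoController get name'),
    Proc(4808, 4988, f'"cmd.exe" /c ping localhost && del /F /A h "{UMBRAL}" && pause'),
    Proc(4868, 4808, 'ping localhost'),
    # Benign control from the Edge tree: must not fire.
    Proc(960, 1412, '"msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService'),
]

# (rule name, regex over the command line).  Case-insensitive so that
# "wmic" / "WMIC.exe" and cmdlet casing variants all match.
RULES = [
    ("defender_exclusion_added",   re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("defender_realtime_disabled", re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("hardware_id_via_wmic",       re.compile(r"\bwmic(\.exe)?\b.*\bcsproduct\s+get\s+uuid\b", re.I)),
    ("videocard_enum_via_wmic",    re.compile(r"\bwmic(\.exe)?\b.*\bwin32_VideoController\b", re.I)),
    ("roblox_cookie_read",         re.compile(r"\.ROBLOSECURITY\b", re.I)),
    ("self_hide_attrib",           re.compile(r"\battrib(\.exe)?\b.*\+h\s+\+s\b", re.I)),
    ("ping_delay_self_delete",     re.compile(r"\bping\b.*&&\s*del\b", re.I)),
]


def match_rules(events):
    """Map pid -> sorted rule names for every event whose command line hits a rule."""
    hits = {}
    for ev in events:
        names = sorted(name for name, rx in RULES if rx.search(ev.cmdline))
        if names:
            hits[ev.pid] = names
    return hits


def cluster_by_parent(events, hits):
    """Fold child hits onto the parent that spawned them, so one parent that
    fans out into several discovery/evasion children is surfaced once."""
    clusters = {}
    for ev in events:
        if ev.pid in hits:
            clusters.setdefault(ev.ppid, set()).update(hits[ev.pid])
    return {ppid: sorted(names) for ppid, names in clusters.items()}


def verdict(rule_names, threshold=3):
    """Alert on any Defender-tampering hit by itself, or when a single parent
    accumulates at least `threshold` distinct behaviours (threshold is a tuning choice)."""
    return any(n.startswith("defender_") for n in rule_names) or len(rule_names) >= threshold


def report(events=EVENTS):
    """ppid -> (alert?, rule names) for every parent with at least one flagged child."""
    hits = match_rules(events)
    return {ppid: (verdict(names), names) for ppid, names in cluster_by_parent(events, hits).items()}


if __name__ == "__main__":
    for ppid, (alert, names) in report().items():
        print(f"parent PID {ppid}: {'ALERT' if alert else 'info'} -> {', '.join(names)}")
```

                                             On a real host, feed Sysmon Event ID 1 (ProcessCreate) records into `Proc`, since they carry ProcessId, ParentProcessId and CommandLine; the Edge child and the lone `ping localhost` stay silent, while PID 4988 lights up seven distinct behaviours, two of which (the Defender exclusion and the real-time protection switch-off) warrant an alert on their own.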

                                            Network

                                            MITRE ATT&CK Enterprise v15


                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              1e4ed4a50489e7fc6c3ce17686a7cd94

                                              SHA1

                                              eac4e98e46efc880605a23a632e68e2c778613e7

                                              SHA256

                                              fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a

                                              SHA512

                                              5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                              Filesize

                                              152B

                                              MD5

                                              8ff8bdd04a2da5ef5d4b6a687da23156

                                              SHA1

                                              247873c114f3cc780c3adb0f844fc0bb2b440b6d

                                              SHA256

                                              09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae

                                              SHA512

                                              5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

                                              Filesize

                                              20KB

                                              MD5

                                              b0c2da866b2e58c905829646726e6cad

                                              SHA1

                                              a2195dd900455e39e0c2ec5640030346fc3bd263

                                              SHA256

                                              78ef72b661cff1466aa18de6c9e6303ce86aea15a984c353434d7a6ee0cb9356

                                              SHA512

                                              0d9311e644f98701109c7cb643d021cd45b5e5db0152b6ade912120b59464c1917ed2b3df0b7457cdaab3409c38689dcd572b238eeb8a99acd51e45fbed9a2bf

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                              Filesize

                                              186B

                                              MD5

                                              094ab275342c45551894b7940ae9ad0d

                                              SHA1

                                              2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

                                              SHA256

                                              ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

                                              SHA512

                                              19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              5KB

                                              MD5

                                              dfda55d6ca665a53bc9bfcb76de43cac

                                              SHA1

                                              9172191fb77259cfb9871f7b28d17e584084c7e7

                                              SHA256

                                              2256b6a11782632ce99d29b15c0545af72ffdc7d947319776e9ecb1936aa156e

                                              SHA512

                                              e4508e8d32809bf3dd8dac383c1b1e715ed761a90da9137d70818a1716769f36a77c84e98f34758dc2523bad60e0b63a23761383cff96959406f3a6c394a6eeb

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              5KB

                                              MD5

                                              a01f0714223393877835a5b529535d29

                                              SHA1

                                              af54661ce5689c2636c9f90d17c9c57501b42c57

                                              SHA256

                                              7628c6915a9dfb046dad2db4509a839ef98cabc18720c5a7fab43b6e3a56567c

                                              SHA512

                                              161ac088f8cde37d8b6cc06b29d8af5ae91c29d35ea067d1c8c8b6003bc50580c70c4b13ec8da35f22957f5872824a7ffb7e2e3864df9336e90e5f0df8724c5f

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                              Filesize

                                              5KB

                                              MD5

                                              ce05779810e945b6444255793c3a3e3c

                                              SHA1

                                              aabdc29741070d371478a994bc23a2c64b8704da

                                              SHA256

                                              3d7cc85f35551b741a50668af146b19e77a86d768f053ab205f935550513558e

                                              SHA512

                                              b2713332890c2a27a07bb1000b6fa1aa74916fc388fe83c081218bd0ceffb8517f41c143dc3445d16a718c2513ca81f1f9f9d04aabc8473c5811f5a315aa8e88

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                              Filesize

                                              16B

                                              MD5

                                              6752a1d65b201c13b62ea44016eb221f

                                              SHA1

                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                              SHA256

                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                              SHA512

                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              11KB

                                              MD5

                                              d95509076efe578649860e26ad167c46

                                              SHA1

                                              019ef30ea929b3efd8868064d97a523af66853cf

                                              SHA256

                                              7a95f8c9cacefe23b10e48bbcb5070d6ba5fca8da0cae921e0baa56eeeb202c5

                                              SHA512

                                              e45d211cf07585d1ed37541ce67496aed4059bc5a03bda497597e00a76d507706c2010a2e453882ffa6074d3e397bc607c0653aafd3fa74be97c7ff568846fbe

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              11KB

                                              MD5

                                              073299e557fd580a30e6b051ecdd75ca

                                              SHA1

                                              7f6e4bf7bdb4dafa509d943ca196c8ed2e2612b8

                                              SHA256

                                              b459429a29d714e83a09eeb1233a521fd83fba6e6a81ea0b839fecffd32b8e13

                                              SHA512

                                              9b21394dba5025fbe0ef0362545f6f849f42b21a2b5dbb9a841dd5bab8d50579d33f53267be5a2726940c0991c261eb11661c06f91c5a8efab5e83110689ae66

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                              Filesize

                                              12KB

                                              MD5

                                              2c5415ad178ac92dcec87916485e467f

                                              SHA1

                                              731089d233c1a6a04f06d5f45de96dd5878c20df

                                              SHA256

                                              b5fade42ade6ba2dd5641527c04c8c3c705d63899c364bae913c827d13c8760d

                                              SHA512

                                              1786947e93887486977ec8dc80b60cd1a1d9d3878ddd3f90d996382b0ade1ecf0c7b42930007a428c2418330b9ba56452754f12182d835b651dcdbbbf1a22a7e

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              944B

                                              MD5

                                              7d760ca2472bcb9fe9310090d91318ce

                                              SHA1

                                              cb316b8560b38ea16a17626e685d5a501cd31c4a

                                              SHA256

                                              5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

                                              SHA512

                                              141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              948B

                                              MD5

                                              d80c90c20d0f5c8f07229716f2beffef

                                              SHA1

                                              42dcd92a3a1059e5e559e1cd110ec98a3ac45e3e

                                              SHA256

                                              5ba478485882ee7c7aa928af8c98e7754e876887e00a0c69520d20bd4926e7f6

                                              SHA512

                                              d6a4b14a52154db7c5af19e60910774d61704e7a6243ba5f73e11f7b692ea75840730e04eaccb59387021edf57506e0c2999e4237e8d921a01053eb4a3274ecf

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              83d2d0a413aaa75f465eb40c7c057609

                                              SHA1

                                              a6cb76483b42b495c07b78938a594d4865af0a34

                                              SHA256

                                              13b2980d7c02f6c1dd2329a7c46e18b7178012d600afd589d6f2495acbd85a80

                                              SHA512

                                              fa8e80acdde9aa6f4bd63f6278b46527d04977f102ff39670e0eafa75566c852f667a843012e72547fb2b5a03cd3a738e95280a07e97745b86293e27303dfe84

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              eb3b72c93a86ce5252b46ddc261f2090

                                              SHA1

                                              aec64add080b3070646c5389d545a69f17eeec6f

                                              SHA256

                                              0e8515381c8a90dbbb1995ba72dad52d8bd9391b29d8e11bebde2dc23dcbce11

                                              SHA512

                                              bc7ee5b5af70ca1010aff49e4aa14e16af79dbc101d42b70945ee0033c97a9585fdc0a0a5e0068ee3dd234a223363a3ffadc240b6327c2b671fe134a10d42969

                                            • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

                                              Filesize

                                              10KB

                                              MD5

                                              2f23663111658be2ba0b273463ff5e60

                                              SHA1

                                              c2af77369b83a0177bfdb90c11fad4c5f897a983

                                              SHA256

                                              eab4709a1ad32b0b87a53d307893899eb3ee26c6a59a1b34fe83062c79817513

                                              SHA512

                                              e0fdfe555a47709cbf14c4c22498c89c3e8fd61c5b40806b9dd06aee20fbdcd3d9c4f7861d1183df15e9c64ed25828f97c8292bc6b4a700d3d4586433bf45bd8

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvfosvhk.kn4.ps1

                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            • C:\Users\Admin\Downloads\Umbral.exe:Zone.Identifier

                                              Filesize

                                              26B

                                              MD5

                                              fbccf14d504b7b2dbcb5a5bda75bd93b

                                              SHA1

                                              d59fc84cdd5217c6cf74785703655f78da6b582b

                                              SHA256

                                              eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                              SHA512

                                              aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                            • C:\Users\Admin\Downloads\Unconfirmed 494475.crdownload

                                              Filesize

                                              229KB

                                              MD5

                                              eadd4d3f06b7d57e1847fffe5d6068c3

                                              SHA1

                                              29d0a20659f42070f4d66d70aa3d43255a86237f

                                              SHA256

                                              971f3b0fe84daa86f88158682f5e8c65a3562266ebc2f0a1b44fd9d2cb4e72e7

                                              SHA512

                                              4c066218850eec918eda311cb6620e736ec467fbeb4593a67296abb532432b20e0107c8c14af490d3b5730c19ed6e1535370247de71a4e14f4491ea069451084

                                            • C:\Windows\system32\drivers\etc\hosts

                                              Filesize

                                              2KB

                                              MD5

                                              4028457913f9d08b06137643fe3e01bc

                                              SHA1

                                              a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                                              SHA256

                                              289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                                              SHA512

                                              c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                                            • memory/4036-90-0x000002137FF80000-0x000002137FFA2000-memory.dmp

                                              Filesize

                                              136KB

                                            • memory/4988-118-0x000002CCA6F70000-0x000002CCA6F8E000-memory.dmp

                                              Filesize

                                              120KB

                                            • memory/4988-154-0x000002CCA6FA0000-0x000002CCA6FAA000-memory.dmp

                                              Filesize

                                              40KB

                                            • memory/4988-155-0x000002CCA6FD0000-0x000002CCA6FE2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/4988-116-0x000002CCA70C0000-0x000002CCA7110000-memory.dmp

                                              Filesize

                                              320KB

                                            • memory/4988-115-0x000002CCA6FF0000-0x000002CCA7066000-memory.dmp

                                              Filesize

                                              472KB

                                            • memory/4988-89-0x000002CC8C820000-0x000002CC8C860000-memory.dmp

                                              Filesize

                                              256KB