umbral | hxxps://workupload[.]com/file/uHQqfNQf33j

Analysis

max time kernel
55s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/uHQqfNQf33j

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002345a-78.dat	family_umbral
behavioral1/memory/5984-128-0x000001F054A00000-0x000001F054A40000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5828	powershell.exe
3604	powershell.exe
5628	powershell.exe
5964	powershell.exe
3392	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
5984	Sha Executor V2.exe
5680	Sha Executor V2.exe
5796	Sha Executor V2.exe
5524	Sha Executor V2.exe
1708	Sha Executor V2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
85	discord.com
86	discord.com
95	discord.com
99	discord.com
115	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2480	wmic.exe
5848	wmic.exe
3204	wmic.exe
5136	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\dMa4T.scr\:SmartScreen:$DATA	Sha Executor V2.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jwNS8.scr\:SmartScreen:$DATA	Sha Executor V2.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\j1mXC.scr\:SmartScreen:$DATA	Sha Executor V2.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l9pnw.scr\:SmartScreen:$DATA	Sha Executor V2.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 891481.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\CsHs8.scr\:SmartScreen:$DATA	Sha Executor V2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
940	msedge.exe
940	msedge.exe
4092	msedge.exe
4092	msedge.exe
1920	identity_helper.exe
1920	identity_helper.exe
5844	msedge.exe
5844	msedge.exe
5984	Sha Executor V2.exe
5984	Sha Executor V2.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
5572	powershell.exe
5572	powershell.exe
5572	powershell.exe
5620	powershell.exe
5620	powershell.exe
5620	powershell.exe
5244	powershell.exe
5244	powershell.exe
5244	powershell.exe
5680	Sha Executor V2.exe
5680	Sha Executor V2.exe
5628	powershell.exe
5628	powershell.exe
5628	powershell.exe
5868	powershell.exe
5868	powershell.exe
5868	powershell.exe
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe
5544	powershell.exe
5544	powershell.exe
5544	powershell.exe
5628	powershell.exe
5628	powershell.exe
5628	powershell.exe
5796	Sha Executor V2.exe
5796	Sha Executor V2.exe
5964	powershell.exe
5964	powershell.exe
5964	powershell.exe
2752	powershell.exe
2752	powershell.exe
2752	powershell.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
5848	powershell.exe
5848	powershell.exe
5848	powershell.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
5892	powershell.exe
5892	powershell.exe
5892	powershell.exe
3932	taskmgr.exe
3932	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5984	Sha Executor V2.exe
Token: SeIncreaseQuotaPrivilege	6140	wmic.exe
Token: SeSecurityPrivilege	6140	wmic.exe
Token: SeTakeOwnershipPrivilege	6140	wmic.exe
Token: SeLoadDriverPrivilege	6140	wmic.exe
Token: SeSystemProfilePrivilege	6140	wmic.exe
Token: SeSystemtimePrivilege	6140	wmic.exe
Token: SeProfSingleProcessPrivilege	6140	wmic.exe
Token: SeIncBasePriorityPrivilege	6140	wmic.exe
Token: SeCreatePagefilePrivilege	6140	wmic.exe
Token: SeBackupPrivilege	6140	wmic.exe
Token: SeRestorePrivilege	6140	wmic.exe
Token: SeShutdownPrivilege	6140	wmic.exe
Token: SeDebugPrivilege	6140	wmic.exe
Token: SeSystemEnvironmentPrivilege	6140	wmic.exe
Token: SeRemoteShutdownPrivilege	6140	wmic.exe
Token: SeUndockPrivilege	6140	wmic.exe
Token: SeManageVolumePrivilege	6140	wmic.exe
Token: 33	6140	wmic.exe
Token: 34	6140	wmic.exe
Token: 35	6140	wmic.exe
Token: 36	6140	wmic.exe
Token: SeIncreaseQuotaPrivilege	6140	wmic.exe
Token: SeSecurityPrivilege	6140	wmic.exe
Token: SeTakeOwnershipPrivilege	6140	wmic.exe
Token: SeLoadDriverPrivilege	6140	wmic.exe
Token: SeSystemProfilePrivilege	6140	wmic.exe
Token: SeSystemtimePrivilege	6140	wmic.exe
Token: SeProfSingleProcessPrivilege	6140	wmic.exe
Token: SeIncBasePriorityPrivilege	6140	wmic.exe
Token: SeCreatePagefilePrivilege	6140	wmic.exe
Token: SeBackupPrivilege	6140	wmic.exe
Token: SeRestorePrivilege	6140	wmic.exe
Token: SeShutdownPrivilege	6140	wmic.exe
Token: SeDebugPrivilege	6140	wmic.exe
Token: SeSystemEnvironmentPrivilege	6140	wmic.exe
Token: SeRemoteShutdownPrivilege	6140	wmic.exe
Token: SeUndockPrivilege	6140	wmic.exe
Token: SeManageVolumePrivilege	6140	wmic.exe
Token: 33	6140	wmic.exe
Token: 34	6140	wmic.exe
Token: 35	6140	wmic.exe
Token: 36	6140	wmic.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	5620	powershell.exe
Token: SeIncreaseQuotaPrivilege	5884	wmic.exe
Token: SeSecurityPrivilege	5884	wmic.exe
Token: SeTakeOwnershipPrivilege	5884	wmic.exe
Token: SeLoadDriverPrivilege	5884	wmic.exe
Token: SeSystemProfilePrivilege	5884	wmic.exe
Token: SeSystemtimePrivilege	5884	wmic.exe
Token: SeProfSingleProcessPrivilege	5884	wmic.exe
Token: SeIncBasePriorityPrivilege	5884	wmic.exe
Token: SeCreatePagefilePrivilege	5884	wmic.exe
Token: SeBackupPrivilege	5884	wmic.exe
Token: SeRestorePrivilege	5884	wmic.exe
Token: SeShutdownPrivilege	5884	wmic.exe
Token: SeDebugPrivilege	5884	wmic.exe
Token: SeSystemEnvironmentPrivilege	5884	wmic.exe
Token: SeRemoteShutdownPrivilege	5884	wmic.exe
Token: SeUndockPrivilege	5884	wmic.exe
Token: SeManageVolumePrivilege	5884	wmic.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
4092	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe
3932	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 856	4092	msedge.exe	84
PID 4092 wrote to memory of 856	4092	msedge.exe	84
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 2424	4092	msedge.exe	85
PID 4092 wrote to memory of 940	4092	msedge.exe	86
PID 4092 wrote to memory of 940	4092	msedge.exe	86
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87
PID 4092 wrote to memory of 1412	4092	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workupload.com/file/uHQqfNQf33j
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc04f346f8,0x7ffc04f34708,0x7ffc04f34718
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5844
- C:\Users\Admin\Downloads\Sha Executor V2.exe
  "C:\Users\Admin\Downloads\Sha Executor V2.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5984
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Sha Executor V2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5620
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5884
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5976
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5244
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,12370496505937036965,8512304853538949641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5652

C:\Users\Admin\Downloads\Sha Executor V2.exe
"C:\Users\Admin\Downloads\Sha Executor V2.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5680
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Sha Executor V2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5544
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5640
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3356
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5628
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5848

C:\Users\Admin\Downloads\Sha Executor V2.exe
"C:\Users\Admin\Downloads\Sha Executor V2.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5796
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Sha Executor V2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5848
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:4692
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1608
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5892
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3204

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3932

C:\Users\Admin\Downloads\Sha Executor V2.exe
"C:\Users\Admin\Downloads\Sha Executor V2.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:5524
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Sha Executor V2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:5896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:5836
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5132
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5716
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  PID:1192
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5136

C:\Users\Admin\Downloads\Sha Executor V2.exe
"C:\Users\Admin\Downloads\Sha Executor V2.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:1708
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Sha Executor V2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:5952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:4532
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\j1mXC.scr:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sha Executor V2.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9ea3976f-1994-4164-9bf3-6b94794fb222.tmp

Filesize
5KB

MD5
7c74c6dc7b670d4e9d75ad01a45672b2

SHA1
0f12c3f0b5707d9dfa7000854d4a2aae85fdcd5d

SHA256
db9168b2eca07baafeef0329a2225e5d73d961e7d873fc7dfe19601f06a34194

SHA512
2d6c619da8982a698043d7a7198576cc76dd5c1aaf6ed4a9e9d3e13814f7ef40e3e7e0a4687b2d355e752c176b07795c2bdb495339da2ff50c72dbeb84a1a91f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ff207e38ed24d4309d3a0e7f3e3990c0

SHA1
a7848db84db7023ab6dfd7699c583c84b10dee04

SHA256
ace35edcb687026ac0dd17686abaceec294d4528cb2ebe65cf578875317cdddb

SHA512
079380476f3a95a18f239be2a513f9e5de90c9c189a5a421825e2ecd3f9e3ed084835cac224644a4aa1fbf6c405cf3e08ebb9e7f04e8d3785de46d061bd73c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
78aa442ecb242c8c8a9034bb0aaa821e

SHA1
8dda5ef0e0f7dcc093188da4b672cab30be70a69

SHA256
5efed5e74732c82f5ca154c8280f73fb75bcdb04b3dcbf3e091cee8eeeb98247

SHA512
6a4f53f3ef70ab069462fd6c5b1f2d12fc762798bcddacdd6e176ffe4bedbcd6226f4871d63a7c7cfb322a5b83bc2e84584d60fb95616c3503863aec91879e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
ebd9db70324955cc0006f34da3332db0

SHA1
cb61bc1e89d82afd15732401ac2007000bbd3329

SHA256
832d38481eb59c76e402194a34175a5955f2d25e3f23d1f6b93bbab680690000

SHA512
fd1a772238587fd1050ceb53090e40df5bdc2be44d3225e0efae407d2a2b8b829ed0d90619a8458f14dc8dbc28044c0cbc54d9f847d15a723d83002c3f4c9a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
c0a4dae27a8df8455bfd806396262799

SHA1
65c7ba44968272da6cc4b7f2a6a85c6646879248

SHA256
cbd21241f87a2c13351375baee2db41912e782967049cde1bf0ab3b75e756d84

SHA512
0c0f1ef6ca649c7f4e99f96a23b04b02503a5a2c086bda1e41c0bd27231d2c0af7fb0065186d0ed78d17a6383825687747af710d9e42889c9c2159d60bfe0b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
860B

MD5
d11490563579bf961405bb3df81e46de

SHA1
6bc9ef0c62660ff8519d948042ec2752d775dd75

SHA256
79296fbda21e3badc4c9648f3fb66ea4a6826a2325d05870fec77d4e517a6fc6

SHA512
45de0edc80a7c8190656d4515f500b27f2b2e7ae68e3b2d298aa834c2f2d3b7c6f53700f33f49e79ed20938416412120abc82c77f932fa4b440c08997414c437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
20c96cc93ec2e60a4aebcfad179b9f09

SHA1
d52587c36f6d0b38f2ea53d34ce5249f3ab70b18

SHA256
28850076f39b3920107683720c2b713e9b35804c2648f8e530cd4931ddd4deef

SHA512
378381b1a1755fdf965ce04ffb8f2b7a3adcf9159d510b85b2beee9ac9d5edbe1c0c5635407e625c50038050acd7dff0252f12b6100976ac55f73ce0d33d1883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28b0b5d14e6780b798bfe5be7825dd24

SHA1
609825b76d5d357bd623d15e997009fb1956726b

SHA256
ad401fcdfac5b4c9a7afd57d7afa0fd10a259bc6778f6f12ed38f547a36755a5

SHA512
29bf661ce02e2a23f1f26f35b046928edf3de04db3090b878f2dfa7f3d5d85d8f8322ea8abcdf120293c32b8580e03accb6524b2fe87ace51486776d71e4c834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b5227c3e01a9d5f31d76c101b29a1013

SHA1
d24f351554a6555c5d80cae33992561255c1b733

SHA256
94c2800c73841e032f3b2e8d5c23089534b21143aa2c1ceda81c81c74b93477f

SHA512
874c736324c571095c8938aa565d0fc7beca0085fc105b7a48a497512c053901add8e644545998713329c4fc9acfad4f7d4cab37fd662664d554cd8fbf32e925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b345fea0197e40cf2216b9698ce3fa62

SHA1
1a03f06963dc71f849356fb0b2e24f05e0e970d7

SHA256
8255a52eb698f6e3e0a05e8c820a0e950161b44140a291bcfb1d462244ad450e

SHA512
bd05a9dd6fbacc348c47dac7d33ac626b0184341bb0aaa23d15e08611b4ca6bfb249f70f2197dedf91eb5c683a6c657c988c9150e57f0436fae5fbbb7e8e1955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7f2aa01a2e0b7b66b4a4a84e7edc1f5f

SHA1
9a105542964dd98e64f8bd07816481354fa7a858

SHA256
bcbe0b95220f38603076b6e25ed9ab4174a349289307b7bdbd8e3aa26be8b23b

SHA512
e1b048f2e5694f1c431f7012e78581be4c4568f80e8724c146affd64eba54bcc00fd53dfcb2b6464cbc7d0807340951d03c3367ea630c7bdbd7d8279f3d395b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
186239dff288e01c4b47fdb3120797f7

SHA1
357b0ce9beac6707d851e3da7bba93e4d29daf04

SHA256
b0f48008e50daafad22fb835648c9ac97ab942cebf2aec16b02a93ac1fd1f994

SHA512
ac9327c729150a1eac9b0cc68c0eeb2f79f1b7144d1464c31a782cf42fda4d97af6a0400a20b91f5be8af825a72bdb6d463af16f5766a2486f78c8e3f3401b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0b8cb2e6dd5794b6a56a4bdbbd430fd7

SHA1
2b08e348c3489c6a35761af073018e3784c12074

SHA256
bcce0d44e33747e4c39df9afbd0a4e98a47ded0188375e4dfdd94cafbb366e1f

SHA512
15ce3b588aa80899f69b0313c7e188d886bddbd09783ca732ac33f9ae8e4e017a72b6f98919f581383a4582732575e5faedb0dea87e01cf2b657424945fdf4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2984662ba3f86d7fcf26758b5b76754d

SHA1
bc2a43ffd898222ee84406313f3834f226928379

SHA256
f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

SHA512
a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c41224ab6e2a713aff7b0128890716be

SHA1
b3525f9c3f583284b084fb88ae14a803fad84e04

SHA256
ee0f2a4ee399ef57c54d83bd611d11fb22ce2edc405db819a2a371b8a5192fd2

SHA512
25c71ac3f2ee6b0ccadd7549b7d8a42a964d0305d8758dfae53ce78eeaf52432380715ff545d95645e0e00d3b3b6c678f17eb16b2e9606d64988ffde82dfbc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddd1b6966b6a80ae1ae877610f49d5e0

SHA1
a2223163983cb076089d6e833252746ce36e9677

SHA256
4955439b16b4826ea213ee9dc36de5603e26454ebab257dae96f3b132422dfc8

SHA512
372e6161d83f60e6b250b3df73816b00b9b5154b7a3522735567261f84a6d45da8c9900d4293ab04877210800da68024a566593aa514f0d287b1aafd2b88787e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ccf1b703c8f1f34a2faf84a676e0ef0c

SHA1
46dc045aa7dcf8938c0352d4125e796d38c4b7a3

SHA256
789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa

SHA512
c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
07d142044fb78e359c794180a9c6fdff

SHA1
8a7155f93a53ff1b7f382a4ccb3f58ff2f88808e

SHA256
2af8c3ca529953085ca25f69d9142964e2ce5508665c14f3533a47d254fed3ea

SHA512
356edd3598c09b765c3de325bc47c5c8ae7fcfd87e8c58e12e8bb6437f1d7ce58310e06c4d64336815833e280f2e61c288edb09508c4f29876d28b0d602aeb78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5e2fd95470c50743ba121fd6bd03a7b

SHA1
75545ed499d9dde51a1fc1cf535eb4f50ec79250

SHA256
d9c961aaf784b9ce81b0a3aac7a39bd41e9f2702d9c28deb20e786d385b88288

SHA512
76bdc793f8b38f603b5ad0957474660bb09e963a2496564b8ceac6591d532fc9498214b81c3908bafc13ff0b07028457c6c997998adfd2203304cb1c82899423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b2672ba4d7326dd814470f2937636a21

SHA1
771fbe89507cc7e6c3d89ae0e6d722833f884391

SHA256
116459924d16bad7a4b19b938cce3600865b21476594ee2fcf5a0e107b40c3f3

SHA512
d0ba982b27a5d7a0f0a4ceca448944c7e330a1817e4230e1e9880633be3d4173a63ca2b4bbc05bbbcc9053896888609eaa6b990117499ca7eadcfec0f7e2b635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c6aae9fb57ebd2ae201e8d174d820246

SHA1
58140d968de47bcf9c78938988a99369bbdb1f51

SHA256
bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08

SHA512
5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e4d5f16dff1c6c4bd78c48253f411da2

SHA1
0fb7366585572b2cf4144d169302ba21d8e71ac3

SHA256
360fe2bf9d46f0e6bb35c1b41ba0d70c5f10a1a9b42e29d9cafea37de5964133

SHA512
27cb84814bf84d0db623e68c06b6391e63d985d5fe77a9d6ca9093329fbe73da490bb9bef67fea667d2d03b1d42ed5b4591f9e72c281c15965d0765c019d4b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D7mCR7FeSoG3qr\Browsers\Cookies\Edge Cookies.txt

Filesize
691B

MD5
27bc4fe9254c10df56076500000ce6e9

SHA1
51a5661c51347eff75269c8afc7fbc6b491797bb

SHA256
0e5142b0cac2fb2cf3ebc7c6bf26c02bbb72a10462c763ce43b85e6bc61aeb3e

SHA512
f33bb8c874e55d5c1cc4021db34db6d8eb856d6f2ecf2bcd8d0d384394c4a510b9f37d4feadcdac744e866b88bb4f0ec6a7eab0d7e20f9f5a877062218466e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\8kXnr9kYr7ZNLhp

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_toi0emzb.3re.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\axgle4gy2nwg2Fv

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\werBs3r01hjB2a7

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 891481.crdownload

Filesize
227KB

MD5
05794a97079226b97c0004407ba30117

SHA1
6d8035c43c90a36df0e6849270daff3e879c3acd

SHA256
77da62edb2b6fa92c2ca4a5230c034f3e67423fda0cca1d95c039295e7485ba2

SHA512
0c396873b6256b3a46aa4ea35e6191f6cfc3e33e9ee842fda30930e94e8a9b356dd58ce8b0d23d968dca979d66f9c7af8520546595963ee1c42f92c2bdc72d2b

Download Submit
memory/3604-129-0x000001C87E4F0000-0x000001C87E512000-memory.dmp

Filesize
136KB

Download
memory/3932-386-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/3932-387-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/3932-381-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/3932-375-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/3932-376-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/3932-384-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/3932-382-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/3932-383-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/3932-377-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/3932-385-0x00000250AF890000-0x00000250AF891000-memory.dmp

Filesize
4KB

Download
memory/5984-155-0x000001F06F150000-0x000001F06F1C6000-memory.dmp

Filesize
472KB

Download
memory/5984-128-0x000001F054A00000-0x000001F054A40000-memory.dmp

Filesize
256KB

Download
memory/5984-156-0x000001F06F1D0000-0x000001F06F220000-memory.dmp

Filesize
320KB

Download
memory/5984-158-0x000001F06EFA0000-0x000001F06EFBE000-memory.dmp

Filesize
120KB

Download
memory/5984-195-0x000001F06F120000-0x000001F06F132000-memory.dmp

Filesize
72KB

Download
memory/5984-194-0x000001F06F0F0000-0x000001F06F0FA000-memory.dmp

Filesize
40KB

Download