umbral | hxxps://mega[.]nz/file/uFoDARAA#jtvMkvKLduwPj2y_juqUnaG5_YLFwBx1HZUP90o_4c0

Analysis

max time kernel
124s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/uFoDARAA#jtvMkvKLduwPj2y_juqUnaG5_YLFwBx1HZUP90o_4c0

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234e8-188.dat	family_umbral
behavioral1/memory/5624-202-0x0000028D6C330000-0x0000028D6C39C000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5904	powershell.exe
1280	powershell.exe
3116	powershell.exe
3936	powershell.exe
6064	powershell.exe
1648	powershell.exe
6012	powershell.exe
4172	powershell.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.17.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	BootstrapperV1.17.exe

Executes dropped EXE 2 IoCs

pid	Process
5624	BootstrapperV1.17.exe
972	BootstrapperV1.17.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
75	discord.com
82	discord.com
122	discord.com
123	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
67	ip-api.com
119	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2748	cmd.exe
4464	PING.EXE
4560	cmd.exe
5908	PING.EXE

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3600	wmic.exe
4380	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\tmp_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\tmp_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\tmp_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.tmp	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\tmp_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\tmp_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\tmp_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\䵋䢭ﶣ羉ᾤ\ = "tmp_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\䰣頏섀阀.tmp\ = "tmp_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\.tmp\ = "tmp_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\䵋䢭ﶣ羉ᾤ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\䰣頏섀阀.tmp	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\tmp_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\tmp_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 349221.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\cK88H.scr\:SmartScreen:$DATA	BootstrapperV1.17.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 890323.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\K3IGA.scr\:SmartScreen:$DATA	BootstrapperV1.17.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5908	PING.EXE
4464	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
960	msedge.exe
960	msedge.exe
2316	msedge.exe
2316	msedge.exe
996	identity_helper.exe
996	identity_helper.exe
5420	msedge.exe
5420	msedge.exe
5624	BootstrapperV1.17.exe
5624	BootstrapperV1.17.exe
5904	powershell.exe
5904	powershell.exe
5904	powershell.exe
6064	powershell.exe
6064	powershell.exe
6064	powershell.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
5340	powershell.exe
5340	powershell.exe
5340	powershell.exe
6012	powershell.exe
6012	powershell.exe
6012	powershell.exe
3060	msedge.exe
3060	msedge.exe
972	BootstrapperV1.17.exe
972	BootstrapperV1.17.exe
1280	powershell.exe
1280	powershell.exe
1280	powershell.exe
4172	powershell.exe
4172	powershell.exe
4172	powershell.exe
3116	powershell.exe
3116	powershell.exe
3116	powershell.exe
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe
3936	powershell.exe
3936	powershell.exe
3936	powershell.exe
5848	msedge.exe
5848	msedge.exe
5848	msedge.exe
5848	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
756	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	708	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	708	AUDIODG.EXE
Token: SeDebugPrivilege	5624	BootstrapperV1.17.exe
Token: SeIncreaseQuotaPrivilege	5772	wmic.exe
Token: SeSecurityPrivilege	5772	wmic.exe
Token: SeTakeOwnershipPrivilege	5772	wmic.exe
Token: SeLoadDriverPrivilege	5772	wmic.exe
Token: SeSystemProfilePrivilege	5772	wmic.exe
Token: SeSystemtimePrivilege	5772	wmic.exe
Token: SeProfSingleProcessPrivilege	5772	wmic.exe
Token: SeIncBasePriorityPrivilege	5772	wmic.exe
Token: SeCreatePagefilePrivilege	5772	wmic.exe
Token: SeBackupPrivilege	5772	wmic.exe
Token: SeRestorePrivilege	5772	wmic.exe
Token: SeShutdownPrivilege	5772	wmic.exe
Token: SeDebugPrivilege	5772	wmic.exe
Token: SeSystemEnvironmentPrivilege	5772	wmic.exe
Token: SeRemoteShutdownPrivilege	5772	wmic.exe
Token: SeUndockPrivilege	5772	wmic.exe
Token: SeManageVolumePrivilege	5772	wmic.exe
Token: 33	5772	wmic.exe
Token: 34	5772	wmic.exe
Token: 35	5772	wmic.exe
Token: 36	5772	wmic.exe
Token: SeIncreaseQuotaPrivilege	5772	wmic.exe
Token: SeSecurityPrivilege	5772	wmic.exe
Token: SeTakeOwnershipPrivilege	5772	wmic.exe
Token: SeLoadDriverPrivilege	5772	wmic.exe
Token: SeSystemProfilePrivilege	5772	wmic.exe
Token: SeSystemtimePrivilege	5772	wmic.exe
Token: SeProfSingleProcessPrivilege	5772	wmic.exe
Token: SeIncBasePriorityPrivilege	5772	wmic.exe
Token: SeCreatePagefilePrivilege	5772	wmic.exe
Token: SeBackupPrivilege	5772	wmic.exe
Token: SeRestorePrivilege	5772	wmic.exe
Token: SeShutdownPrivilege	5772	wmic.exe
Token: SeDebugPrivilege	5772	wmic.exe
Token: SeSystemEnvironmentPrivilege	5772	wmic.exe
Token: SeRemoteShutdownPrivilege	5772	wmic.exe
Token: SeUndockPrivilege	5772	wmic.exe
Token: SeManageVolumePrivilege	5772	wmic.exe
Token: 33	5772	wmic.exe
Token: 34	5772	wmic.exe
Token: 35	5772	wmic.exe
Token: 36	5772	wmic.exe
Token: SeDebugPrivilege	5904	powershell.exe
Token: SeDebugPrivilege	6064	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	5340	powershell.exe
Token: SeIncreaseQuotaPrivilege	5536	wmic.exe
Token: SeSecurityPrivilege	5536	wmic.exe
Token: SeTakeOwnershipPrivilege	5536	wmic.exe
Token: SeLoadDriverPrivilege	5536	wmic.exe
Token: SeSystemProfilePrivilege	5536	wmic.exe
Token: SeSystemtimePrivilege	5536	wmic.exe
Token: SeProfSingleProcessPrivilege	5536	wmic.exe
Token: SeIncBasePriorityPrivilege	5536	wmic.exe
Token: SeCreatePagefilePrivilege	5536	wmic.exe
Token: SeBackupPrivilege	5536	wmic.exe
Token: SeRestorePrivilege	5536	wmic.exe
Token: SeShutdownPrivilege	5536	wmic.exe
Token: SeDebugPrivilege	5536	wmic.exe
Token: SeSystemEnvironmentPrivilege	5536	wmic.exe
Token: SeRemoteShutdownPrivilege	5536	wmic.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe
756	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 4412	2316	msedge.exe	86
PID 2316 wrote to memory of 4412	2316	msedge.exe	86
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 3256	2316	msedge.exe	87
PID 2316 wrote to memory of 960	2316	msedge.exe	88
PID 2316 wrote to memory of 960	2316	msedge.exe	88
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89
PID 2316 wrote to memory of 452	2316	msedge.exe	89

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5852	attrib.exe
2268	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/uFoDARAA#jtvMkvKLduwPj2y_juqUnaG5_YLFwBx1HZUP90o_4c0
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82b2d46f8,0x7ff82b2d4708,0x7ff82b2d4718
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7984091742434640309,7681332598927405039,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5624 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5576

C:\Users\Admin\Downloads\BootstrapperV1.17.exe
"C:\Users\Admin\Downloads\BootstrapperV1.17.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5624
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5772
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.17.exe"
  2⤵
  - Views/modifies file attributes
  PID:5852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.17.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5340
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5536
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5812
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:6012
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3600
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.17.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2748
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:756
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\0d6d00c8-1de0-4057-91a3-40a877e8f5ab.tmp
  2⤵
  PID:2276

C:\Users\Admin\Downloads\BootstrapperV1.17.exe
"C:\Users\Admin\Downloads\BootstrapperV1.17.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:972
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2196
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\BootstrapperV1.17.exe"
  2⤵
  - Views/modifies file attributes
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BootstrapperV1.17.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5232
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2364
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4380
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\BootstrapperV1.17.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4560
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BootstrapperV1.17.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
09c38bf09493920e93b25f37f1ae4efe

SHA1
42e5d800056f08481870c4ca2d0d48181ca8edc8

SHA256
37874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255

SHA512
91eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
42KB

MD5
95f39fbf8052f75e9a1757c42cc6bfa2

SHA1
8d0820e47401c569d40b5de60d3a0113d6083b42

SHA256
aefae082c0a14c6c7e01bb7f07117997e1cf77ebc80d6ca4ba901e097452a4a4

SHA512
db0a2a06097baa437e6c2ab63f55da7da9cdfdb32663766f4067fed7c17a94b0bb25d296da485c44ab31646a77fc94e3344a79ce65df55b4f6ad6c635c1ecb3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
98fe34b848c79a9ef6d2caa49c699cd4

SHA1
29e702be9ff70c9d72d1d246d8c4c5a33010ea90

SHA256
c6ddd3a2aa07545f7ae731176ca639b25384288b9dfee510378835f262f48a5a

SHA512
2d578d39a4f55fdca95c80426bfcaf423e03476d01143667943ae19438863ebe35fab0dc75b67be7af92cca6c3a4f8cdad683f98e4ff753a5972f2fa22089e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
44ad738a5863e3be792c7a94cecb6710

SHA1
36cbcac77a7047f6a0ab497bcf198c7d99b4c2a2

SHA256
c15029cfef6e8a6003b892265ec42c839d9c4ebf46520cd463c3362cb151f6c4

SHA512
e6ab9f2634e18f45a5316f744fa27a47951f204d8f84bf56ca8504597163992ff466291843814775dd28941f3af0f065f2c60eefae6272a97ffa690e150f1321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
66b163d5a7012935fcffb456ca64508a

SHA1
2d8c04bcf02f2fadcd76ea4e1e2327410f19d824

SHA256
04f470d7b3ae7d0d4deec3a31694ad115b96f0f5b1ee5e4465bfe3bce55c48da

SHA512
930cabdae68316788e46b62a323d3240ef8a33c8728ee979919104c0f494c63d8144ef0eee1fdb3d3de81fcd1a0d92f7c2a1589f9fa60713e35e164bd600f88d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
105B

MD5
66f8dd72513b99b659f5e96ad284fa79

SHA1
7b366941103b7ea4d48cc4938b8fcbd4533a7bd4

SHA256
6bf4fb19d63e66a4f6dba1efd2439bc73ca21670030550a5682b323fdcac2176

SHA512
aa7710ad8714c96f975645acd0cf2a9613b320210ba3457039f85f1291af965c1e5fbe63f85576eaf36e3aed652f9c385b5a188565d4bb18f3e1b42f6e4d44a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
176B

MD5
60e2d8715b5bddf19149c93f9bea2abd

SHA1
634c57995fe299faf59da6f288cd87538e287e46

SHA256
e7e2e9029760d1b02048f491b3eb8958b3dd3562a28086a54c10874b5b379714

SHA512
d7cbc82d56bebe1168ea1e11283d65e18fbfbbe1e36cbadb25f96df7c577330256a167193166a50789e3aa1aa723f7c31f6cd62283fa38c1c64549765358b975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
10d265723d5e86e68a4294899625c66e

SHA1
782851f8486202c3bc40f22da4359432c8a70cbc

SHA256
a340ae5f6b248010406cc291b5e3493356f661d7fc672437b982fbe98aa782e2

SHA512
a40ce3549a3aabbc4248e083f588e46898a83495f9bbf48b5479288c71543ecc486fbe9cfe733c65ffa8a5576c2aa17efd30f2edddd27f68a0b57211d75e6820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ce6925217e8755aca78d33205d6d39f

SHA1
e5bb9d7a8950689ed7c134b30cfaabc827473ddf

SHA256
a4fc79909f30eb5d691b442f88d6d29dfb03024e9455c9d800a060b1db1f248a

SHA512
2fe07e9816323d09279bf0076c6060e004b70e6058a1431cfd443a4dcf34a5d5e86f25ccbbfdc6f2900a6a5cc10b6263a4b4e09c840e72991377ddafc84416cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
243cbc4f4222654a781bf5a384c08f53

SHA1
cf7e7e298125700bf7cdce480825728b6c4ce169

SHA256
d96252da9171d2dfc7adfa3ac1f998407e185ba0bb64c18e77906af8777e9011

SHA512
bbca64364a4a52b29a2f30eb3d6980e11309ecbb5a07a8508f3c0475662728fb5b0ef9596335d719fcfca9480b95f31c9cdea1087bee9addc5ddb58fd428b7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3821f4f7ee014d06afb6d945a8272305

SHA1
00165e5b2a6ea7a9023c1f42aeff82b0de1b9dd2

SHA256
d1a6f1c7bfda0fda716cb579709e3da889f6cb809d4a471990d03fcbca29e51c

SHA512
bf75e9f2cafc43d0541e9662a378eff897e8301631c734d18afcccb3a8edd3b49384b5f41e20dd066faa220449fafaa6eda479b08c83e5722d207095c3c55cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e61c1a197d647a116d21ea9ac71f31fa

SHA1
2b1646028a7d84666ea023b4d20569ae405816ff

SHA256
3863a44dc17838f346ba566246c71dea5e3cb5b1c9064b436e199265a8412d78

SHA512
72053ea723da9ebda2ca741bc8854dc6435e64231e103d6c6b976b895eee8d6523920cf1430b9707c347129dd8b9daa861287efe64288c112d64c37f04e99d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5830ee.TMP

Filesize
48B

MD5
86d8926826202546d08c008650261edb

SHA1
3eb32c70b6fecd9428d2c07bfaf310ac50cb240e

SHA256
451d3ad97c699a050404c9db07a694575e9e73a4b548cb18a3b1df84a8c5659c

SHA512
97a2df7e0e78ebee803198800921bf11f4c7ad70842dad8c3c6a55e126cc2a9d02bb2e032102cc12f024805fe9b3eca92a141f8c9e9a37447baeeba27364668f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
44abc7a58f22146328e23b8702e40f53

SHA1
2f5c2c946e6f11e73601aeee26d2c4d626c450e6

SHA256
73c7a00b9bed9fa21eaba1ca543eb8be8385a912c98434cd234477387a06f76f

SHA512
57124c5fc4331c811768f66773e2454c2a87560cf39e0284d08b113ef852d76eec36ad207d54eed60563366b82bb7843a997a258026e50227e47de0536fa81ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591d33.TMP

Filesize
203B

MD5
53e2dad4999233d30b82184935852759

SHA1
fd417f4fb602242f1bcf40a4be2cfa78464d2d2d

SHA256
2f611343945ca88de9b5c354309801ecfb330ecfc93472e736ded05beb079c86

SHA512
e2d4828ee2e5961410029d538987a8d5588c27a1c86b9be1621b5f2bc0ad7bcdd86254fb53cc16f4dfc8eea10f017bfb9030978bc793a2965d0e7dc80b94b2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b250c68f849816b1063494fcd6861f93

SHA1
580b25944a61af8cf664826b1bd60b8aba6f3ab2

SHA256
e1cc377e79e6a440b5fcb5f074eb5b6a6522e12f961f7692b0ed80cd455f5c72

SHA512
6b39cb1071f9c5e44162da15eeaf82674453f0832af809138b216258fe8754ac8339b5ce14e911e5f2f27b93cc21d84f3895334c9ef932dd993b9971126b4f01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7e1ffb46fe94dd009d7fd37f09a0c6ba

SHA1
737c24afff0bf1d0cbed37bfd94432f8f1ab2627

SHA256
28ce0520567ff089f2c18508d46adf4ac9f6ee8b276db2311406f3c00a7a26fa

SHA512
360727a96c088603166818e3e7f6963cc563435d5b978e7acba13181b511529ddd6e69963fcd770409e03ce1e7bb32e57e23dcf8bc9f94529a08ddd40e3a996f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4a74ffa6580151ce5d981808381b08b0

SHA1
a9a26c3491e7315d939fe0e47d13aa201749d628

SHA256
f17a3b14055471cef82f8094b1859c07387e161ff9296d7630d736d30838b7e7

SHA512
ea2d5e49f98cf453562a9959342dd8256240ffb1653b340039d72b855cc4bf70777181afc9be45849241185e3d02f85e4ba9ce9f778413cc84ffe4b74281f61b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
574c2b0c2adc099c706180fe7eb91717

SHA1
dce61bee0206bc54a29be20144d33eb9ca851c91

SHA256
e0c7423d44b5f8fa2d7a9ee94536db4381b00cf7d8be8a5fa7dc7e285fd6dadc

SHA512
b45afedc5408574bf0a8d28696a474ff192d4db0fde96598779dec25eb406bca1680dc0da9292d95999f554e69808a5ebb2acba83a65bbd7316b74ba32fbfd46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08e5bd114f0e49be95c2d1885d445aa3

SHA1
46a0272e49ff4f6193884ebdacf789ab900bdf69

SHA256
fa96d77b59535e62bb555d3d3450ae516b25b6d7f2eaeac837015ba1a351618a

SHA512
f394a12a236a5d9133f6faa0987d6d6048a44213ec4f727cb9336d743491838c52bb23b99c95b2926093ec98d249657eb8b35ac3f2447810b4efd188d0fe0cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
b0dc7c3718882fe730dbbc1b681bfc49

SHA1
03a9c793855b3fc4a82d48a70841ab547cfb9943

SHA256
05b199d4f0d7025646593db4f3d2a22a44e4e64438668d34ec6a3a31afe249bb

SHA512
c927720f5387ba226136b57bce9fb7f37917478d42a466aa9b175561bb5aae6837f82b3b45a3b285460cecffd40742302ce607c58dea83b8a8704eef783c9601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf1b06b44fb8bc1a4f25c85e70937782

SHA1
c4adeae41a97fc11d407c398040dd109873fb2e5

SHA256
04ddc18714503a6c256830af58a731df9d9ad479e87663787e0fa92424c9b743

SHA512
07fcfc741b14ef3551fdc53a08e31020fd9e1d43ab637535a11e318c9f8d48ea37cae3913539838e74299952a868a7824982ad5dc887992686d45050cc1fc7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2984662ba3f86d7fcf26758b5b76754d

SHA1
bc2a43ffd898222ee84406313f3834f226928379

SHA256
f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

SHA512
a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hgq0xoow.mwt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\BootstrapperV1.17.exe

Filesize
406KB

MD5
e550a99ab769908b93aa428a4906272c

SHA1
fc159284f9a9a591dc869e800e8ed7d9d64681e7

SHA256
459240cbe0b667358ebce8e635eaa0ca6695e70e116a04fb6a7e70c3f1024726

SHA512
418dd34a86de1826f09185998a3a65c4d79198f14bbe31761d5ba4d2135c2be7a72155df245b278a4581bd23b6461e47233aeb87ee84527846d1fbc33751a533

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/5624-272-0x0000028D6E050000-0x0000028D6E062000-memory.dmp

Filesize
72KB

Download
memory/5624-271-0x0000028D6E000000-0x0000028D6E00A000-memory.dmp

Filesize
40KB

Download
memory/5624-235-0x0000028D6DFE0000-0x0000028D6DFFE000-memory.dmp

Filesize
120KB

Download
memory/5624-233-0x0000028D6EB10000-0x0000028D6EB60000-memory.dmp

Filesize
320KB

Download
memory/5624-231-0x0000028D6EB90000-0x0000028D6EC06000-memory.dmp

Filesize
472KB

Download
memory/5624-202-0x0000028D6C330000-0x0000028D6C39C000-memory.dmp

Filesize
432KB

Download
memory/5904-212-0x00000267B6370000-0x00000267B6392000-memory.dmp

Filesize
136KB

Download