umbral | hxxps://filelu[.]com/5y5vsq3mj8qx

Resubmissions

14-08-2024 11:50

240814-nzj3nsvfqm 10

14-08-2024 11:39

240814-nsk2dsvdjj 10

Analysis

max time kernel
176s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filelu.com/5y5vsq3mj8qx

Score

10^/10

umbral credential_access discovery execution persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1272582866076700683/3YAp1kS3z07b-DUifLY7yLJKkBCPPn9f8dqaRRUPaG9kzblUQIQF9ZwmIjGuUobhSw4K

https://discord.com/api/webhooks/1271643069317644288/Yi3JdjrXJ2C95angH0OndOPpWxWydgLtEZVOUV6s32Pf81SxCWBNaV19zjvPX6j0yW0O

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00090000000235ac-745.dat	family_umbral
behavioral1/memory/6132-747-0x000002734C110000-0x000002734C150000-memory.dmp	family_umbral
behavioral1/files/0x0009000000023416-846.dat	family_umbral
behavioral1/memory/5704-848-0x0000020458420000-0x0000020458460000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3604	powershell.exe
2896	powershell.exe
5776	powershell.exe
3984	powershell.exe
4540	powershell.exe
4568	powershell.exe
5676	powershell.exe
5292	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	update checker.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatecheckercitron.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\citronuh.exe	citronuh.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\citronyuh.exe	citronyuh.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

pid	Process
5996	7z2408-x64.exe
4180	7zG.exe
6132	update checker.exe
5704	updatecheckercitron.exe
5352	citronuh.exe
2660	citronuh.exe
2712	citronyuh.exe
6072	citronyuh.exe

Loads dropped DLL 64 IoCs

pid	Process
3476	Process not Found
3476	Process not Found
4180	7zG.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
2660	citronuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe
6072	citronyuh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\updatechecker\desktop.ini	7zG.exe
File opened for modification	C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\updatechecker\desktop.ini	7zG.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
192	discord.com
193	discord.com
182	discord.com
183	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
201	api.ipify.org
202	api.ipify.org
213	api.ipify.org
174	ip-api.com
189	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000900000002340d-939.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4164	cmd.exe
4880	PING.EXE

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5984	wmic.exe
5916	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{F121D1BF-9585-4AAB-AA39-BD373D3B7BBB}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 43561.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4996	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4880	PING.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
1772	msedge.exe
1772	msedge.exe
4424	identity_helper.exe
4424	identity_helper.exe
4952	msedge.exe
4952	msedge.exe
5888	msedge.exe
5888	msedge.exe
5460	msedge.exe
5460	msedge.exe
6084	msedge.exe
6084	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
6132	update checker.exe
6132	update checker.exe
5676	powershell.exe
5676	powershell.exe
5676	powershell.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
5704	updatecheckercitron.exe
5704	updatecheckercitron.exe
5292	powershell.exe
5292	powershell.exe
5292	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
5776	powershell.exe
5776	powershell.exe
5776	powershell.exe
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4180	7zG.exe
Token: 35	4180	7zG.exe
Token: SeSecurityPrivilege	4180	7zG.exe
Token: SeSecurityPrivilege	4180	7zG.exe
Token: SeDebugPrivilege	6132	update checker.exe
Token: SeIncreaseQuotaPrivilege	4408	wmic.exe
Token: SeSecurityPrivilege	4408	wmic.exe
Token: SeTakeOwnershipPrivilege	4408	wmic.exe
Token: SeLoadDriverPrivilege	4408	wmic.exe
Token: SeSystemProfilePrivilege	4408	wmic.exe
Token: SeSystemtimePrivilege	4408	wmic.exe
Token: SeProfSingleProcessPrivilege	4408	wmic.exe
Token: SeIncBasePriorityPrivilege	4408	wmic.exe
Token: SeCreatePagefilePrivilege	4408	wmic.exe
Token: SeBackupPrivilege	4408	wmic.exe
Token: SeRestorePrivilege	4408	wmic.exe
Token: SeShutdownPrivilege	4408	wmic.exe
Token: SeDebugPrivilege	4408	wmic.exe
Token: SeSystemEnvironmentPrivilege	4408	wmic.exe
Token: SeRemoteShutdownPrivilege	4408	wmic.exe
Token: SeUndockPrivilege	4408	wmic.exe
Token: SeManageVolumePrivilege	4408	wmic.exe
Token: 33	4408	wmic.exe
Token: 34	4408	wmic.exe
Token: 35	4408	wmic.exe
Token: 36	4408	wmic.exe
Token: SeIncreaseQuotaPrivilege	4408	wmic.exe
Token: SeSecurityPrivilege	4408	wmic.exe
Token: SeTakeOwnershipPrivilege	4408	wmic.exe
Token: SeLoadDriverPrivilege	4408	wmic.exe
Token: SeSystemProfilePrivilege	4408	wmic.exe
Token: SeSystemtimePrivilege	4408	wmic.exe
Token: SeProfSingleProcessPrivilege	4408	wmic.exe
Token: SeIncBasePriorityPrivilege	4408	wmic.exe
Token: SeCreatePagefilePrivilege	4408	wmic.exe
Token: SeBackupPrivilege	4408	wmic.exe
Token: SeRestorePrivilege	4408	wmic.exe
Token: SeShutdownPrivilege	4408	wmic.exe
Token: SeDebugPrivilege	4408	wmic.exe
Token: SeSystemEnvironmentPrivilege	4408	wmic.exe
Token: SeRemoteShutdownPrivilege	4408	wmic.exe
Token: SeUndockPrivilege	4408	wmic.exe
Token: SeManageVolumePrivilege	4408	wmic.exe
Token: 33	4408	wmic.exe
Token: 34	4408	wmic.exe
Token: 35	4408	wmic.exe
Token: 36	4408	wmic.exe
Token: SeDebugPrivilege	5676	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeIncreaseQuotaPrivilege	1876	wmic.exe
Token: SeSecurityPrivilege	1876	wmic.exe
Token: SeTakeOwnershipPrivilege	1876	wmic.exe
Token: SeLoadDriverPrivilege	1876	wmic.exe
Token: SeSystemProfilePrivilege	1876	wmic.exe
Token: SeSystemtimePrivilege	1876	wmic.exe
Token: SeProfSingleProcessPrivilege	1876	wmic.exe
Token: SeIncBasePriorityPrivilege	1876	wmic.exe
Token: SeCreatePagefilePrivilege	1876	wmic.exe
Token: SeBackupPrivilege	1876	wmic.exe
Token: SeRestorePrivilege	1876	wmic.exe
Token: SeShutdownPrivilege	1876	wmic.exe
Token: SeDebugPrivilege	1876	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5996	7z2408-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1284	1772	msedge.exe	84
PID 1772 wrote to memory of 1284	1772	msedge.exe	84
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 400	1772	msedge.exe	85
PID 1772 wrote to memory of 468	1772	msedge.exe	86
PID 1772 wrote to memory of 468	1772	msedge.exe	86
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87
PID 1772 wrote to memory of 1436	1772	msedge.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5788	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filelu.com/5y5vsq3mj8qx
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe26cb46f8,0x7ffe26cb4708,0x7ffe26cb4718
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5888
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7580 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6590661363864155750,15594141981255563324,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6412 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5736

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\citrontoppest\" -spe -an -ai#7zMap21563:88:7zEvent6693
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\updatechecker\update checker.exe
"C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\updatechecker\update checker.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6132
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\updatechecker\update checker.exe"
  2⤵
  - Views/modifies file attributes
  PID:5788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\updatechecker\update checker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2032
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5984
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\updatechecker\update checker.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4164
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4880

C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe
"C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5704
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:6116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:5320
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5284
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3984
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5916

C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
"C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
1⤵
- Executes dropped EXE
PID:5352
- C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe
  "C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2660

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4996

C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citronyuh.exe
"C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citronyuh.exe"
1⤵
- Executes dropped EXE
PID:2712
- C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citronyuh.exe
  "C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citronyuh.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d121e7195d22beace0cb381219d8cc88

SHA1
2d7c10095365eb86feb975eac7e7f8dbf391b4f0

SHA256
9792c5fc4887f3e6b54a0e0c90171dacaee62dc3431e59dbef095d4f7a0adb3f

SHA512
ce915ba70dc9b3f2685cf5f73ae955c822f208500ca262bddf0f25578408d8620abd0690b1b06e43284e62884e8dd6ad0f9cb12ca69398f87d66a276a9c6d086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
be6d51907ff84efc38c7d6782c8d1226

SHA1
a5781ced4ac3a54cd4854fcee611832113c393ff

SHA256
bd7e76a67897e6323e396a63aa9801c1e2d81f54258fa1a77da4c6d84dcfb4b3

SHA512
d55d5671ea8fab6f8deab05e31abf92f7fd6507404dd0b4816256d777fcd2bbd69388df75137becb3ee06368b9391f55042d44e5778f89d9b76d06c60e2d81ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
1c03214665f716c75ebd70ffba23fb68

SHA1
15a8afc5e257f0f3113128092b4b021df6f17f55

SHA256
a4f73f0023dd9f3b8dce7fbe6684c4f8fcc6e7c80222a0616049f241e0f559e8

SHA512
5952971f932873964261e28fe8ca99961ae5b2db07f4b7ea701cc9b0ed328b2cd3d0d1c3a2f7dce4f69d1ba8bcb4000abba38c1fbafb6e1e7e56aec88bc6e008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
13KB

MD5
fc1cab5fa61a7898650f4d3776349b83

SHA1
d2cb52ac6b6c7d99fb4421958371e585b8071536

SHA256
494c582791ae92db4417bc6e519418b8138b1a3b02a97c550f13aa52d5d4917b

SHA512
dd4c3bc106564c5c6f5ed4b9f1b9a2c934ee86010073ee3100ffad8f0bebda7c94418e974fe76486ed3076fd9aa075d23b1bbf84fd03a31bb494834860d61704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
48KB

MD5
7b6532bd7cae5957dd923cea07c10f01

SHA1
09933f4c62435e5c14b010354f769cbd142c02a2

SHA256
b59c191db4d496b52a0e6a410695cbb90f473f6d94c17763a2acc35bbf3db751

SHA512
e0ca450361925e8ee58191f5d3463fb06956cbb210bcb8b7aa390babfa7af5159481747046d8ae0beb03f1cc083fee34002d0ea9db4a40f0d8f94f5edd3e5fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d0b5765f140a637cc289721cbf3cde86

SHA1
9d5b572fc62832405fe75828dc519333c3e4b083

SHA256
9ef748eff778a3e38481e42b1a445430791fb886807c20189f3633e0ee91a1de

SHA512
3d6f3c7f6a04d85f05cb73925e2421fe5cca17f2c91944d6a904d82221e49d5a11b07e2cb6104819d977a570c76a3947d21b3a78150f04b7bbfe012909d898ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
cd025c4d4671e5bcf257a8be49cfe440

SHA1
f83a8626ad0c330425eb95ab0d0e58b551917e29

SHA256
9c963d758902cf93654862337073fdec5d6960fcc312c7d3b169d990c15c52b1

SHA512
178c9b0671cf3ec773fa56d8925106fa8c3b1d704e1aa1890f983de0af7c99100dc0815a96b1d0ad3fa33ea1086cfa9e2e1023ef5a977dc6043d7fc03b0cd33b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93d430522dacd7c9c9675733a83b35ad

SHA1
5e7bc1fe5398058b50a055bf7199d20d01c8ef71

SHA256
9d33424fab74c97014981cb672703012cedebe2949d2a5c2e3e17f5c376ff087

SHA512
0082fcd055faf75762d83217242fdee6568af81df70b26b6d0540f32783b1dadf77350743a531d781049802842602312e5c7c086bfe056883e86c60669d38333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ad6aef21e8d4e41e606fd949b2e3cf97

SHA1
3d61f310421238a871d146c54e7790189d7ad807

SHA256
d36193ec7f8af34aca796dc6d06f28ae53b9e5fedfa742b1cc0123a928fa2dfb

SHA512
18bc380cc376cf51ef68c15182f9320888a27aef8e9d4e52c70a8c9770c292b82e1bdebaf6a53a6b15e0279291e53ee9052bd6eca10fd8d487b2286b41245398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bc128f061b1bf0a6f1c250fcc6094b0e

SHA1
6271a52a5ce56e0f9ab910ec8af558997f8fa46d

SHA256
6d7780d8bc94d9ef480d00ba579f5e4dc7e9a985ef241c8dfaf92dc20a5e515c

SHA512
b4dcec6e77eeb55d9f367a9557018dc3084bd393faa27b5cfbc26c3897ba0d075d0f2ca887579073796bc0b04415a767e8e93e1f24a906b112a88a9a4bd004bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7f8bfc58fc91a849cf850f4dadadca68

SHA1
fc30e2b9d34f0536c20ceace629a5cf4b2a2bd83

SHA256
f0cde9d92929699fc3664783c4d31fb4971ae78658aae21f6d242e5145047605

SHA512
8720a1f3ca4e82dd37d5948c2572e00ab3a99edd9dbec29ababdf4fe3f64413e5455e668511548182fff8db483bc3442815686b75f0dbfb9426f7b824e46d10c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
592ceb333a86d8209ffe6b8a31235813

SHA1
a8175f8fd76491996b01337376b1a74be1f29ce5

SHA256
8f5b5d7e23e0ff747bffae0116d190bfe480e1b2390001c0215351bbeeb6ea9f

SHA512
fe05910b82c8d24a85dd609cd750db414604a677ed9b865778521b4dc6e35960a4fe83a5d5f4206d7ef6b16b77393d65390223469731f7c73c7c7bf6559f8539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
731a722fe29cc4dbcaf5329b2037fde6

SHA1
c49d087d8dcf1a6db9533c89dc1642bfb46f842d

SHA256
740b5ae8ff43f2c268366826d862c9a2a9438f9f741e1fc9fbb01bf79a481166

SHA512
a08991a3f1b465376a72e672f3989751e3f46cf78fd7e7adbc160abcab178d9308b6c0fe6db50b54491f483bcfd005af4703e5c8874841823b5e042d8ba84eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4175eb546d1275677a48832de444d208

SHA1
4f13504c579654c52ee956ad4a11f9825e0600eb

SHA256
58815c413c03fe42ddf4741e29ec459a6c14b848afcc5283b0e700b3e91b5c84

SHA512
472eafbeef217fe68c691fd717971403e2f2bdd604909e8d80650acc4527cb38b9612640de6be6c4a825048b9a23c752990a2c10896f1cc3869b63c53e855873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d745.TMP

Filesize
705B

MD5
55feaee0fa8983d56aac27ca41ea62a5

SHA1
e3b24b4c20211c9ecd55228e0eeac69833853f82

SHA256
9745ca7b3fc307a4b3ec6831cd2d69f8c1fdfe7f44ef7dd28352e45328e95639

SHA512
e85d3eec7fa53ee1995b7399609dee8fdfd8569ea8e99c40299edceda7828d3bf44fd520acd46d3779db7a43fd176d64e830346484dd1a07d56b080ef3aff682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e34cda719ae23c086c6de521bed18c8d

SHA1
4806405107360100948607e4e31e53f8f934511e

SHA256
b530d9209cc4470cc860d351d55d1f9d4a6e2d6c07ca7a36fda85988dabfa9e2

SHA512
c2e7ff1fa3653a355e82c6102484e3120821779fc39f5b3f68ee86a43762c1f584b54c8385a641418cb72826e61c0a9a3a57b57c03651f15c75a4cc929dac0d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ebe461d0dc8e274631bd28c21e46b5d0

SHA1
afc45a6bb67eb7f61e14be9abf9a44cec1e369c5

SHA256
8a92514f8b3a82255172fe81d0285da92414ff7f47b5783f76296cee609c4847

SHA512
30e48b7ce54a87c360e3df27140e1cf9ce6c93e7eddef5c11b3ea1c9c48fef700248d3593b1b0e41377206b1b7b6d947f91ccaf7168eb2e7bc65ace968e39d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
de1879d081b6dc79fe87a4444702e145

SHA1
fd9507a8597aa04a78f94f34247224f511496ce7

SHA256
64ccafff05d19888127fe340676b6f00ba47f0c6198cfe03689c8c9deca48239

SHA512
f01a64045eba0a53711a231cf12622b0b799d9f88a806e0c241bd07636c445d1d964fac2d82f14b971e5e2e849d66164361fda0457e1f437e135ff37f9cf40bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
56af674bf49218c7dea0ebc93fb00327

SHA1
a451c5d3ab5bf6f53082e9fe2f3a247ec420436c

SHA256
ecb964b5567fb21d1cf336508bfe4fac8a877c638a63158b09cbfe9666981ab5

SHA512
5ac1edfedd6b54815f6b1666716841296df7c0d1262c956fee5caf72d75d117573a2c05bfc4cefcbd68b6747f0aeaa0210ed8f8653615896b3f0610d71730424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0b8cb2e6dd5794b6a56a4bdbbd430fd7

SHA1
2b08e348c3489c6a35761af073018e3784c12074

SHA256
bcce0d44e33747e4c39df9afbd0a4e98a47ded0188375e4dfdd94cafbb366e1f

SHA512
15ce3b588aa80899f69b0313c7e188d886bddbd09783ca732ac33f9ae8e4e017a72b6f98919f581383a4582732575e5faedb0dea87e01cf2b657424945fdf4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45ad40f012b09e141955482368549640

SHA1
3f9cd15875c1e397c3b2b5592805577ae88a96cb

SHA256
ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce

SHA512
3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
736626fa9fb9bd9558d1e3e09997f251

SHA1
85855b541c34acf7c937a54584fbfc9e73efbcc7

SHA256
e9a5adddb6d59595484a29216062feb1e18d7aa8b4e89b8d5a0ceb06399d53f3

SHA512
be1437dcb23013b4419f9f0068e924b84f4d5b322485d92e4b3a1c88b094bc6bcee042909c287e836dda77b024b31bee9512cb20ea005ba6dc1bbce33556c40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e136966aba3500e5d57bcfc57edb3be1

SHA1
3dc5f1c1888b68da52706fb5fb053a86d5ac4c8d

SHA256
55f1c311ffec50f6d364764298fcb3172f034ad47b32eea2941bdaab95e369b0

SHA512
118f09f6b0a690641abbae52d5e4fa71493553eadcaee9639e59d671ce64576709b3ec3d94e9cfd066f94774590f76de0796d503c73e432f0f3412f5a97aed81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92382908106bf04aac6575ae0e55073f

SHA1
b164dd606b60ada42fe843963f95e14e92d5d86a

SHA256
1332dc373efa610424b48ae9955247275f4f94cfeecec93a5121784ed8d6b3db

SHA512
d6ee3e3776f683b2a4eaf4fd92e2cd2b9412d85fb57556130d8cabf52e180fb17b5dcdfec9ccd0b3b80bed2816c0bd2d25de35580b859e7799b7cb61071edb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53522\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53522\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hryuuwev.psn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 43561.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 973871.crdownload

Filesize
20.1MB

MD5
5e131a86cd31956352cac58d98a275a7

SHA1
09acf0a4eb451fa3de4c7c7cee07ff3c0752a024

SHA256
15a4c6795003d2ab0a1bbc6adac777e776ba6d885b1cb5e4408992fa567b6506

SHA512
32c33c76c8782592de9615509bb0809f720d9980e79d757eb1b89f16929319a2206db31f941f88c8f6f86d753ff979c1070544d6fbc87298ca40fc2de0496c53

Download Submit
C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citrontoppest\citronuh.exe

Filesize
10.4MB

MD5
3d7eba8252505d427990ba538c281293

SHA1
673a164fb8c8e9526ef90b103d1514decbec3e43

SHA256
825bd8a21087e0a8eb45f9c0891f3258704667b137630387df17a17fd41635c2

SHA512
bf6035fb59e51e96592b321ff4502ffe37637b003417e37becc8e19b7326fef46cfc54d89b0a5d32084d67d1170f21032a9a71e565f51e2b0291a2f187c60613

Download Submit
C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\citrontoppest\updatechecker\updatecheckercitron.exe

Filesize
227KB

MD5
a6db1722b4ed09cd06fbdf6f80df47da

SHA1
1fe86fceb4884cb37c4187591ccecd7a4c4d9c15

SHA256
ed1deb13b32c20b6cd35d50351c78d3729315dac5da6f5795dae2c14bed8520b

SHA512
61542031f6f60fca814400c9ec21c0eefa15422646c30b5b3192231a4d5a5845681f7d619818fa0c7c448f860101790d7971c80aa90637e58956b33023079785

Download Submit
C:\Users\Admin\Downloads\citrontoppest\citrontoppest\citrontoppest\updatechecker\update checker.exe

Filesize
229KB

MD5
4167d5288d96609ea8905be4f94ccf47

SHA1
19740023f622de18b55ae9843be93c3c639a7d5b

SHA256
91119d0e0f25371a4edbe01be3732084c0020300b98050b5d966b338b0a1e4f7

SHA512
a7faa3f75cc2d4f3f6690b75ed7113671fb0aba636dc30308b255ba5ee655e37a8ffdbe646e9780c5b9bfecc877b2178be7bdac89ebdc8ef805c7a6810924cd3

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/5676-753-0x000001D412B10000-0x000001D412B32000-memory.dmp

Filesize
136KB

Download
memory/5704-848-0x0000020458420000-0x0000020458460000-memory.dmp

Filesize
256KB

Download
memory/6132-819-0x0000027366830000-0x0000027366842000-memory.dmp

Filesize
72KB

Download
memory/6132-818-0x00000273665A0000-0x00000273665AA000-memory.dmp

Filesize
40KB

Download
memory/6132-779-0x0000027366560000-0x000002736657E000-memory.dmp

Filesize
120KB

Download
memory/6132-777-0x0000027366960000-0x00000273669B0000-memory.dmp

Filesize
320KB

Download
memory/6132-775-0x0000027366890000-0x0000027366906000-memory.dmp

Filesize
472KB

Download
memory/6132-747-0x000002734C110000-0x000002734C150000-memory.dmp

Filesize
256KB

Download