umbral | hxxps://gofile[.]io/d/UMIu1A

Analysis

max time kernel
122s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/UMIu1A

Score

10^/10

umbral credential_access discovery execution stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/5836-154-0x00000186C75C0000-0x00000186C7600000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5136	powershell.exe
5616	powershell.exe
2368	powershell.exe
4460	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Emerald.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
87	discord.com
86	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6000	cmd.exe
5592	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5524	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{A9B0B881-6AB2-4F29-9687-820F1C6DB9AB}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5592	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4492	msedge.exe
4492	msedge.exe
4660	identity_helper.exe
4660	identity_helper.exe
3564	msedge.exe
3564	msedge.exe
2800	msedge.exe
2800	msedge.exe
5836	Emerald.exe
5836	Emerald.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe
5136	powershell.exe
5136	powershell.exe
5136	powershell.exe
5616	powershell.exe
5616	powershell.exe
5616	powershell.exe
1416	powershell.exe
1416	powershell.exe
1416	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe
5708	Injector.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5836	Emerald.exe
Token: SeIncreaseQuotaPrivilege	6044	wmic.exe
Token: SeSecurityPrivilege	6044	wmic.exe
Token: SeTakeOwnershipPrivilege	6044	wmic.exe
Token: SeLoadDriverPrivilege	6044	wmic.exe
Token: SeSystemProfilePrivilege	6044	wmic.exe
Token: SeSystemtimePrivilege	6044	wmic.exe
Token: SeProfSingleProcessPrivilege	6044	wmic.exe
Token: SeIncBasePriorityPrivilege	6044	wmic.exe
Token: SeCreatePagefilePrivilege	6044	wmic.exe
Token: SeBackupPrivilege	6044	wmic.exe
Token: SeRestorePrivilege	6044	wmic.exe
Token: SeShutdownPrivilege	6044	wmic.exe
Token: SeDebugPrivilege	6044	wmic.exe
Token: SeSystemEnvironmentPrivilege	6044	wmic.exe
Token: SeRemoteShutdownPrivilege	6044	wmic.exe
Token: SeUndockPrivilege	6044	wmic.exe
Token: SeManageVolumePrivilege	6044	wmic.exe
Token: 33	6044	wmic.exe
Token: 34	6044	wmic.exe
Token: 35	6044	wmic.exe
Token: 36	6044	wmic.exe
Token: SeIncreaseQuotaPrivilege	6044	wmic.exe
Token: SeSecurityPrivilege	6044	wmic.exe
Token: SeTakeOwnershipPrivilege	6044	wmic.exe
Token: SeLoadDriverPrivilege	6044	wmic.exe
Token: SeSystemProfilePrivilege	6044	wmic.exe
Token: SeSystemtimePrivilege	6044	wmic.exe
Token: SeProfSingleProcessPrivilege	6044	wmic.exe
Token: SeIncBasePriorityPrivilege	6044	wmic.exe
Token: SeCreatePagefilePrivilege	6044	wmic.exe
Token: SeBackupPrivilege	6044	wmic.exe
Token: SeRestorePrivilege	6044	wmic.exe
Token: SeShutdownPrivilege	6044	wmic.exe
Token: SeDebugPrivilege	6044	wmic.exe
Token: SeSystemEnvironmentPrivilege	6044	wmic.exe
Token: SeRemoteShutdownPrivilege	6044	wmic.exe
Token: SeUndockPrivilege	6044	wmic.exe
Token: SeManageVolumePrivilege	6044	wmic.exe
Token: 33	6044	wmic.exe
Token: 34	6044	wmic.exe
Token: 35	6044	wmic.exe
Token: 36	6044	wmic.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	5136	powershell.exe
Token: SeDebugPrivilege	5616	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeIncreaseQuotaPrivilege	5448	wmic.exe
Token: SeSecurityPrivilege	5448	wmic.exe
Token: SeTakeOwnershipPrivilege	5448	wmic.exe
Token: SeLoadDriverPrivilege	5448	wmic.exe
Token: SeSystemProfilePrivilege	5448	wmic.exe
Token: SeSystemtimePrivilege	5448	wmic.exe
Token: SeProfSingleProcessPrivilege	5448	wmic.exe
Token: SeIncBasePriorityPrivilege	5448	wmic.exe
Token: SeCreatePagefilePrivilege	5448	wmic.exe
Token: SeBackupPrivilege	5448	wmic.exe
Token: SeRestorePrivilege	5448	wmic.exe
Token: SeShutdownPrivilege	5448	wmic.exe
Token: SeDebugPrivilege	5448	wmic.exe
Token: SeSystemEnvironmentPrivilege	5448	wmic.exe
Token: SeRemoteShutdownPrivilege	5448	wmic.exe
Token: SeUndockPrivilege	5448	wmic.exe
Token: SeManageVolumePrivilege	5448	wmic.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 5084	4492	msedge.exe	83
PID 4492 wrote to memory of 5084	4492	msedge.exe	83
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 2936	4492	msedge.exe	84
PID 4492 wrote to memory of 4496	4492	msedge.exe	85
PID 4492 wrote to memory of 4496	4492	msedge.exe	85
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86
PID 4492 wrote to memory of 4316	4492	msedge.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6124	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/UMIu1A
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7b6546f8,0x7ffa7b654708,0x7ffa7b654718
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1988 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=3644 /prefetch:8
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,5782099553400052574,16378955077976207259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7696 /prefetch:2
  2⤵
  PID:5300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5272

C:\Users\Admin\Downloads\Emerald X (1)\Emerald X\Emerald.exe
"C:\Users\Admin\Downloads\Emerald X (1)\Emerald X\Emerald.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5836
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6044
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Emerald X (1)\Emerald X\Emerald.exe"
  2⤵
  - Views/modifies file attributes
  PID:6124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Emerald X (1)\Emerald X\Emerald.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5448
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3464
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5524
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Emerald X (1)\Emerald X\Emerald.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6000
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5592

C:\Users\Admin\Downloads\Emerald X (1)\Emerald X\Injector.exe
"C:\Users\Admin\Downloads\Emerald X (1)\Emerald X\Injector.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x2f8
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8e2e7684288c2cac5ba8e6641756c0b7

SHA1
054e84135408ce69031225391599b9a88db31aa1

SHA256
ee50e73d5c3881cf7ecf12a9f8762c2c15e727e16e681ae331454f0be9576596

SHA512
185c45a654e3ed432380cf52e9842528ddb7ccc4d77d184f327e07e5079c3c9a00b88a7f51a3b871ca61c0eaba4f42852cf54a9866333935a8695d57878a1413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
3bc85f335f7aeeba502b8f1f2b0e4b8d

SHA1
dff00575e5f9e36a481ea63de7091ba0e51b2458

SHA256
0a553c5d68cd6314fed68979ba98c64a9ec043ffc4c88b9218774581bbd2fad9

SHA512
44d8f96d33a58a0984d03cc5552f64cadc6246eb2146d6f79191954533b2968bae2d80962c271fa13bbdf3eccfc070df725e9bd5f4b074e620f6ba5c6d010c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
bf3db39dc490f23a95c76b0418bab286

SHA1
8bfef8ce9a2802e80ba1a19d13870aeb85a80791

SHA256
77d35f5021635d97da4ce989642756c553252c23e7b5bc15f47f67c373f60a95

SHA512
d852a67032de91cf5fd97e8ef72d1fad6ffedad438e18e806c862418932c82d4155d6f9c3e61b18dbd247c721dfad99f8e042160e31b3083f2a4fb0dae8b66d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
509B

MD5
cd69f201c8c61c32cf627ee27264fa1b

SHA1
944d388a06f8671271877ab89580dcd42e83dddd

SHA256
9c07c7dd11d505c972131fdaffe8a6a3f2deff88f2455bb2f7f4c2cf8b6d4c93

SHA512
b1ed98f25df3d113f72386b07fff950ef84a01145d8036bcf6c69d7c849db142f0622f89714c60ec90e99cb2ccf3380ca1fe2941916e5c05ea8751121c6825ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
999B

MD5
0d2c92c1fb0604112aea9ba2bac3b230

SHA1
1463212fa46cef53fc39ecdd08681a0a927a7571

SHA256
4839ef4e3038330e3efd09a8dae0dd5a17a4838130575a10a3f96c9eeea2caf4

SHA512
e8f5fe8d68ff81343f32ab9b2c81009c602828fcfef4586c3116b694aea224ad915747ab83b08ee2d9502e438e2fa87006489d28c8bc13530bd739b15cc1830c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
999B

MD5
0bb76a1738e2beb931f0904fd3b9252f

SHA1
ef6282a92752c6eb122fdcf26e3cc41ebf27c570

SHA256
361727bdba3fbc67b2d17c4cd9fbe920edf47be4858e2d6849fdb5be51a7d167

SHA512
af951c41bec5182f4ea73f6b5627b26e1048bb936429c28d292bcde84164d2022154d7df3ab78482aef08ecfa6afeae9b4327d3f576b0df93622ece4c6b52a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8b659fcf7b32e012b4f81e66b57f6ac

SHA1
cc1f81ae7c4576ab0b6d4a5d3415a8b8c645c61d

SHA256
ee81df12e76855af0eb937da3247e12b1d32195d03d14a8067f3ed9a3948c213

SHA512
0228df489e7eaf5a9eccad1ef4b6ed44effe81012c15b76b0b031d8a41fd0f77cac4718035e4b0370c0d19fd163b4596101f3ee0b4abd33fafe98cabee307898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccb53043f3801567a4e86df5b6a16d42

SHA1
437fef53a761ced1902848ccfa37a3843404b3ea

SHA256
9b901da90113db08d87f4ca41201b45656b046d1ac5d7f17a9430f824952d196

SHA512
6e33d4be1b3c6fd73bd630465e40a21131a20743239d8d963f2ed3e0ad2708757f0fada9b3546da42f69bba67552a7643d46b42b821a7b4398eef6ce195751a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
412ef64a68757d2394783856e7235bb3

SHA1
177999f6c1029ac2bd51651a2b797fc712253519

SHA256
40f79994198d29e8165a59e67fe7b713f8237256e9424c4505ed0c5c35a95100

SHA512
5ee86328ec6e76d9c569e6b059b6c38ba101e87edcb3554a5b87c4cfa65f5482aa6efc3aa27151a8fd112879d4d67a25e022d49fdf71253262da94837c52306f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7adf5bc69e76198ac47724dc3de73276

SHA1
65189ab0a2117b2c87a89721a78b694978d2192e

SHA256
9473fcb833d2d5b2106f46b5280322650ecafe3ed00cec37b8679e542240b368

SHA512
d0477acd12b1950c153a497f8bd17eaf047ab03e7048a12d30b730b679582e24954ffd9ad0b4297c665f1614c85ce38dae0e1f1481522983ca0dff6d15ff9709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9006eb6a09551816195eece551e94781

SHA1
43c666619accdb7f956998c978ef27d746b44523

SHA256
39c731596fa14e1cfa163f3cbc79f35c314792cafcb93eef46ca8fa500c45c50

SHA512
474f31025e1763aa8e0fc76aca3c8ff5c5d0d8ee383259cc98abcc3aca4afe0047ffca6163bc2446ff543a9fcb705039c51d9562088bfa5f37f122e1d39e0b20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e18bbb68838f1e89e19ab60fda3b68d5

SHA1
377b2061af6f3069d10dfcc1775d2898eeb3a7be

SHA256
2fe9ef00ee2d804f014808434086eee3be2b75356ce0a73ef04e486992407b6c

SHA512
d26e36e2bf125fc69eca4135f43acf99108a7782913207b372f571759df91bb8a03cd76335e8111e3b90c6316162cb98644e7b0c87a2f9872b06105ba97c975f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1d6e0c718b7c35a02da3b7081cd8449b

SHA1
f99a22b1c01d4074aecdb532e5a45537be1ef5e8

SHA256
efdf13949d1307128f1fad1c1b949074509bff9de990a85c48a5f9034b33178f

SHA512
b550342c839d7681984d460ee198453438637050b31902d52c1f0c7f76f7fd029bac815795ea09d3b1158d801eb11fb1a537b849bee0bd2e85b1c052224bec7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a4c1c1955be4462cacbe33ec39b4c03d

SHA1
4c852b597b0289ea13a112286307f86ac857b0ac

SHA256
66760bfb10055d2f634e41ab8d9ea9bc505754e107caf2feabe59f283b4180ad

SHA512
8f5033b4609ffa8f232f91175d890f30dd09c2a4766a96b1d6ba1fc69f6497ab63eeca8448bd3464b26bf507654e46966119dc654c292949fe8855de5ed9cb6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c5f7f255731643b789b7d87cfd0e151a

SHA1
0fc8fe9a2e18a45ded99322ddf775ad79e866ada

SHA256
d1daff25d0b3985e3502c1fa363e32d6a748ad2db671c45602ac7d4f2ef86a4e

SHA512
65a19b2751e721f14cdcf47541ae879033d2702a220d30cf2a7a16052fd642f587599df0f872237ae1b4a9229bc6952e15b47eff7b8cf0ae0393a3435297af7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588102.TMP

Filesize
538B

MD5
cec0e1d48a713271e38df940b03db667

SHA1
b5693f82a3bfdcaaf8d8c3a489185312ab1c1db2

SHA256
9faef43c26157c46b4065e3d65e61a1cf360693846168a4f687f6a8d223461cf

SHA512
1789f2d4712071488b1060dd2d73cbe3cafa5ecde4e93891b41f0554f85793937f912d80800496196bc43f287826f2aa9b647bd6ce9933fb829da1d5ce3eb8fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e55fddbaf5a1c34a76186463929ae760

SHA1
4efbd48bea6c466b0af234254830fdc3f635c841

SHA256
ebe57e76d520739bcee80d57e2252b1b072fabb847e2e53a7bfb0f65a3046cb8

SHA512
8dc1c78a82af9be533422e6883bb1c79c20b6acd1d1867b9fa54a14725d1d642ecd98483e8fd721216d841bc426f0fed42ea88128e3c77a233eefbc9a65e9f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f474bf12bf75c659db1b833e740ff1a5

SHA1
c6bee35df5f27f159e87bdbd668ff0df7d91ac56

SHA256
9bcf1c23fefba0d7afaf4cb83236d6149d150846d5e3c9d163e1dba40fa69841

SHA512
02983924ca6b7e24523c2a18d7d9ed4cfba6a54f3375fa703e8618cfc8a885c03a9491ba50f77d06914f2196498b7b2c0e7843d63535da60a7c324943540e62c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
28ef595a6cc9f47b8eccb22d4ed50d6c

SHA1
4335de707324b15eba79017938c3da2752d3eea5

SHA256
3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

SHA512
687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2984662ba3f86d7fcf26758b5b76754d

SHA1
bc2a43ffd898222ee84406313f3834f226928379

SHA256
f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

SHA512
a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwjvsk13.klz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Emerald X.zip

Filesize
2.9MB

MD5
6d5e6bb315019834ad58da276fb2b4ee

SHA1
c3dfebcf3caf961c745a070c58a78dd5c30bd368

SHA256
6b3fb6fce70e0a6cbe4dec6627f76ff70414048360f03c7d72099fbd059591ed

SHA512
6619981ecb97ec806c3a0c57cab618f17f214a0e96c26ff7f31f26362ba7facf0667e874269d51ee38e2705c0eaed4cbb0eacf8ea92aae150271f635f2ccf213

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/4460-160-0x00000171CA610000-0x00000171CA632000-memory.dmp

Filesize
136KB

Download
memory/5836-184-0x00000186C7AC0000-0x00000186C7B10000-memory.dmp

Filesize
320KB

Download
memory/5836-182-0x00000186C7B50000-0x00000186C7BC6000-memory.dmp

Filesize
472KB

Download
memory/5836-186-0x00000186C94B0000-0x00000186C94CE000-memory.dmp

Filesize
120KB

Download
memory/5836-225-0x00000186C9490000-0x00000186C94A2000-memory.dmp

Filesize
72KB

Download
memory/5836-154-0x00000186C75C0000-0x00000186C7600000-memory.dmp

Filesize
256KB

Download
memory/5836-224-0x00000186C7AA0000-0x00000186C7AAA000-memory.dmp

Filesize
40KB

Download