umbral | hxxps://gofile[.]io/d/3zoNFR

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/3zoNFR

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234c7-74.dat	family_umbral
behavioral1/memory/4488-109-0x0000012AB0050000-0x0000012AB0090000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4884	powershell.exe
2988	powershell.exe
4428	powershell.exe
2672	powershell.exe
3324	powershell.exe
112	powershell.exe
1372	powershell.exe
2116	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	skibidetoilet.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	skibidetoilet.exe

Executes dropped EXE 3 IoCs

pid	Process
4488	skibidetoilet.exe
2672	skibidetoilet.exe
3564	skibidetoilet.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
58	discord.com
59	discord.com
81	discord.com
82	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	ip-api.com
78	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5084	cmd.exe
2456	PING.EXE
4952	cmd.exe
3820	PING.EXE

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5052	wmic.exe
1532	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 875403.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\nx6rh.scr\:SmartScreen:$DATA	skibidetoilet.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 320353.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uv0CB.scr\:SmartScreen:$DATA	skibidetoilet.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2456	PING.EXE
3820	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4588	msedge.exe
4588	msedge.exe
3036	msedge.exe
3036	msedge.exe
4684	identity_helper.exe
4684	identity_helper.exe
1488	msedge.exe
1488	msedge.exe
4488	skibidetoilet.exe
4488	skibidetoilet.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
2988	powershell.exe
2988	powershell.exe
2988	powershell.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
4280	powershell.exe
4280	powershell.exe
4280	powershell.exe
2672	powershell.exe
2672	powershell.exe
2672	powershell.exe
1044	msedge.exe
1044	msedge.exe
3564	skibidetoilet.exe
3564	skibidetoilet.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe
112	powershell.exe
112	powershell.exe
112	powershell.exe
4160	powershell.exe
4160	powershell.exe
4160	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	skibidetoilet.exe
Token: SeIncreaseQuotaPrivilege	4480	wmic.exe
Token: SeSecurityPrivilege	4480	wmic.exe
Token: SeTakeOwnershipPrivilege	4480	wmic.exe
Token: SeLoadDriverPrivilege	4480	wmic.exe
Token: SeSystemProfilePrivilege	4480	wmic.exe
Token: SeSystemtimePrivilege	4480	wmic.exe
Token: SeProfSingleProcessPrivilege	4480	wmic.exe
Token: SeIncBasePriorityPrivilege	4480	wmic.exe
Token: SeCreatePagefilePrivilege	4480	wmic.exe
Token: SeBackupPrivilege	4480	wmic.exe
Token: SeRestorePrivilege	4480	wmic.exe
Token: SeShutdownPrivilege	4480	wmic.exe
Token: SeDebugPrivilege	4480	wmic.exe
Token: SeSystemEnvironmentPrivilege	4480	wmic.exe
Token: SeRemoteShutdownPrivilege	4480	wmic.exe
Token: SeUndockPrivilege	4480	wmic.exe
Token: SeManageVolumePrivilege	4480	wmic.exe
Token: 33	4480	wmic.exe
Token: 34	4480	wmic.exe
Token: 35	4480	wmic.exe
Token: 36	4480	wmic.exe
Token: SeIncreaseQuotaPrivilege	4480	wmic.exe
Token: SeSecurityPrivilege	4480	wmic.exe
Token: SeTakeOwnershipPrivilege	4480	wmic.exe
Token: SeLoadDriverPrivilege	4480	wmic.exe
Token: SeSystemProfilePrivilege	4480	wmic.exe
Token: SeSystemtimePrivilege	4480	wmic.exe
Token: SeProfSingleProcessPrivilege	4480	wmic.exe
Token: SeIncBasePriorityPrivilege	4480	wmic.exe
Token: SeCreatePagefilePrivilege	4480	wmic.exe
Token: SeBackupPrivilege	4480	wmic.exe
Token: SeRestorePrivilege	4480	wmic.exe
Token: SeShutdownPrivilege	4480	wmic.exe
Token: SeDebugPrivilege	4480	wmic.exe
Token: SeSystemEnvironmentPrivilege	4480	wmic.exe
Token: SeRemoteShutdownPrivilege	4480	wmic.exe
Token: SeUndockPrivilege	4480	wmic.exe
Token: SeManageVolumePrivilege	4480	wmic.exe
Token: 33	4480	wmic.exe
Token: 34	4480	wmic.exe
Token: 35	4480	wmic.exe
Token: 36	4480	wmic.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeIncreaseQuotaPrivilege	4252	wmic.exe
Token: SeSecurityPrivilege	4252	wmic.exe
Token: SeTakeOwnershipPrivilege	4252	wmic.exe
Token: SeLoadDriverPrivilege	4252	wmic.exe
Token: SeSystemProfilePrivilege	4252	wmic.exe
Token: SeSystemtimePrivilege	4252	wmic.exe
Token: SeProfSingleProcessPrivilege	4252	wmic.exe
Token: SeIncBasePriorityPrivilege	4252	wmic.exe
Token: SeCreatePagefilePrivilege	4252	wmic.exe
Token: SeBackupPrivilege	4252	wmic.exe
Token: SeRestorePrivilege	4252	wmic.exe
Token: SeShutdownPrivilege	4252	wmic.exe
Token: SeDebugPrivilege	4252	wmic.exe
Token: SeSystemEnvironmentPrivilege	4252	wmic.exe
Token: SeRemoteShutdownPrivilege	4252	wmic.exe
Token: SeUndockPrivilege	4252	wmic.exe
Token: SeManageVolumePrivilege	4252	wmic.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4416	3036	msedge.exe	82
PID 3036 wrote to memory of 4416	3036	msedge.exe	82
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 3492	3036	msedge.exe	83
PID 3036 wrote to memory of 4588	3036	msedge.exe	84
PID 3036 wrote to memory of 4588	3036	msedge.exe	84
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85
PID 3036 wrote to memory of 2196	3036	msedge.exe	85

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3652	attrib.exe
4408	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/3zoNFR
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff449b46f8,0x7fff449b4708,0x7fff449b4718
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Users\Admin\Downloads\skibidetoilet.exe
  "C:\Users\Admin\Downloads\skibidetoilet.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\skibidetoilet.exe"
    3⤵
    - Views/modifies file attributes
    PID:3652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\skibidetoilet.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4680
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2672
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5052
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\skibidetoilet.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5084
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2456
- C:\Users\Admin\Downloads\skibidetoilet.exe
  "C:\Users\Admin\Downloads\skibidetoilet.exe"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2601061302177948115,1856086968011396550,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5200 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:432

C:\Users\Admin\Downloads\skibidetoilet.exe
"C:\Users\Admin\Downloads\skibidetoilet.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3564
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4884
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\skibidetoilet.exe"
  2⤵
  - Views/modifies file attributes
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\skibidetoilet.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4160
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:692
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2856
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1532
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\skibidetoilet.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4952
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\skibidetoilet.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
7c9e11c495ec951bbbd226a99da98188

SHA1
7d4be6369c84e96e0de386ebd9e758bcbeb21028

SHA256
a101ef1a176efbbbffb68d30b63945459912f933ac69c4d0e657481b8cd206e5

SHA512
389dcd75d6b76ad986c844e075462bfba2d5faf02fee4f488fb37dd8fe3706ae5920aa2542a388fbbbe92afb7a1434373c135e914d3f099e6502501dd9daa950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
73748a1d50f1a2e3cf19e9d6121d87fc

SHA1
714acf786e4a80997d12e96bf952c6c0edf16f0e

SHA256
6bf502f5beafdf535bc4c86876afc823868fe02c3230e6e484082f9cee4c05fe

SHA512
68acd6c9d846a6d419f947b830e604eb2f4616c94f8ea79199b48412a9cb37f3f6120ce9168d9ec9c2f230da35f1b0bb69916af4e431b6ac39404c9d677a711c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
462B

MD5
456b47550a95918a7b9db68751defee5

SHA1
fd7ff6df2a1f412d97ff711548e7d4aa7d949695

SHA256
e26fab931b0848ca2bd025cfe6a67f6ba65be384b970e65ebd3efb001fe4843f

SHA512
b04165f30935f289e203a1beaa9fa7007ef21926d87de06c66da0c2c5bb67e427876d554d5cda8c9fd5c2f8e6c6dcbdedac4b396e496d9e824b02a8cd0cd0e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
d3dec18bb94719971f2fca51c7457284

SHA1
fbe56fd514e178ecccb27b047e9c4a28f85969c4

SHA256
49bf2e0fd563e5a70eef9e3826e4e676d36763b75a56a667b99d061d8e40c433

SHA512
a5dbb443eb2e99435f0b302177eaee58b207806279d7c3e299371d401277bb0ae008902eb70075664976212571430c26febc7e47d71a47bd3a75829be5f9baa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fae48ec0a69979285f57509c83a05ad7

SHA1
2d0edc0b5354a808339d1f1986663789cfeed588

SHA256
f36bbf615f039f1e17324ab13cbfaf9f21756c33b3fddec7aceac42e0bd5cf63

SHA512
74a7e4b31806e44879637535cf27689c8c7995cd8a44f9820e95e4342772d5dec1b33e361e14735f03b6b47734600d4cc9ea0cf07c4eb9c31d25a275a96a2493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8100613c03a299b52f64d5553eb4f5a

SHA1
6ad604ed4cc8de59e15cea861c04ca76132f93f4

SHA256
7eba9ca2567988e15d237948e0f2b91e4cc2c6f82c32da0d4e716c31b556a4cc

SHA512
0e2433d7d22950b1f8cad6111a321fdfc09573ee1548783e725ad1fef86b3bf80c3440e8d77d32b152cad85d582c373650f13e8af00825ef1829931d08fd0007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3bd8b76b393f047fc079d92e72b7278c

SHA1
924574311622856c3584de4c1223b036683a1bf2

SHA256
28f9398069caccba54471619123a2e0bcc687c1f0aa87b6d1d398d0aff5a479d

SHA512
39a01e2ab1efd1713642ee3751b948217fdd059ff10eb7b694c280687c772db24954974468fb48f021e63d15dbd7c1b6534afa77f79db09a12c8a106406ea94c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93de0315a2bfe1767eaa7815b16b5a9c

SHA1
74480ff57300bed02eb5152304d2ca140e4416c2

SHA256
cdab79762f7fa41393630b1b2f6112ebf57a46beaad64698de2c6367befec9ed

SHA512
d2a91734c99811ba27c05e0d2cb09ea1ebdfbb83da0ee1d8fb78f665a1059b284c77d00c4d67515987a8be3e862f9e6666d740eee5648245b96f16c9bb541ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0150abe604268f661b689421b2127a31

SHA1
d68249ec151ca88906e56ad794b6cc67673a7d23

SHA256
60517a9729fda68cec98d6afa20d27b56e0fd3dc9fe6d8bc253d9975012c53c6

SHA512
64c05c65dd8e186df12876543f2faf02da3edfd884f3517441530e3dc2a9cd61cc082e4c39ff1726c0d5464b8f7dd9189af808fe94fe0edad0d7440bdfb9704c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f303fe8e5b9e47a08afa76ac726269f4

SHA1
a473a2899b713b9f88fdea9703119092bde399d4

SHA256
d117fe8d7a4237444310f466e24dccdef4446be407008ad2f960f51f6cfb95c0

SHA512
1df4b95ceed78b48ab8e51a896a6caaf6624a41b630a1057ff1e5b79611c47811a93b29bbd61aca605fba54e06575838998c6e3553de99d4eb567e1435b3a6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
152fe0ee76f1b88f24ef4ec48824286b

SHA1
166ebbecc53839ef4f09d4f92be8bbe781623c38

SHA256
a23a04620055f202180b9c4d44ddc03d6b82c95633267cdb4b9c159e4ed92a25

SHA512
0597c0f5c1ab600618fba968cbb70e5bd800390f8399ae14c1418d604ab96c87051817f23cea1d54245e3088c97e01f747bcfe56aa01463e105ecf06b9776ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
04dba2e0763acb9b83dcb94ca0f4c2bd

SHA1
626394aea6be984d4817a88a591fea246bf4a362

SHA256
6590267fae391a722c4b8c759c88d9e694daac163148aad7e69faebe045b75e5

SHA512
1f0dff8f0a7d51ba949d994a6194eeb6d376da60769c0ea99d13c39242327a6bb5d4241b890ff0d29b17e39243b4ba1d9aa00ca952c54bbf13ea2abd95d1eb12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d96e23bacb48e5284f7595e502fded57

SHA1
dcc6ba604ffe9bd5c6bd18c86a3f9e03b16b3ee0

SHA256
557eb0d60316744c343642db81fd42e7fd37060ef563c5e8e664bfded3d6c7f9

SHA512
d272f3d9a5fcc590579c2806e2c73763eca30aa6f2e95b0d9d3596777664ac2ed93bdc0150e150632fe2170638c469cb6fe02c4849b077c34ec3773e7b6e5d48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4362ea82625036717c2160e675663b22

SHA1
bdd23e13656a2b9701382aaf04e694821be3d903

SHA256
7fea91462d02669498f08fd11f7a151302b8c92974216520dfb7f611ccb0c46f

SHA512
81dd5386345afa41ac7c04d5fa172c0594c6bde4f1078d00b33dbe4723dfa0c8ba3b2703fd6b5d7e349f672be528d7998c3989ee145b9b3fa55ada22341731d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
28ef595a6cc9f47b8eccb22d4ed50d6c

SHA1
4335de707324b15eba79017938c3da2752d3eea5

SHA256
3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

SHA512
687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2984662ba3f86d7fcf26758b5b76754d

SHA1
bc2a43ffd898222ee84406313f3834f226928379

SHA256
f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

SHA512
a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtg5ug3g.zuu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 875403.crdownload

Filesize
229KB

MD5
fdad6665bbeed2f5fafd2bb3b7091b31

SHA1
416ef6c4dff7d64ac65231151cfa522a2359ca8c

SHA256
f804cbb4b5351b9fb132289412e289044a5b2b518c1c5084da228134f0fb8217

SHA512
bf2ebdff30ecec211a6a4dd7125ea345a2be480630dfbd84ca8d4b483f9fe9cee0d50b5daa0ad640d98209db31064f410298735e558f0db828b52d056b069b7a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1372-122-0x000002AB7F100000-0x000002AB7F24E000-memory.dmp

Filesize
1.3MB

Download
memory/1372-119-0x000002AB7F0D0000-0x000002AB7F0F2000-memory.dmp

Filesize
136KB

Download
memory/2672-199-0x000002E5A5F30000-0x000002E5A607E000-memory.dmp

Filesize
1.3MB

Download
memory/2988-135-0x0000021576D00000-0x0000021576E4E000-memory.dmp

Filesize
1.3MB

Download
memory/4280-180-0x0000022E79B50000-0x0000022E79C9E000-memory.dmp

Filesize
1.3MB

Download
memory/4428-168-0x0000024CDA780000-0x0000024CDA8CE000-memory.dmp

Filesize
1.3MB

Download
memory/4488-109-0x0000012AB0050000-0x0000012AB0090000-memory.dmp

Filesize
256KB

Download
memory/4488-182-0x0000012AB0560000-0x0000012AB056A000-memory.dmp

Filesize
40KB

Download
memory/4488-141-0x0000012ACA810000-0x0000012ACA860000-memory.dmp

Filesize
320KB

Download
memory/4488-140-0x0000012AB1E60000-0x0000012AB1ED6000-memory.dmp

Filesize
472KB

Download
memory/4488-144-0x0000012AB0530000-0x0000012AB054E000-memory.dmp

Filesize
120KB

Download
memory/4488-183-0x0000012ACA860000-0x0000012ACA872000-memory.dmp

Filesize
72KB

Download