umbral | hxxps://www[.]mediafire[.]com/file/kulntv7zouhbjni/visatool[.]rar/file

Analysis

max time kernel
110s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/kulntv7zouhbjni/visatool.rar/file

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1277999854974406696/E5jlpnaIaqj10n4mF186OXvssQJ6CXTDRHNJhNMj8V-2ZrtkJ672_8Ob61NpRqQHxlG9

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c8e-208.dat	family_umbral
behavioral1/memory/808-210-0x000001A8A8DF0000-0x000001A8A8E30000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3028	powershell.exe
4832	powershell.exe
3680	powershell.exe
4416	powershell.exe
464	powershell.exe
4588	powershell.exe
3676	powershell.exe
1528	powershell.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	visatool.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	visatool.exe

Executes dropped EXE 2 IoCs

pid	Process
808	visatool.exe
3376	visatool.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
161	discord.com
162	discord.com
169	discord.com
170	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
110	ip-api.com
150	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1368	wmic.exe
4720	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1088	msedge.exe
1088	msedge.exe
3528	msedge.exe
3528	msedge.exe
4672	identity_helper.exe
4672	identity_helper.exe
1940	msedge.exe
1940	msedge.exe
808	visatool.exe
808	visatool.exe
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
4588	powershell.exe
4588	powershell.exe
4588	powershell.exe
3676	powershell.exe
3676	powershell.exe
3676	powershell.exe
3012	powershell.exe
3012	powershell.exe
3012	powershell.exe
1528	powershell.exe
1528	powershell.exe
1528	powershell.exe
3376	visatool.exe
3376	visatool.exe
4832	powershell.exe
4832	powershell.exe
4832	powershell.exe
3680	powershell.exe
3680	powershell.exe
3680	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
552	powershell.exe
552	powershell.exe
552	powershell.exe
464	powershell.exe
464	powershell.exe
464	powershell.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
724	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3412	7zG.exe
Token: 35	3412	7zG.exe
Token: SeSecurityPrivilege	3412	7zG.exe
Token: SeSecurityPrivilege	3412	7zG.exe
Token: SeDebugPrivilege	808	visatool.exe
Token: SeIncreaseQuotaPrivilege	1092	wmic.exe
Token: SeSecurityPrivilege	1092	wmic.exe
Token: SeTakeOwnershipPrivilege	1092	wmic.exe
Token: SeLoadDriverPrivilege	1092	wmic.exe
Token: SeSystemProfilePrivilege	1092	wmic.exe
Token: SeSystemtimePrivilege	1092	wmic.exe
Token: SeProfSingleProcessPrivilege	1092	wmic.exe
Token: SeIncBasePriorityPrivilege	1092	wmic.exe
Token: SeCreatePagefilePrivilege	1092	wmic.exe
Token: SeBackupPrivilege	1092	wmic.exe
Token: SeRestorePrivilege	1092	wmic.exe
Token: SeShutdownPrivilege	1092	wmic.exe
Token: SeDebugPrivilege	1092	wmic.exe
Token: SeSystemEnvironmentPrivilege	1092	wmic.exe
Token: SeRemoteShutdownPrivilege	1092	wmic.exe
Token: SeUndockPrivilege	1092	wmic.exe
Token: SeManageVolumePrivilege	1092	wmic.exe
Token: 33	1092	wmic.exe
Token: 34	1092	wmic.exe
Token: 35	1092	wmic.exe
Token: 36	1092	wmic.exe
Token: SeIncreaseQuotaPrivilege	1092	wmic.exe
Token: SeSecurityPrivilege	1092	wmic.exe
Token: SeTakeOwnershipPrivilege	1092	wmic.exe
Token: SeLoadDriverPrivilege	1092	wmic.exe
Token: SeSystemProfilePrivilege	1092	wmic.exe
Token: SeSystemtimePrivilege	1092	wmic.exe
Token: SeProfSingleProcessPrivilege	1092	wmic.exe
Token: SeIncBasePriorityPrivilege	1092	wmic.exe
Token: SeCreatePagefilePrivilege	1092	wmic.exe
Token: SeBackupPrivilege	1092	wmic.exe
Token: SeRestorePrivilege	1092	wmic.exe
Token: SeShutdownPrivilege	1092	wmic.exe
Token: SeDebugPrivilege	1092	wmic.exe
Token: SeSystemEnvironmentPrivilege	1092	wmic.exe
Token: SeRemoteShutdownPrivilege	1092	wmic.exe
Token: SeUndockPrivilege	1092	wmic.exe
Token: SeManageVolumePrivilege	1092	wmic.exe
Token: 33	1092	wmic.exe
Token: 34	1092	wmic.exe
Token: 35	1092	wmic.exe
Token: 36	1092	wmic.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeIncreaseQuotaPrivilege	1940	wmic.exe
Token: SeSecurityPrivilege	1940	wmic.exe
Token: SeTakeOwnershipPrivilege	1940	wmic.exe
Token: SeLoadDriverPrivilege	1940	wmic.exe
Token: SeSystemProfilePrivilege	1940	wmic.exe
Token: SeSystemtimePrivilege	1940	wmic.exe
Token: SeProfSingleProcessPrivilege	1940	wmic.exe
Token: SeIncBasePriorityPrivilege	1940	wmic.exe
Token: SeCreatePagefilePrivilege	1940	wmic.exe
Token: SeBackupPrivilege	1940	wmic.exe
Token: SeRestorePrivilege	1940	wmic.exe
Token: SeShutdownPrivilege	1940	wmic.exe
Token: SeDebugPrivilege	1940	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3412	7zG.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe
3728	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 3184	3528	msedge.exe	83
PID 3528 wrote to memory of 3184	3528	msedge.exe	83
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 3852	3528	msedge.exe	84
PID 3528 wrote to memory of 1088	3528	msedge.exe	85
PID 3528 wrote to memory of 1088	3528	msedge.exe	85
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86
PID 3528 wrote to memory of 1796	3528	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/kulntv7zouhbjni/visatool.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b7e846f8,0x7ff8b7e84708,0x7ff8b7e84718
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15789786227156049819,16995847116909304232,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:3260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3252

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1377:78:7zEvent20204
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3412

C:\Users\Admin\Downloads\visatool.exe
"C:\Users\Admin\Downloads\visatool.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\visatool.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2292
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1368

C:\Users\Admin\Downloads\visatool.exe
"C:\Users\Admin\Downloads\visatool.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3376
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\visatool.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:2404
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:4460
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4720

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\visatool.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
f3856393ccd6257c5ac57738f3b2796a

SHA1
54fab15b46aa434c902af64201bd4b562f467df9

SHA256
beefa7444c5c19fe5fba2f20cf618924edbc38ee1bce103e5c6b07daad6fb590

SHA512
b5c28e35b9b78ca248a2cc515adb908ca23da4c6aeb4fb6618e35b5bc5b06b2414ea8f48c28fce9e7bdf07c8bccb2dca5c28a1d082b1e0a775c79c0c0c3e72ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
bbd200aea8c58ca032b680a2ea3e2715

SHA1
28603c322fc1c972a943f354ca7f4d5809b91a5c

SHA256
dec0b41e3da9c1acef393ba46647e97d4d0d2075f4fb096eef5a7e0cc797c515

SHA512
6b9fe7c826f474df80684802cff056226697f243c8700552aeab075595d839ad99b0b2f0848e44ca726c5d0b9ae546bf9b2c31bc103a48bc7d11ff6eda754f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
589B

MD5
edeac496eda3aa74098d9f44dd6dca27

SHA1
228ed5c57a436540dcf8ad5a3dfe4d2988039d5b

SHA256
3dc5dfb3106ef50cec7f054e70636efca24111164ba2461ab1c24756867bceac

SHA512
3917036bb3bf2d20bbb152f8f9a13a2d35ff3e12947ee6cc8afdb08f61b9a365ab0cd51ab4adcbd22f2e774b54a3e150f2174679e2829172f0d3d95e3a9ff660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
880B

MD5
52df3ebe0f8e487a32d8493790d0a9dd

SHA1
857fdbc6c5ab44ad6f86f4a066c345e600a89a2e

SHA256
43b77aac5670becb123f6569ac65ac56c7d79fdafa46a7c040171456ed0a0933

SHA512
37b180be527a185e590546de0646565468641667a1f379f0007baf87eb15100280b428052eee8cd1eb5354205ecfd2fcc95c626ba5d0f326eeb1560e53fcf62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b60aff5cc9114bc91454958e839ba675

SHA1
9dfe77f192fef76ca980aa298c386c3a840419e6

SHA256
eb28b146d295a0d8822751c4d9814016a35092e00c0961f198bc4f4aeffcc5d1

SHA512
3404bcd25819fcbd53e035bbad06853bbf16fab86dd682112d9d097909708365345393cbb8b907ce9fb33a7a74d541ea2fd6f2cdb0faf08df87eb1fca03f3ec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
54f75aa88efbec1421ea739b40023027

SHA1
b4a5180a922d5150a5aca86f253f8192512ce1f9

SHA256
8c7c3e39f5e71664530985edbd0aad85395263f9f375127ac5c25b9656362ca5

SHA512
bf21102b2991fccdcc49f7a829438e7fd5dc8d33014323ff32f289ce7994c57451b0d5218969ed6fc4ac49a5b27b7fcde8fce7706cdde6b2c2da5e743c88bcb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
11e3f2f2167006b221171c9676cc4cc6

SHA1
04e54f87ec65733268bf4f9cf582cd4e91845d1b

SHA256
567eddef65a89caef6281ce9e3e65aa3f680596c3748435e7ab3a5560657b230

SHA512
fe18a74b3c7f73574e53647c35e7e7753449a72a0d4ff7ae72570a37051bbead7b3e8af093073841a45c0662971b8e94a68e1f7300af5ae3e6ac45894027d07b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b8bcb91a6006db5985bf776ac2c9394a

SHA1
f5f0a2d7e50a8bed2f0f9c27817285fba01a5f8f

SHA256
21f9b7e36a82d6d3f99f02ce6b1fb7dad6f7c1a51ab542d6236a23c28dd02866

SHA512
8dc22e82c2b4b3277c2f38837f9c9d105d10259e2f7223e2b37eb0909a598fe945833c312fdad57c4f9a1bb5bcc05288b277290dd0342114b48bcddef37c03be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2513753a81b7f179bb2262c4abfdfdb3

SHA1
4fc4146282749ec0f77116bdc43c3d9883ecb5f4

SHA256
aecd97f794abe7bf56daa5a6831247b4cd325a7cccacb7d32f97a65274fe2b67

SHA512
9b5da87aa2da3d8d9ee4a253c94287d9870bbcfb6a156a10944acd4e7a1cd240857f16a5813f46b45c15a5ee2b5eee1761a4ce3dae7f13bbe52e6a4c8ea0a026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
14054c963e13c84bd9a8eb513dc8318a

SHA1
5f16262957bb53b6c0ce46588bd8bed235646c6f

SHA256
7f3d5ae3e968398709fd9d3694976a2833e0186daab4c167b9c976dea085e4c6

SHA512
b1b457617a17a92df09aaf7b1abc0055ad928f7c1a8f81bfb6d483d454bcc302c4a23ba9ad2b35fa134bf3a9d34f7dea563b320a204b2bec6fb7d65a65820337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ff394ab6a4bacd468f44d4cf6a663a06

SHA1
576de9c79b43a992b698aec8d5776dc2e3b150f1

SHA256
801a6bc55a7b804212c0a99f7128f6d0b2c50d6384e4045b5a88cc3a9b354f0f

SHA512
d3e465a6162d3bc2c2ce04ba1deecda3c510542b7d6d122ab7ab7a8ec32d34479c5d3b34c15c77366642a9e24424e496943e46f70c5ae77287f1f8c4f485b28d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2984662ba3f86d7fcf26758b5b76754d

SHA1
bc2a43ffd898222ee84406313f3834f226928379

SHA256
f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

SHA512
a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a67eee085e8f68aaffbfdb51503d6561

SHA1
29db9b41945c6a5d27d5836a1c780668eded65a0

SHA256
6e155bcc98f4e175a8701f030b73b14d9002b175ef58a19cb9010af3964e36b4

SHA512
7923bc74260e77d62b20cf510b79e0422563469ec3543084a989db154b1e39370f1a6e6c6e73caa7471d0974a693b1beb4fd2ddfb14b0b5c58650b5df3c32d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ab1214368d16125b5f97e5014a91cfd8

SHA1
73ecf983976ebaa0c27c6bddc8d956b27c934197

SHA256
62030acdc8413f7658ed0e27c658ef635766c971862f777bea9dcb4a42c83955

SHA512
7e9d0aa20c3ee9674e09b4b6ac0f95955ba047f8714d8d26915feb2e242f011af1fa5168aa18292f183dab46647fccd182d2ca02029fe6ffd3213d167c6cb440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be9f02a93f2626e7c748c50b58400ba3

SHA1
e42dead1edeff817bcf95ca22e350617041df7fb

SHA256
c6695562dfabb6fbc87d9e2772a0aa89564256c33a72cecacf6438689767bac0

SHA512
58bc6a0e22a9977f232175e59181113e6617affafb7720a30d2106a3d01bea867d1f0cc94635e76d12fc55d033337a435b8f0bc0e31b378b20c551f71ea1e7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_il1kncmn.zp3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\visatool.exe

Filesize
229KB

MD5
8d12001c93eefec83bc3df9b79fd662e

SHA1
f2a218e2fe72e57f0c169e58af5a5bad232b155a

SHA256
17122c0a46007455035997b94a339b664d1b69cae5cf6a7b0544be7c2bed0326

SHA512
8878a410caa7a29a9bdd619f7566a10cd41fd97919bcefaa9641d6b3a91fad685cb375a8a0127d7296478f918372d680fe289f2bb84ef72ca3a3ec3eb7edd2ce

Download Submit
C:\Users\Admin\Downloads\visatool.rar

Filesize
79KB

MD5
63147c63cd815ffa062993c3301ad504

SHA1
99f039803323ffceb7c65ab1536febd2ed4ff79b

SHA256
6edc2ad2a5316bfc6271af61e8271e55d9b12d3a76027ace662c093a59c4ef22

SHA512
be5806b6506f0f720417cb312281716b3da3010c2f3a2cd2de0e3f3d9dbabdb31fbd7bc62d9cc93d72db6f97522ed0b8781b64854275d4da5e50f52f90a0a326

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/724-417-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/724-425-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/724-421-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/724-422-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/724-423-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/724-424-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/724-426-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/724-415-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/724-416-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/724-427-0x000001F210600000-0x000001F210601000-memory.dmp

Filesize
4KB

Download
memory/808-241-0x000001A8AAB90000-0x000001A8AABAE000-memory.dmp

Filesize
120KB

Download
memory/808-237-0x000001A8C35E0000-0x000001A8C3656000-memory.dmp

Filesize
472KB

Download
memory/808-239-0x000001A8AAC00000-0x000001A8AAC50000-memory.dmp

Filesize
320KB

Download
memory/808-210-0x000001A8A8DF0000-0x000001A8A8E30000-memory.dmp

Filesize
256KB

Download
memory/808-284-0x000001A8AABC0000-0x000001A8AABCA000-memory.dmp

Filesize
40KB

Download
memory/808-285-0x000001A8C3560000-0x000001A8C3572000-memory.dmp

Filesize
72KB

Download
memory/3028-220-0x0000024A41850000-0x0000024A41872000-memory.dmp

Filesize
136KB

Download