umbral | hxxps://file[.]io/LNdcSeZ6fDkO

Analysis

max time kernel
1792s
max time network
1777s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/LNdcSeZ6fDkO

Score

10^/10

umbral defense_evasion discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab7b-195.dat	family_umbral
behavioral1/memory/4196-370-0x000001E2901A0000-0x000001E2901E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3920	powershell.exe
3356	powershell.exe
1496	powershell.exe
1368	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	mercurystealer.exe

Executes dropped EXE 1 IoCs

pid	Process
4196	mercurystealer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	discord.com
105	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\mercurystealer.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4544	cmd.exe
3688	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4968	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2499603254-3415597248-1508446358-1000\{DCA74C6B-0524-4CE0-98CF-9DC2DEB23861}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\oRnir.scr\:Zone.Identifier:$DATA	mercurystealer.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 483832.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\mercurystealer.exe:Zone.Identifier	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\oRnir.scr\:SmartScreen:$DATA	mercurystealer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3688	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2172	msedge.exe
2172	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
3128	identity_helper.exe
3128	identity_helper.exe
2092	msedge.exe
2092	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
5024	msedge.exe
5024	msedge.exe
4196	mercurystealer.exe
1368	powershell.exe
1368	powershell.exe
3920	powershell.exe
3920	powershell.exe
3356	powershell.exe
3356	powershell.exe
1416	powershell.exe
1416	powershell.exe
1496	powershell.exe
1496	powershell.exe
2528	msedge.exe
5040	msedge.exe
5040	msedge.exe
732	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2236	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	mercurystealer.exe
Token: SeIncreaseQuotaPrivilege	1420	wmic.exe
Token: SeSecurityPrivilege	1420	wmic.exe
Token: SeTakeOwnershipPrivilege	1420	wmic.exe
Token: SeLoadDriverPrivilege	1420	wmic.exe
Token: SeSystemProfilePrivilege	1420	wmic.exe
Token: SeSystemtimePrivilege	1420	wmic.exe
Token: SeProfSingleProcessPrivilege	1420	wmic.exe
Token: SeIncBasePriorityPrivilege	1420	wmic.exe
Token: SeCreatePagefilePrivilege	1420	wmic.exe
Token: SeBackupPrivilege	1420	wmic.exe
Token: SeRestorePrivilege	1420	wmic.exe
Token: SeShutdownPrivilege	1420	wmic.exe
Token: SeDebugPrivilege	1420	wmic.exe
Token: SeSystemEnvironmentPrivilege	1420	wmic.exe
Token: SeRemoteShutdownPrivilege	1420	wmic.exe
Token: SeUndockPrivilege	1420	wmic.exe
Token: SeManageVolumePrivilege	1420	wmic.exe
Token: 33	1420	wmic.exe
Token: 34	1420	wmic.exe
Token: 35	1420	wmic.exe
Token: 36	1420	wmic.exe
Token: SeIncreaseQuotaPrivilege	1420	wmic.exe
Token: SeSecurityPrivilege	1420	wmic.exe
Token: SeTakeOwnershipPrivilege	1420	wmic.exe
Token: SeLoadDriverPrivilege	1420	wmic.exe
Token: SeSystemProfilePrivilege	1420	wmic.exe
Token: SeSystemtimePrivilege	1420	wmic.exe
Token: SeProfSingleProcessPrivilege	1420	wmic.exe
Token: SeIncBasePriorityPrivilege	1420	wmic.exe
Token: SeCreatePagefilePrivilege	1420	wmic.exe
Token: SeBackupPrivilege	1420	wmic.exe
Token: SeRestorePrivilege	1420	wmic.exe
Token: SeShutdownPrivilege	1420	wmic.exe
Token: SeDebugPrivilege	1420	wmic.exe
Token: SeSystemEnvironmentPrivilege	1420	wmic.exe
Token: SeRemoteShutdownPrivilege	1420	wmic.exe
Token: SeUndockPrivilege	1420	wmic.exe
Token: SeManageVolumePrivilege	1420	wmic.exe
Token: 33	1420	wmic.exe
Token: 34	1420	wmic.exe
Token: 35	1420	wmic.exe
Token: 36	1420	wmic.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeIncreaseQuotaPrivilege	2740	wmic.exe
Token: SeSecurityPrivilege	2740	wmic.exe
Token: SeTakeOwnershipPrivilege	2740	wmic.exe
Token: SeLoadDriverPrivilege	2740	wmic.exe
Token: SeSystemProfilePrivilege	2740	wmic.exe
Token: SeSystemtimePrivilege	2740	wmic.exe
Token: SeProfSingleProcessPrivilege	2740	wmic.exe
Token: SeIncBasePriorityPrivilege	2740	wmic.exe
Token: SeCreatePagefilePrivilege	2740	wmic.exe
Token: SeBackupPrivilege	2740	wmic.exe
Token: SeRestorePrivilege	2740	wmic.exe
Token: SeShutdownPrivilege	2740	wmic.exe
Token: SeDebugPrivilege	2740	wmic.exe
Token: SeSystemEnvironmentPrivilege	2740	wmic.exe
Token: SeRemoteShutdownPrivilege	2740	wmic.exe
Token: SeUndockPrivilege	2740	wmic.exe
Token: SeManageVolumePrivilege	2740	wmic.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4916	MiniSearchHost.exe
2236	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1404	1860	msedge.exe	77
PID 1860 wrote to memory of 1404	1860	msedge.exe	77
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 3368	1860	msedge.exe	78
PID 1860 wrote to memory of 2172	1860	msedge.exe	79
PID 1860 wrote to memory of 2172	1860	msedge.exe	79
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80
PID 1860 wrote to memory of 4220	1860	msedge.exe	80

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2760	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.io/LNdcSeZ6fDkO
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb03c3cb8,0x7ffdb03c3cc8,0x7ffdb03c3cd8
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2980 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Users\Admin\Downloads\mercurystealer.exe
  "C:\Users\Admin\Downloads\mercurystealer.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\mercurystealer.exe"
    3⤵
    - Views/modifies file attributes
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\mercurystealer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2900
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1496
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4968
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\mercurystealer.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4544
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1208 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6852 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6868 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2502069364368475055,8858281691967963297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5d998c258c234c177983af57906d07b7

SHA1
809b4cf1b2acc2a8329df8e9122c1764394b1385

SHA256
e1f134d8e817738eac7555b24b65092133c1e23115d565169f9813dda5765e07

SHA512
a34aaa95e4c3fdba0ab46c166cc7af8f96e2ad31f2a37336dabe8146465a31783f9f731fab2df6824573d540784390b06ad37947249ebd0717fbd6bc3c0b987a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
984696d1bf8a3b41b9293a9bc35e17d4

SHA1
a5003d557cbd7b699f654670c4163fc99fa4a18e

SHA256
22acdeb0111fb7d6fb79c5c1b5b411ccf37133ecffabb50db185dcba2c176f2a

SHA512
c602b26e6f4388617cdb88f784f18c3810a0e56118b7fceb36401de3610ffeaecbc5c4a882c1925b02e6dd900c74f3a7b55d18f6a459c738afe16e3e840a15c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
d98edb08baaf1f7a713709d37c4b8579

SHA1
dbd20f30218a6e61096f85b0634350db0319ed20

SHA256
1fef9e4a8cd4dd5524ffa53787d3a5653fe80b8c97f292dd0e6b2bf04b316143

SHA512
6ac25256e9663f659f9a881250e1caf0572a52e964bc02e1ec40e2681d9e1b633e66bc5d1d150794061e5290757ebf6048147d1c7b7f0d837c1f39591a553317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3e586a8b3a65b3f9842101f1097247ad

SHA1
c00e2747485c2f6665dc20fd1bbb329b9a807f77

SHA256
de16eefb4bfbd9e28998d3c74b0a34b244f137a407cf4ce0685db8bfd611c030

SHA512
d0fe62c887fb17842252ede5b94ae0240b5f39bce82e7226f35d1d960bb05426acc17afc85eb3aa8a49468066e912ce5c930a531d7449e300420395e8dc8f2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
02e01a016bdc644913959dcb068b3df4

SHA1
911e8743a1253e7e319879d55cd61591e0583402

SHA256
73f28ba48f9be676afafecde04a15b2bd957abcd73cb3383e30bb87c21470137

SHA512
95da63b8f8a3e92a2abb91fa3a7962cbaab4a4213b5f602892caff8ee42f8495c38784e808fded84ab9f318750fa55bef5636d36f7bb4da3222fb4654f28c809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
36294eb3ed4cf5fd1a08ffc2ed305c68

SHA1
da135c531492bb2d531944d2e6f54f0c47860bbe

SHA256
f31b8419ec7edc85fc24de2e2dd70548ea7c9572c67ffa619c84f1b59e4e7be1

SHA512
0ad4ca5d119cc068181249e3ece05ba32f762050852ce788657f25cb771769967e16390b9e76f202daba2ffa1f18a55b925ecfbaf0603f430d04723ed985ea11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
d0083c77a57e2b3dfbb48f8045473506

SHA1
83e07da970769b5c5aa7c8483d8b0487ebc2c8d1

SHA256
d5e51d8bf4305954a31deee14a797bc680d674b92d0dc13d226806cdf0a41111

SHA512
8c52c6e0c192aae10235620644fdefb4d6e42b3286b48cb38dfa11a358fe8b2cd8e71102a6f34002edb76e885dedc57f6438e595c0f9f5745834f1a9298f37b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
3KB

MD5
0d39d76182e309ce1da0474d4962d1f5

SHA1
74587aa93dd7de604f3c793ca3c23f81fa564b12

SHA256
f7b01eb8fe86d44875e0971ef7531c7b01ab095199ae02a517c5632f6e8f1bee

SHA512
6e61360a94013f493125445e0aef9715d1bf8c4c2edc310906eaf72b515fa3d9ae762e02642a16e98ca0b4a0efdeef3c46ad5fe0b57d8f078b8f66c3a16ec749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
56bf04589d39496f45385bace0c89eca

SHA1
e2fc4448ed24ffcab2f31c694ac550b0bbf08975

SHA256
c26baed1496b43d4eb96a7245d0408014c24adf11c1adf96876e04287d5a514d

SHA512
df3d52ed694c9cf18792480724a9d8ce126ac896035c2b671d4fc85a33ca27247d1ff7aab5c668f741c4cd53b189da910cb96376faa524c3fc5bb1cdb9edf987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a8d2956a6992d976c05435b04adcb1ba

SHA1
c54cd3802e6681503b5295665eacfe98d6419a2c

SHA256
3aa4c979a8c89b47f82f2cbf82a0c5620b3175240a4d2b4814159de05944c9be

SHA512
c511198ede78569db8b861bfc2e73422614b8dbab5b5654dda090a390ce38a5b49c9d3babeb8cecadf7609447b9fce5eef379850f1b0fec3b3db3e72b0cfa832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a8110b5b44b3888b38e644c4ee42400a

SHA1
2f6a435ff73fac92e0a54b843f72dfb25742ebd5

SHA256
4d0f4ce4ba5d64d37953060c6d376a8fe839123bcc04d1258a3cf6ef33355549

SHA512
b2b798c2ffe915563243dcd9e361ff772c8a997ec8d6736a67b667975203458a81668a816d5b4e6148fe5a8259cb863486d14a670946732f7b05700835ea5ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7b5a9988814d1b347271a45e3c191549

SHA1
d47c540f052756f4af8557e7a93d32e3167f08bc

SHA256
9627855d7f7a34f57cb18190c1b455459362934e09c533915adc705f6aab247c

SHA512
6bd9f63f3e9439e9a42f3ecae122202b1f0fd56056eecc4e5f4877433e6250a6deef4c437be08d018f4a906d92c9ce5adae217b7a0520da85c333e76cd6376f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d1d1b53e79c9d863c9652f95b23025f1

SHA1
c5a8a28253b8d8a3680ecfa49b57c10a03b13a1a

SHA256
965e2263dcdcfa85226d6d44758075a5aa21841b1bd883a987e0ae189c54fdd6

SHA512
bac9e13a291fef44fb317adc9114a7343e187cd8c9779d821c9a3db86244ba931cdf06effd57d7c1f9a4cc4d645772bf5fc2e08efa3341293ba5b800514d4367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b372272df9bec4fb65c2a30c2b075a10

SHA1
bb20ad5a963c109855354a73dabebff277ab6ead

SHA256
b07d1c7abf120bd70e743cc7e062693dc23067cdab5696641ab6fd211b610581

SHA512
83810d863614c781688371320fd67e9ed58240ea39835b8690e0899bee7c3a885eb6bc10eb38a501abb3ab27c01c711312cc5bb0049196e1cccec0845cde360b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
44e7ed3e889540e756522294ec6a76f6

SHA1
c55bb8cb36672f315ecbcdca64023e188421c462

SHA256
d8f12bf754ca1f0018f75c00d20dd96be26e41a24b9d8620f8b15031f2508695

SHA512
afacada457c2fd0519fa49a6159be05a74e27370d3f1026e529af9ff1d470315fab1e7e0dc0180368c1c5283196a83c37fc211e1082fd03aa00183605b54603d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7d2245179fec8de74975adbd5b909a71

SHA1
51a4038162f006ec8e29c913d2aa83053082b494

SHA256
f35851cd98d92252d757d70ba9721fe51c1a9ff11c3fb39bef425780d588b1e5

SHA512
908e9861e91e2617d71045d2b0f0ac1a9c1a935ca5984eaba20142fd59bc8adf893435bdda7dd38329330ee4f672e2ba34a342749addf6f5988b1b82afbf4152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9299024f138acf854c39818e065fa329

SHA1
40a1cb0bef8ab0f8949a58e28ea2ccfd6b6d34b9

SHA256
54004e857fd8d25ad7777b4c78881813ce05678993c7eecc1fd759e8aa5e3030

SHA512
d2dd62fff861a5b19e871627d4abaa2c0be1297e90ce3a31290e3882aa43aa86fc71d4798f347eeb1a2ef892e225221433caf45ade1c38a933949d9884abc752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f68e3089567e4928cb9e21f12da1d549

SHA1
aa7d96a4153a136a9e819c9911117eef1b4ed888

SHA256
8a3310464274ce50cffdd7f1faeea66380a4d7c6599452637db2ee929415230f

SHA512
c0f642fc4acdc02b0939333f34163f10a01dbb6ec5d5640fc0581b9f9d2f3e6a5762e7e16a14115b0d3fc06a4a680b44609e16a1a8065add166ea8fac5c3e7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
84e6e3f5b85cc5f299dd913fc8125350

SHA1
f73dd7742c7a75e99c2447b9d00a3e00a2ff183a

SHA256
241942fa4cae6543ff426fb74dd0443b62408bbec9fa7840784ecd1879a4a5af

SHA512
c1fdac39d2e6b9e10f741b3e6b59c360b844ba7b0b051adf01e2da7f5caddb0d6bcbbcbea9a19f08f732f8d3ff5a5a7dc91ee8788266b190304f1c32bd913b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9a1affdf1496bb86615dabaed47ba035

SHA1
fbee17c8e4794836e8a76c4294c58479c25ec968

SHA256
b8b58acd71a203a8e724fe907f384b4021547458416a24f0778bf13f6b839c21

SHA512
4f7e4453be7900e8389a423b87a182a954a06cac207368b353630e09b797a0a4b96d017f039082d8469a433a24ec8a8fabfabb787a61a9813916199ec760a535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
eb176853e089303de24092ca30c0561c

SHA1
66a64dbf618813190d533cc3001a2a04d1af0de7

SHA256
ed31fca2781ae3d83013dd5d6938eed78b3c7f507238ac6119c81d8fe8c82ee7

SHA512
ab5ebf62a622bc88f3915ec7d057c7fdb27664a0610f7306b0ae932013f7a5587f1d475ebb96c35b9e06ddf4a527d95606ac3fe832c5e2b32c02fc72bb3fff23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
bf10a35f4684404dfd4f198add1f4fc2

SHA1
fc00acc0f6d9e731b19ec9a2428f852f2177b485

SHA256
887421403dfeca7376b2bfc6e99f5a42fb4c8cabb4f6fa4a6a994bc873843f94

SHA512
8e0d42a49af6ecb5521b52697ec22376311505870a6fbb86c5c020509dafc3435713cd56a291167fb9e5a3bb0870d328a2e226891f80458b428ef4505c2ad57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a518d9ea0dcfac87dedf1aabe1cfc938

SHA1
80e0eadfa2ecc2d3bd5c8479c068e60781643699

SHA256
7073fa1027d3425341e4d3abf3dc1820d1ef52953975f41d394ba8e47eba2608

SHA512
b8fbd2d08ddeed553d05f74dd43bb12ac6a348e343b05e9c2b84b8740b351c90955335ab8c2abc5117efbe7013e93b97ff118b4b11b8f6ca6e15dbc1a942ad41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
590cc673cebfd47b8cd4be00efd18246

SHA1
58a7e7d336e5e8243200a385c9e8d5090a0560fc

SHA256
f94b2db5e904e8853c19874aae71ecc520514133e8dcf6d8cef777cc4ed93e7d

SHA512
80bd6a7aa9b02593efdf22702c4710f218904da24b7dee9d83f33eddc2dc67ccd05261e96092e17e141d00abd5c45bd5dec95ae9f5f1198434e7fa987cda8c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7114303fc6191b71134708da96eae96f

SHA1
47da38f953dd237891559c889a5e36b057f27b4e

SHA256
84073f3d82bd66f4929ce6520972cbefec48a8258de447168d8160c9600f2b66

SHA512
fe7a42b3c8caaa8e06e76ae8437d42d7f8caeec105ce6657a271553e437a70f8bfb7f9a779a200c3a86675feadb148185a99b7e3d9db40969ca1eb44905ccdbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
104b5af4116c9d6bbf25fcb8c3c658e0

SHA1
2999159bb9122b93da3997bc90a81a1445958af2

SHA256
c1aca93d5765ec32192f09fa2383d7040e2a7edacc59361de07ad82324029d66

SHA512
02285c2d582173bfe673c14a3c37fb7e829990de5da79d1b8e3e51d95430e8b9fa724ece17678e02510b3bcf23b225ce99fe27eda664822c3bf5a6be0310c659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
21b554fa85224f78d5eba4a3b516b745

SHA1
3159d1513f81d7af353779e69300647ac12456be

SHA256
e8b5dfcd20060a9d6787b8421f0285201133edf3d5f9db4ac36d5f5774c235b8

SHA512
3cc013dba8daf3eec6f5b37f062284ba83860c1d80ec63c452af1d0503cad2f5ab16e12e3bf9217b8fcbf7453e1558d7fe8ebbc7051000b26d00c2836c60dc69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
55f9aa8dd671a609bf35fd9a6195563b

SHA1
cf32f0374bb656616d38084f5f5741ae44f2c419

SHA256
47c6364e399380a5c534e8892138791cabced1940bc3da60f90337eb9c2a2256

SHA512
40291417c8f4d136aa2a65f16fbc76d49ace53fda80423bb3f7d8462a02c0b793abfedeb0d0573f3de097a13980a6ae0326d4b8e423db9a5d5b8c315cf8397f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f4fe4fd516259d69261fc946c573402b

SHA1
66cc99194c9dbef13fb8703137c64509708ee17f

SHA256
9d74541b89f830b7bdb6442a069e4aea50528205f3a8966085288362b5ea7599

SHA512
e2db6ffbe5c163d226ddc152b9bdad6dc87e6e55923d0fc5a4b874d7408195acbd40d7bb6d752253403bc25567cae798018adc5aeb68266237a684ec03d82bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57db8b.TMP

Filesize
1KB

MD5
9ab3a3af8ffe8550fefcaca2949f6815

SHA1
f74de7ec6fe84104108ca015b1de9e6f0e2f2917

SHA256
cf34b1655e200fe5fd471f90abe31656620ef6db1dce7b5a6c67e7cf9efc6400

SHA512
b0fb38bd528249bc1e018e0ba9be038e5bea21502a9c1cdf3aa4e579de9fdf0ccd88fdfb19722967af69526f1aee405370cbca5de0834df167a985d91a9ffe97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f598ce94a5808e1ddf69875a09c19937

SHA1
f02c85f11a952e6607dd2da49592ff28b00fd4ca

SHA256
aca1f708bf9c39751d8d0d7e445945be1f7b8f3f52ec728c123e271db1963608

SHA512
5aac0314824a710e23b310c48f5728ffdb322ce543f2ea43eb258439c297efc5b902028dc5d94d8b446ee1a20137f89d2357e1e0590d0171071972fc61cd5d0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e732bebb66335f0184ac9edacd10149b

SHA1
f7f2dc487f9bb7579c2b667182e9f51ad7aaddc1

SHA256
ef5e8240c150d507112b6258c38af8d1e783e99b12cc4cce90b79c313a427a7f

SHA512
8d2d31606d01b70dcc8b0b2685850cf7b5e2b6af001a81a0492ce887b4843b6cab68ef4fec4e2b59aca31c69469c94fae455dbd3a239202eea50a0ab25225cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ca7926b05dd249638781cccbb8c249ac

SHA1
6ff88c44211a04f963cfbb4bb3ceda64b7fc4516

SHA256
170d1ea9373f1b0ab21ce07307721085cce8904d92edf7ccfa911e2dc2e636c8

SHA512
d87d80d12c4f0408a24c28fff91da2b53532e664d00a357ccb4c04bf93b43a6c2dbc03b11c166ace644b2a126921a5a34a6882cc06be6c192598f845de5a5d0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b66bbfcb78c71e5e4e80775ef6c18ab2

SHA1
83f1caee494947c3cf5139ba82965eaef0ce02e6

SHA256
6e6257f438afac695ce1edd296b507268473a312b3b802a0ff4e4781f3490e8c

SHA512
964d2d771953ecfce453607f2c385d72462e818cfa74dfc7040cfc0b62b4c6cb48fb0560564e17e5a63338feb72232be159da32dbf320e6254e85898760ad409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8d586f63dcdea8b34f962620655619ad

SHA1
9ec0624636211b57a3215306bf5d323f9389fd56

SHA256
df178d3a183c8c6b01861378f8b939c06f713db6eecd8582f1b5ff2bba7bc532

SHA512
1a2fe7376d5c90c41c2e5377e4fba9967f2271fff5ed94a667273303162d8992a63b3212ee2bbb17923c55fc695cad712ecd7d1ccfef6c102aa25577cfde78b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
84b1f8e42493a0dffa8ef40496820857

SHA1
65bcad4da4ca7f941322b94af194bea3cb604b33

SHA256
a72ed5b2ae2d7901ce0998cb23b71f7bfefb94a7ee1e1c1c2b6e31d9767b8b03

SHA512
d9a87ce9458775507b00ff5112569e3c976cf4dfcfb34bf55632b0a85937374bab9d45e8bb6303c57bc1cee6b8ac859a7570eec6081517d5bfea9588cba00dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3b349629c49624d60b9b4a371528b3fe

SHA1
a5a82ec10f32d61341d4e3e9b9e41b574a69b7e3

SHA256
6902d35c1ee531f639379594582941199cd44656a1899abe9216fb642517028d

SHA512
1f6a27335cb93c297df7f8da7cc4a9acdab82ed459d7e52f1e12af3786dd5db90dc67134ac0ebbe092a6124fb78ef30b5ad2ae9628e5da7f70cacd837cc49082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
181c027ba374478f4aed2bbb7ce34ec3

SHA1
f806c69c5fe9b081b6764d56eebe321d842c4285

SHA256
7048a91473e0060b714ae9b82573c4db09e5b72679770e7c5be4d3eeefaa6eff

SHA512
948fa25406edce328f451e3cb787a1795d583df6086f37287c80006b9166be6cea2490136bdf40d66483f8c792bdf1fae4fe1934a13692f8ce56a8fd5db62fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
43b2acc13ba1fe53d4f8859fe4f98cfd

SHA1
d917f316b17b600053802c3133dae8c2466a7f41

SHA256
b6630b73e4df2c36854f9480fe321ceb44fe45103d74a509c6d616c120509186

SHA512
8851c9fb935dfa61345903ec7ec859779a98c0fd40bd5ad8f2a103f68b59ee3e7527664cb44fb0b3b17fd21977ed554e9b0aca0b1c8fec8d51b565a29d48d5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f6f33ae41ff18891871a3e906d915eb4

SHA1
cf6ac704047ea22e450c3fa972d98111e43885bc

SHA256
0225284153c04eb74129e1fbd81e498496e4ac83a70e9f40944c72a9012e2c45

SHA512
799bf60838820fd51d2247317ea2e7c2dfe08dadcd9659e7d4d0ac0b944c6ef17916aedf99be1e09bf4c608610cd4c58ddedb455af4a5117dfda95ea66540840

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d2671abf-4edc-4d72-9e89-c9d4bee302aa.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1e7dd00b69af4d51fb747a9f42c6cffa

SHA1
496cdb3187d75b73c0cd72c69cd8d42d3b97bca2

SHA256
bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771

SHA512
d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_awkse0ls.y2o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 483832.crdownload

Filesize
229KB

MD5
7d4e022d4a7a3b286c0859e67f08704d

SHA1
41adf9cd874cd8eece6f2eaef2eab2583f666bb9

SHA256
69c597ac934919cd00053468c2c109a582e96d16ccd8e16bb5924784bbe340c6

SHA512
9bbb026aae6d47d59e96b6fcff1398014f2d72929bc13d0200e5952df173f1bb37ced3e84dc895ad6c468cfadc9849d0c7ea58c53ad1ffc372b0e0223f31f3a4

Download Submit
C:\Users\Admin\Downloads\mercurystealer.exe:Zone.Identifier

Filesize
60B

MD5
72d152337ada3cd4de71046121603956

SHA1
4c3a0e314956371545b16381d7ab0c724b98fc4c

SHA256
6aed784485fcfe3bcf95722bec81ee363188d5ac8af6c60895f3c8def3c70a6c

SHA512
a532f854bdad3d7214aa33c0de931e929852140b8098cf015d9d49f048b9efc32d9b91e50327dfbd9677c32c79de09c9279ba922118840087bbf6aa901b5affa

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1368-379-0x0000028FFE290000-0x0000028FFE2B2000-memory.dmp

Filesize
136KB

Download
memory/4196-442-0x000001E2AAA60000-0x000001E2AAA72000-memory.dmp

Filesize
72KB

Download
memory/4196-398-0x000001E2AA800000-0x000001E2AA876000-memory.dmp

Filesize
472KB

Download
memory/4196-402-0x000001E2AA780000-0x000001E2AA79E000-memory.dmp

Filesize
120KB

Download
memory/4196-399-0x000001E2AA7B0000-0x000001E2AA800000-memory.dmp

Filesize
320KB

Download
memory/4196-441-0x000001E2AAA30000-0x000001E2AAA3A000-memory.dmp

Filesize
40KB

Download
memory/4196-370-0x000001E2901A0000-0x000001E2901E0000-memory.dmp

Filesize
256KB

Download