umbral | hxxps://limewire[.]com/d/3673a2a7-c328-4867-a177-574cc0df06a3#ineLbyoSRITCn0f8WlGUFqyokS-FNO1iMdpZnQgMZ_s

Analysis

max time kernel
29s
max time network
42s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-12-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://limewire.com/d/3673a2a7-c328-4867-a177-574cc0df06a3#ineLbyoSRITCn0f8WlGUFqyokS-FNO1iMdpZnQgMZ_s

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045299-510.dat	family_umbral
behavioral1/memory/5752-560-0x0000015008930000-0x0000015008970000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1172	powershell.exe
5716	powershell.exe
6116	powershell.exe
5284	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Generator1.exe

Executes dropped EXE 8 IoCs

pid	Process
5752	Generator1.exe
5900	Generator1.exe
5936	Generator1.exe
6048	Generator1.exe
6076	Generator1.exe
4604	Generator1.exe
4540	Generator1.exe
5368	Generator1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
105	discord.com
104	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
84	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\67fe24f6-92bd-406f-afbc-b185655e5738.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241227200510.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5408	cmd.exe
5520	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5980	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 545925.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\tFm0M.scr\:SmartScreen:$DATA	Generator1.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5520	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4476	msedge.exe
4476	msedge.exe
4336	msedge.exe
4336	msedge.exe
4612	identity_helper.exe
4612	identity_helper.exe
5336	msedge.exe
5336	msedge.exe
5972	wmic.exe
5972	wmic.exe
5972	wmic.exe
5972	wmic.exe
5752	Generator1.exe
5752	Generator1.exe
5284	powershell.exe
5284	powershell.exe
5284	powershell.exe
1172	powershell.exe
1172	powershell.exe
1172	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5752	Generator1.exe
Token: SeIncreaseQuotaPrivilege	5972	wmic.exe
Token: SeSecurityPrivilege	5972	wmic.exe
Token: SeTakeOwnershipPrivilege	5972	wmic.exe
Token: SeLoadDriverPrivilege	5972	wmic.exe
Token: SeSystemProfilePrivilege	5972	wmic.exe
Token: SeSystemtimePrivilege	5972	wmic.exe
Token: SeProfSingleProcessPrivilege	5972	wmic.exe
Token: SeIncBasePriorityPrivilege	5972	wmic.exe
Token: SeCreatePagefilePrivilege	5972	wmic.exe
Token: SeBackupPrivilege	5972	wmic.exe
Token: SeRestorePrivilege	5972	wmic.exe
Token: SeShutdownPrivilege	5972	wmic.exe
Token: SeDebugPrivilege	5972	wmic.exe
Token: SeSystemEnvironmentPrivilege	5972	wmic.exe
Token: SeRemoteShutdownPrivilege	5972	wmic.exe
Token: SeUndockPrivilege	5972	wmic.exe
Token: SeManageVolumePrivilege	5972	wmic.exe
Token: 33	5972	wmic.exe
Token: 34	5972	wmic.exe
Token: 35	5972	wmic.exe
Token: 36	5972	wmic.exe
Token: SeIncreaseQuotaPrivilege	5972	wmic.exe
Token: SeSecurityPrivilege	5972	wmic.exe
Token: SeTakeOwnershipPrivilege	5972	wmic.exe
Token: SeLoadDriverPrivilege	5972	wmic.exe
Token: SeSystemProfilePrivilege	5972	wmic.exe
Token: SeSystemtimePrivilege	5972	wmic.exe
Token: SeProfSingleProcessPrivilege	5972	wmic.exe
Token: SeIncBasePriorityPrivilege	5972	wmic.exe
Token: SeCreatePagefilePrivilege	5972	wmic.exe
Token: SeBackupPrivilege	5972	wmic.exe
Token: SeRestorePrivilege	5972	wmic.exe
Token: SeShutdownPrivilege	5972	wmic.exe
Token: SeDebugPrivilege	5972	wmic.exe
Token: SeSystemEnvironmentPrivilege	5972	wmic.exe
Token: SeRemoteShutdownPrivilege	5972	wmic.exe
Token: SeUndockPrivilege	5972	wmic.exe
Token: SeManageVolumePrivilege	5972	wmic.exe
Token: 33	5972	wmic.exe
Token: 34	5972	wmic.exe
Token: 35	5972	wmic.exe
Token: 36	5972	wmic.exe
Token: SeDebugPrivilege	5284	powershell.exe
Token: SeIncreaseQuotaPrivilege	5284	powershell.exe
Token: SeSecurityPrivilege	5284	powershell.exe
Token: SeTakeOwnershipPrivilege	5284	powershell.exe
Token: SeLoadDriverPrivilege	5284	powershell.exe
Token: SeSystemProfilePrivilege	5284	powershell.exe
Token: SeSystemtimePrivilege	5284	powershell.exe
Token: SeProfSingleProcessPrivilege	5284	powershell.exe
Token: SeIncBasePriorityPrivilege	5284	powershell.exe
Token: SeCreatePagefilePrivilege	5284	powershell.exe
Token: SeBackupPrivilege	5284	powershell.exe
Token: SeRestorePrivilege	5284	powershell.exe
Token: SeShutdownPrivilege	5284	powershell.exe
Token: SeDebugPrivilege	5284	powershell.exe
Token: SeSystemEnvironmentPrivilege	5284	powershell.exe
Token: SeRemoteShutdownPrivilege	5284	powershell.exe
Token: SeUndockPrivilege	5284	powershell.exe
Token: SeManageVolumePrivilege	5284	powershell.exe
Token: 33	5284	powershell.exe
Token: 34	5284	powershell.exe
Token: 35	5284	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 964	4336	msedge.exe	81
PID 4336 wrote to memory of 964	4336	msedge.exe	81
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 3408	4336	msedge.exe	82
PID 4336 wrote to memory of 4476	4336	msedge.exe	83
PID 4336 wrote to memory of 4476	4336	msedge.exe	83
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84
PID 4336 wrote to memory of 3896	4336	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6104	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://limewire.com/d/3673a2a7-c328-4867-a177-574cc0df06a3#ineLbyoSRITCn0f8WlGUFqyokS-FNO1iMdpZnQgMZ_s
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8f5ae46f8,0x7ff8f5ae4708,0x7ff8f5ae4718
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3720
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff64e2d5460,0x7ff64e2d5470,0x7ff64e2d5480
    3⤵
    PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7144 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:5624
- C:\Users\Admin\Downloads\Generator1.exe
  "C:\Users\Admin\Downloads\Generator1.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5752
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5972
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\Generator1.exe"
    3⤵
    - Views/modifies file attributes
    PID:6104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Generator1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:6000
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:5488
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5336
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6116
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5980
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Generator1.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5408
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5520
- C:\Users\Admin\Downloads\Generator1.exe
  "C:\Users\Admin\Downloads\Generator1.exe"
  2⤵
  - Executes dropped EXE
  PID:5900
- C:\Users\Admin\Downloads\Generator1.exe
  "C:\Users\Admin\Downloads\Generator1.exe"
  2⤵
  - Executes dropped EXE
  PID:5936
- C:\Users\Admin\Downloads\Generator1.exe
  "C:\Users\Admin\Downloads\Generator1.exe"
  2⤵
  - Executes dropped EXE
  PID:6048
- C:\Users\Admin\Downloads\Generator1.exe
  "C:\Users\Admin\Downloads\Generator1.exe"
  2⤵
  - Executes dropped EXE
  PID:6076
- C:\Users\Admin\Downloads\Generator1.exe
  "C:\Users\Admin\Downloads\Generator1.exe"
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Users\Admin\Downloads\Generator1.exe
  "C:\Users\Admin\Downloads\Generator1.exe"
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Users\Admin\Downloads\Generator1.exe
  "C:\Users\Admin\Downloads\Generator1.exe"
  2⤵
  - Executes dropped EXE
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8014384058047796901,7564353244187005690,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
  2⤵
  PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Generator1.exe.log

Filesize
1KB

MD5
dcbdf62e96e679168e99bb26c3f28d37

SHA1
b4dd47ce9094a450cd6e03a2f1d61ea4c8b85208

SHA256
c44d43f12dedac8a011cf40417f28b4d7e0d961ac4503829f01891ce7212fa35

SHA512
679b07b35c90abdb029a202bb14c424d2497d1b8e99396d369629a066a3978e77c6257148a22c48abcbcb6370c722673d0cbb3d1fd33880fa32107d5a20869b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9fc751d5fa08ca574eba851a781b900

SHA1
963c71087bd9360fa4aa1f12e84128cd26597af4

SHA256
360b095e7721603c82e03afa392eb3c3df58e91a831195fc9683e528c2363bbb

SHA512
ecb8d509380f5e7fe96f14966a4d83305cd9a2292bf42dec349269f51176a293bda3273dfe5fba5a32a6209f411e28a7c2ab0d36454b75e155fc053974980757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d9a93ee5221bd6f61ae818935430ccac

SHA1
f35db7fca9a0204cefc2aef07558802de13f9424

SHA256
a756ec37aec7cd908ea1338159800fd302481acfddad3b1701c399a765b7c968

SHA512
b47250fdd1dd86ad16843c3df5bed88146c29279143e20f51af51f5a8d9481ae655db675ca31801e98ab1b82b01cb87ae3c83b6e68af3f7835d3cfa83100ad44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f70be40225990ebd6c2ce4d984bba3a5

SHA1
2493a4d18248bd27cad366bf1a86bfd180522c77

SHA256
a159984034b2057d6bad72d77287b213bac77b21ec4e1c32642a215978291031

SHA512
5f74b46e506f6d04f75d716fa4fe3a8de0ebf267341132efcaa21714c37ee3029429c5caeed3814876b9b525e64ed366178127a848506e8176a591c91fcfd36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe584c75.TMP

Filesize
48B

MD5
c8011872547c7688c9e1319843c385e5

SHA1
68e0135ecd11aaf5dc8145c0e8fc3c92cf0133cd

SHA256
34929e81e66ea57ccc44491e9249145d41c849cc6ed18258e51f8fef50bf17d8

SHA512
df0e017fa3574e8c1feea6c6ee876376ad7c66a9e768cf95fe36ce9b42021db133d103d5b6fc0534e51f71100e90a04655a74ecdfa6a1ece8b29abe9dc5588e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
437B

MD5
1b9d9eb46cb078d33c9c91a94cc70667

SHA1
b0dbed8f479d779afdf267b69491460d80ee6b66

SHA256
0fe853f0ad49a371bcc08f8bd9884db6e5fdd950c8bab55bb2dc678c97b2f69c

SHA512
887bbb812e86374268b8a43e26143ee4494917d33e237425483958ef4c79c4bbe7bd9eb9fb68852589648482d03f5edbe8ff7fd7cb6484e705045e6b1085f4dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd237d44b29931cf65c998d047bfedc5

SHA1
1077880766249c8a6db3aecf5c46b78e17c5481f

SHA256
167ce7f2b6b61f7bbc3ca62073267b6e423667539eb748224874bc981ae2a2ea

SHA512
7d83e810d33bd2ee35ee9154abe170d6a6b2b56a51c1e0a1de77fcf6aab47dc5e279595f85e13419a96ed81f661f7be03a8533c2174657217c49fc2d3683a07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc899be2e0f61bfa4558e7dd99b62730

SHA1
80116e69cd6faab9ce12b43afd571d3cd8a9cff6

SHA256
84b73103090b372cd2f4fa77680a73e8b46f1a4a6e569c61fb558acbf2e0b4b9

SHA512
caeb9ef69776d53cb6fe3c87e0136e4c93f64777e293bc70d0e994d27f9c80b9379f8c89ccdea7b363c44be13bdfbe378b4930a194e9554dd2aa9a73bf65e3e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29d9de44a3871f20d860dbe69ef16415

SHA1
08cb3af423a61521e4035b4b61960f17932f0973

SHA256
2bcdcdee917bbf368f1ef8f808554d21bb536a86f51d6ca08eb13967db9be281

SHA512
730e2beb49c5899d6b94a5fb80c7d432dbe6610ddf09d761a2a86bdb4ae56216653f75e6b94a5add51687892f3e83cb0344a1803e5f1dd8a0dcd41f331ab4e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a37cc6e2ee25bc49401004bfbc2968a2

SHA1
f2f00085b880a0cd6b4fd26c9279c30d6137ec0c

SHA256
5c3ff616aa95ea0226098c028346dc5ccfba961d6846c323dc1ce835da41c760

SHA512
dcd59ce1a50e2993bd35bc289e753c4b010c21901f503b0d71c4cee77e24108171b840e182b722eecc2b207a8de276a2f27a98a731e55c8ea07ed5e04ac3740d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f9055ea0f42cb1609ff65d5be99750dc

SHA1
6f3a884d348e9f58271ddb0cdf4ee0e29becadd4

SHA256
1cacba6574ba8cc5278c387d6465ff72ef63df4c29cfbec5c76fbaf285d92348

SHA512
b1937bc9598d584a02c5c7ac42b96ed6121f16fe2de2623b74bb9b2ca3559fc7aff11464f83a9e9e3002a1c74d4bb0ee8136b0746a5773f8f12f857a7b2b3cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d3412a01d4c3df1df43f94ecd14a889a

SHA1
2900a987c87791c4b64d80e9ce8c8bd26b679c2f

SHA256
dd1511db0f7bf3dc835c2588c1fdd1976b6977ad7babe06380c21c63540919be

SHA512
7d216a9db336322310d7a6191ebac7d80fd4fa084413d0474f42b6eff3feb1baf3e1fb24172ea8abcb67d577f4e3aea2bc68fdb112205fc7592a311a18952f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\db4125b5f40e60705005afe796cc0071c6f09794\a7500aae-7a06-4ad4-8c2e-332ebac996b1\index-dir\the-real-index

Filesize
48B

MD5
89aef67fc82e7009cf69431c43059a9a

SHA1
808a7616b6cd59abf9116314084a99c301bce974

SHA256
08e69365d86d6715d86939973a0c2c6bd3fa8c5f4587482906aa3d173c5bc7aa

SHA512
95e603b04d1acf20e6f6e9c3e0e393f82c972ea5410b0a2d7bb1d88b43ed40a763d83941831b1fa8d8d65d5d881d1ce990410edd70f48f31d1546630ee580853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\db4125b5f40e60705005afe796cc0071c6f09794\a7500aae-7a06-4ad4-8c2e-332ebac996b1\index-dir\the-real-index~RFe5843ea.TMP

Filesize
48B

MD5
bf6850452066d58580d3a15b8513ce52

SHA1
2a27414f72014d66d1d1ff3ab2c1016a040a6f11

SHA256
4d2eb8133a3f8208d7d76350ca051740c54d9f84c67f28555a26eb8bfac0edeb

SHA512
7e7617318b4027353ea6fcae185065c3f852707f4997a1d8e80caddd4916e9939e4879a706caec34862797364c956c28d498d85118371eb42584df2bbe4ef2a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\db4125b5f40e60705005afe796cc0071c6f09794\index.txt

Filesize
84B

MD5
cddf396312ce021045dacf3721a9c487

SHA1
c9859e774dfa976ae5eadbb226917a54e4567ea8

SHA256
12097ac084f5e6a18ee0899aad491e728d1fc14584f7e7e169a2c034153f207f

SHA512
2ce869288fab1d776a4af16df10e5391171e5b42717aa5d72e54fdb5e0fd56ba2240ea06a200241a6d485ebb606cce51a33d2ea79ca43520e7a707315e31d9ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\db4125b5f40e60705005afe796cc0071c6f09794\index.txt~RFe584419.TMP

Filesize
91B

MD5
50e7df767f0b7a4fba0ffec01d3674e2

SHA1
54f3c979d847974859d062a76f02bf16861d2a72

SHA256
983f059ee3245d86414653415d888ac9eb9b918050069eef9267f951369f4bd8

SHA512
e701b72fbc82e3ba3e3883e56c4421bd5784674abc5245237fbfff818046cdad59152c41aea5e1ae129d851873b0740e7d089bf4d980cba10aecf20f6b136f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
76bc1fbe100f1c445c5c59d1ce53acf2

SHA1
2307ee55c4162f81f318ac8f4fd0d492a3a6e4da

SHA256
a49190e1c47eff01a97485a59700369ec4772d1b9ff99abc3f18624df917edcc

SHA512
7f64ee8850e0f2d774108edb3579f50fa950a1aba7836271779c494a60ccdda312284ffdaa6e6fc85a460afb9aa7258b1f4a6fc18c9f1bad7fae2869ff9e0384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5842d0.TMP

Filesize
48B

MD5
168a0e3a828a409ca721fc87a7b9107a

SHA1
99cfd7aa9c8b137b2c4f6afa346f9765755a54f4

SHA256
2710f5b6b156a4f339f180d93570a60ce419cf4f0b736faca7307c24a5c62519

SHA512
68f341cf795d10ba343321234cf94bf6f570c68ba4e44242e2f35db24bb722075d966de25e68021cc1847e7c2d41444360b6d794ffc2f94dd6f653ce6025ea4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1871a1df97d499153dd55c09a693ef3

SHA1
0c48d3dfb622e6c7ad6b225863008e08a0975bd1

SHA256
5dbb581e04a26d02910be47cdd2e8328f41d453e7e96350e50683a136c8b9998

SHA512
18d2bfa737046baad3ed7da5419432cb65f7c44c984cccd285cf1668d4e8679c72c2344c1309903ea83c0e2d9ddafccebb7a89339c622ea4400176d7baf8eaad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582083.TMP

Filesize
863B

MD5
407385d05d8ad6b225348b75025a32e2

SHA1
be10ec3471b8a9200c3e406e0172552d2183f592

SHA256
d905aa2de1b41e1b4433496e064418366a4c4e7ea304537ab78dad806fabb7d1

SHA512
10a9fbfb6a79c7c6a199b3e7a743be7db28fe0ba26456e44e55082f7198f920f9cb5c0be010f78eaa8d38ab07cc66db782be3da94196b2bad6d1f97e46881eb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f4f5426d47ad9619630ca324ea09269a

SHA1
d26ef20779ffe180b30fc802ba5fcf5e6b64b44d

SHA256
bfa24c48122d939b01dfcaa9bbcd3a03d9ac17a0a34f8d168de6ecfac88eea5e

SHA512
02a9054a0f98d561fcc180e2c40bcf065c7311c17e007930e678a7edcebf57a92c5abb894b70a1dcddf64b7faba3acc44e142b74213273c3dbf048c66cec19d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
16359d43a3d3ee9b85c256c407b0dfb5

SHA1
06c1ee4bc927d677f5005e5f84e2d8aa42c22918

SHA256
fb61c2ba0b1828c61509238cd98c0083463a87be1cf35a2fa35b275b388792f7

SHA512
51232e14605739f7d5ac2e10a5bd5f1a036f670a8df86ab79dbe91d95e215f81893c34e2453f6dfc1ee8e85cda31a8cba2485298e6ad03d4534c94a0b2151ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
71a2894e51646537b85d31d6f7014625

SHA1
07d6e020c72cd94b2cbae2d5b8ac238278a56636

SHA256
0c817dae2699f50343c50134d08b44ada35abca654cc805403624dbd4d4fb4f5

SHA512
a4838e5d8704aab2653eafab26ef43ecded6b06b76000c2061e5b0347a3164619399bf3453f1fce2646a70fd7fb429477d31dfa01542d30ca57efe9084059b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d8f94078b03794541a0dccaa0bc81da

SHA1
19a772d67259dbcd44e844d174bab06b83b07f97

SHA256
7b27dd35c9555fa3f78d21574d3bfd0ea927ed34f1eef5dfaf74bd81093a7921

SHA512
647f00ae50857cc1f0f3ebd53f3a11e4b7e178b8803acef5b7b7f1cc3e245256cd40a1fbe7b95da920349fee49cf4363732e66b485ae06a41fa86c8eb985b876

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mo5javiw.uns.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
45aeaf7473c3917557ce581bdd1d7022

SHA1
9e069f2ef415b7a17613f674e1236a11e50fb967

SHA256
01a68d659cc733951829e0a9c4c8a6ddfbbc2e28cf8fc61c18f62aa054281aa1

SHA512
9a8401762f950b8c974229203d7b6b1f77077eabe3ad39cb7f8f019955d0a27ce45fcfbeabbcb9652d35521229e1607e8c36553fdc1c5319e71433d134b8055a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
1b07aa51eb393a322423e615c5a1f20f

SHA1
3bb52295366fe97c49ea7dfba872850467cfb3ae

SHA256
e17bbe32838a759665a20bfe1eb03815acd5106116a5ea599b959162987a47d4

SHA512
a2195c743cfe1bd841253c5400b703f36d5daafca2995d988310aeab4ec381df4d2800db63dfa3dd3b3eac28a84d44f904aec1194f85ef14313a67b8a312a221

Download Submit
C:\Users\Admin\Downloads\Generator1.exe

Filesize
231KB

MD5
96cf6bb55d2a5a3f37e34e15b51c5753

SHA1
4ea65e62d33333dc1928e44932159324f0e44d2b

SHA256
eb04c19fdc998eeb6b5bcfdb02c493af1fcdb368d8ca7425f8edbf47822a59d6

SHA512
b7e2aebd8bb4e546ce60423681b3f63e21acb4a6c67ec6fbdeb2ac3af69ca368e4722009222083fef1074ab675792ccf8be3ec96593aed5543a10c452d68892e

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/5284-568-0x00000181C2280000-0x00000181C22A2000-memory.dmp

Filesize
136KB

Download
memory/5752-653-0x00000150230F0000-0x00000150230FA000-memory.dmp

Filesize
40KB

Download
memory/5752-654-0x0000015023120000-0x0000015023132000-memory.dmp

Filesize
72KB

Download
memory/5752-560-0x0000015008930000-0x0000015008970000-memory.dmp

Filesize
256KB

Download
memory/5752-597-0x0000015023000000-0x0000015023050000-memory.dmp

Filesize
320KB

Download
memory/5752-596-0x0000015023050000-0x00000150230C6000-memory.dmp

Filesize
472KB

Download
memory/5752-600-0x0000015022FD0000-0x0000015022FEE000-memory.dmp

Filesize
120KB

Download