Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://uploadnow.io...

windows11-21h2-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    55s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08/01/2025, 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://uploadnow.io/en/share?utm_source=2rnBsBk

Score
10/10
umbraldiscoveryexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://uploadnow.io/en/share?utm_source=2rnBsBk
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f42c3cb8,0x7ff8f42c3cc8,0x7ff8f42c3cd8
      2⤵
        PID:428
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
        2⤵
          PID:332
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1836
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
          2⤵
            PID:2756
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
            2⤵
              PID:1132
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
              2⤵
                PID:3768
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
                2⤵
                  PID:4916
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
                  2⤵
                    PID:2136
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
                    2⤵
                      PID:2396
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
                      2⤵
                        PID:2616
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
                        2⤵
                          PID:1484
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3816
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
                          2⤵
                            PID:1348
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
                            2⤵
                              PID:3316
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
                              2⤵
                                PID:2432
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
                                2⤵
                                  PID:4056
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
                                  2⤵
                                    PID:3404
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3500
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,11359797503269153298,13093557448382102327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8
                                    2⤵
                                    • NTFS ADS
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1848
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:1464
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:4912
                                    • C:\Windows\System32\rundll32.exe
                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                      1⤵
                                        PID:2616
                                      • C:\Users\Admin\AppData\Local\Temp\Temp1_Slinky.zip\Slinky\load.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Temp1_Slinky.zip\Slinky\load.exe"
                                        1⤵
                                          PID:4692
                                          • C:\Users\Admin\AppData\Local\Temp\Slinky Injector.exe
                                            "C:\Users\Admin\AppData\Local\Temp\Slinky Injector.exe"
                                            2⤵
                                            • Drops file in Drivers directory
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2252
                                            • C:\Windows\System32\Wbem\wmic.exe
                                              "wmic.exe" csproduct get uuid
                                              3⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2312
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Slinky Injector.exe'
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4232
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2112
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5068
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                              3⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4484
                                            • C:\Windows\System32\Wbem\wmic.exe
                                              "wmic.exe" os get Caption
                                              3⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:464
                                            • C:\Windows\System32\Wbem\wmic.exe
                                              "wmic.exe" computersystem get totalphysicalmemory
                                              3⤵
                                                PID:3916
                                              • C:\Windows\System32\Wbem\wmic.exe
                                                "wmic.exe" csproduct get uuid
                                                3⤵
                                                  PID:1400
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                  3⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:3744
                                                • C:\Windows\System32\Wbem\wmic.exe
                                                  "wmic" path win32_VideoController get name
                                                  3⤵
                                                  • Detects videocard installed
                                                  PID:1588
                                              • C:\Users\Admin\AppData\Local\Temp\load.exe
                                                "C:\Users\Admin\AppData\Local\Temp\load.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:3976

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                              Filesize

                                              2KB

                                              MD5

                                              627073ee3ca9676911bee35548eff2b8

                                              SHA1

                                              4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                              SHA256

                                              85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                              SHA512

                                              3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              c0a1774f8079fe496e694f35dfdcf8bc

                                              SHA1

                                              da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

                                              SHA256

                                              c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

                                              SHA512

                                              60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              e11c77d0fa99af6b1b282a22dcb1cf4a

                                              SHA1

                                              2593a41a6a63143d837700d01aa27b1817d17a4d

                                              SHA256

                                              d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

                                              SHA512

                                              c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                              Filesize

                                              1KB

                                              MD5

                                              48d41e724758c185a82870ab10f40adf

                                              SHA1

                                              51fe957d6f3082c978ce6a3ddd9dabd16fe1cd71

                                              SHA256

                                              6161530352a1d4e318def7eb70990ed855e764e27540005eb5f94f39a1b5bf43

                                              SHA512

                                              ee0ac71687b0f4dab1a64b64c4ef52118d74b4dabd4eabc371355365b9b9ec439e71ef683c8c83f0b16c48379d5ed23264d77dfac4450b49bbf851e0adfa2e1e

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
                                              Filesize

                                              2KB

                                              MD5

                                              72af01c6e9db991420026f70b56af7ea

                                              SHA1

                                              1b0fb65e6d67dbbffd76724bdbf8da743e6105a6

                                              SHA256

                                              34bc5d4074a2af51247b50041594d4e177c1e1c839014bfd18d1addf49703a1f

                                              SHA512

                                              9ce07a2e40aa5667fe90f7419cb2b6519a867a5fe8b9dea8e541e6ca4e5492553a833aac1ae8358d3f741146ca20cdccd62ad17ba3e0c3b700ba27feaacb68be

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              6KB

                                              MD5

                                              7998ca3ffe46a5928ddd238c39d1d00d

                                              SHA1

                                              287e4bc7ecefae09416dba22851aac46a27b941a

                                              SHA256

                                              093d4a175b2933b7c33b018b51cf509ec82f83cf5f255d5a20c39018cd2dec28

                                              SHA512

                                              d3c7a26ae587e6ee4e17d82d9580e0725c572470a33fc929947a6469363ff49606d658bc3d786ebfe32123e43815baae11d408cdd7e8a86d635ecc12603625e4

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              5KB

                                              MD5

                                              261e5261e24acc4a2d5e09be7242617c

                                              SHA1

                                              a5bd482c97b1c111c59a46b7c54ff90e20adfffa

                                              SHA256

                                              d0f8eda07b600965d7533e28a951123759dacccabe79ffbe0620d6d419f6aaee

                                              SHA512

                                              51094ba7c19fa29c5dfa865c7800c20ebd35d2100494e0f1b9635d537c58bb2520ce07dfcba1a7c293b12e4d0e7c3bf763ba9aa1db4556119061363cfd1ba87f

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              46295cac801e5d4857d09837238a6394

                                              SHA1

                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                              SHA256

                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                              SHA512

                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              206702161f94c5cd39fadd03f4014d98

                                              SHA1

                                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                              SHA256

                                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                              SHA512

                                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              10KB

                                              MD5

                                              cc88de0b42ffd3d52b8cf79dfae461f3

                                              SHA1

                                              a6862224e6bc2885917a4a04cbb2e1ec80aa8c7a

                                              SHA256

                                              6aad5dedec6b2428c10fcdb291d5f192ba85849794c44e1e5efff2d90c0b2bcf

                                              SHA512

                                              48d053c2e9349f084a7f85cb64e1cfeffef9df7cc74a22bed288ef882022fe103481f22eb546ba1f99d2efd542e1f982fdf06ed78ccd10deb696cb931d40e964

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              10KB

                                              MD5

                                              02427ca6ae6dd544c463be4f37f96a31

                                              SHA1

                                              e08e543a677f116c88a99ab1fd0c139d8813bb42

                                              SHA256

                                              220397ded375aff9765fbec08b7253934cb9dfe5ca0359b9d31637d901dbcd2d

                                              SHA512

                                              5833f495e05a181235d8f268a93e543498902b20526bcf56e8b2c07fad386625d562fda706d8a1a4ec02f9f996dcac2ef0d2a5dc0e4ee331be1dd1980008cea0

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              944B

                                              MD5

                                              d0a4a3b9a52b8fe3b019f6cd0ef3dad6

                                              SHA1

                                              fed70ce7834c3b97edbd078eccda1e5effa527cd

                                              SHA256

                                              21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

                                              SHA512

                                              1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              948B

                                              MD5

                                              441a842138038e6385e430a90d7ea608

                                              SHA1

                                              7b3712d2cdd37e10ee9b3994131ee5175e920f01

                                              SHA256

                                              47592f3324179912d3bdba336b9e75568c2c5f1a9fb37c1ba9f0db9df822164c

                                              SHA512

                                              9dbddc3216f2a132ae3961b3aeac2c5b8828dcc9292f6c5bf1171c47453aa8687f92658818d771413492c0ea565e9ede17b9c03e427af9dc2ac21a78369a6666

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              1KB

                                              MD5

                                              0ac871344dc49ae49f13f0f88acb4868

                                              SHA1

                                              5a073862375c7e79255bb0eab32c635b57a77f98

                                              SHA256

                                              688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

                                              SHA512

                                              ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                              Filesize

                                              1KB

                                              MD5

                                              201a02fbba615c7b8004d14ada483d3e

                                              SHA1

                                              69fb4cb79c38c6755799e65d5752cc2a4e1a86f0

                                              SHA256

                                              b4c033fe3444f280ee37a23116bf174edf584fc20a2805a04de181c2a87da6bd

                                              SHA512

                                              6c8bbe9a3fc356637ad4c4cf7e73898be2c33723c3108919e86471bf6fcae12d4dcb6e7a532ca2baec980044fba504ee48de7c036f171b3fe655db06a52c7676

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\Slinky Injector.exe
                                              Filesize

                                              228KB

                                              MD5

                                              22c66a144f89f219d9f7bef81578dd48

                                              SHA1

                                              ad7235aadd9583fd423a5f36a5c65a6213d23fff

                                              SHA256

                                              9c1f1a7105e258fc4b5df94ba02bd41ddbe55bc82c88cd718fa5b2fac5969f00

                                              SHA512

                                              78316d05a92f3c4d9be0f18d1bbc86529961917d83cb00de36a396e96b2357564e354e9cfdc364f08d7e96bdd8602296e6df6eb0d2ea21029c7a45e116edb7a0

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfik1pfd.nqf.ps1
                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\load.exe
                                              Filesize

                                              18.4MB

                                              MD5

                                              38019371c7cfc54d0c08629da0384a1f

                                              SHA1

                                              87509b8aa5549f22b53362588c624b010cfa5b26

                                              SHA256

                                              d4f6bfde46ea2394570619fa89f8cdc8ac00b297179fe8831558530ec48492f1

                                              SHA512

                                              75f204fa1be253a68678ec7a6637a8db1b02346fb429365500427e493fd0c2b2d2b24a4ae30de3f777c239af507c141f979b6012c8b394f663d073f2850d682d

                                              Download Submit

                                            • C:\Users\Admin\Downloads\Slinky.zip:Zone.Identifier
                                              Filesize

                                              26B

                                              MD5

                                              fbccf14d504b7b2dbcb5a5bda75bd93b

                                              SHA1

                                              d59fc84cdd5217c6cf74785703655f78da6b582b

                                              SHA256

                                              eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                              SHA512

                                              aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                              Download Submit

                                            • C:\Users\Admin\Downloads\f00324e6-4f79-4ace-a571-bfcb8312ec96.tmp
                                              Filesize

                                              35.0MB

                                              MD5

                                              2ebeee6fab83ed93c1af34b338ec36db

                                              SHA1

                                              29b46eff62da60d049746509cc426e2fb68e23ca

                                              SHA256

                                              4edd9310f1c4ae4349f5f46aa3e1052e54d2085c3895c43a9ce83375ac14d09e

                                              SHA512

                                              d1dba23870e080dbef88197d7ed4c67c53ead491dd1f3158335c0aff4bfb61748c314b470ad6de41c5737eb56c261a10b0c39c6471ad7718dd2faef26c951763

                                              Download Submit

                                            • C:\Windows\system32\drivers\etc\hosts
                                              Filesize

                                              2KB

                                              MD5

                                              4028457913f9d08b06137643fe3e01bc

                                              SHA1

                                              a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                                              SHA256

                                              289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                                              SHA512

                                              c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                                              Download Submit

                                            • memory/2112-334-0x000001F2EADF0000-0x000001F2EAE0A000-memory.dmp

                                              Filesize

                                              104KB

                                              Download

                                            • memory/2252-378-0x00000296D94F0000-0x00000296D94FA000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/2252-337-0x00000296D9510000-0x00000296D9586000-memory.dmp

                                              Filesize

                                              472KB

                                              Download

                                            • memory/2252-339-0x00000296D9490000-0x00000296D94E0000-memory.dmp

                                              Filesize

                                              320KB

                                              Download

                                            • memory/2252-341-0x00000296D95B0000-0x00000296D95CE000-memory.dmp

                                              Filesize

                                              120KB

                                              Download

                                            • memory/2252-299-0x00000296BED10000-0x00000296BED50000-memory.dmp

                                              Filesize

                                              256KB

                                              Download

                                            • memory/2252-379-0x00000296D95D0000-0x00000296D95E2000-memory.dmp

                                              Filesize

                                              72KB

                                              Download

                                            • memory/2252-399-0x00000296D91E0000-0x00000296D9206000-memory.dmp

                                              Filesize

                                              152KB

                                              Download

                                            • memory/3744-393-0x000001FD1DCF0000-0x000001FD1DD0A000-memory.dmp

                                              Filesize

                                              104KB

                                              Download

                                            • memory/4232-322-0x00000189F9B60000-0x00000189F9B7A000-memory.dmp

                                              Filesize

                                              104KB

                                              Download

                                            • memory/4232-311-0x00000189F9B90000-0x00000189F9BB2000-memory.dmp

                                              Filesize

                                              136KB

                                              Download

                                            • memory/4484-375-0x00000254AFEF0000-0x00000254AFF0A000-memory.dmp

                                              Filesize

                                              104KB

                                              Download

                                            • memory/4692-287-0x0000000000D70000-0x0000000001F0E000-memory.dmp

                                              Filesize

                                              17.6MB

                                              Download

                                            • memory/5068-364-0x00000234B5230000-0x00000234B524A000-memory.dmp

                                              Filesize

                                              104KB

                                              Download