umbral | hxxps://telegra[.]ph/HOLLOW-06-02-3

Analysis

max time kernel
569s
max time network
577s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://telegra.ph/HOLLOW-06-02-3

Score

10^/10

umbral discovery execution stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/5004-722-0x000002ED2B030000-0x000002ED2B070000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4620	powershell.exe
3644	powershell.exe
5008	powershell.exe
4056	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
112	camo.githubusercontent.com
113	camo.githubusercontent.com
114	camo.githubusercontent.com
115	camo.githubusercontent.com
140	discord.com
111	camo.githubusercontent.com
116	camo.githubusercontent.com
117	camo.githubusercontent.com
141	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
138	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2876	cmd.exe
4904	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3532	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4904	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
516	msedge.exe
516	msedge.exe
2156	identity_helper.exe
2156	identity_helper.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
1544	msedge.exe
1544	msedge.exe
4620	powershell.exe
4620	powershell.exe
3644	powershell.exe
3644	powershell.exe
5008	powershell.exe
5008	powershell.exe
3968	powershell.exe
3968	powershell.exe
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	lastloader.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeIncreaseQuotaPrivilege	4676	wmic.exe
Token: SeSecurityPrivilege	4676	wmic.exe
Token: SeTakeOwnershipPrivilege	4676	wmic.exe
Token: SeLoadDriverPrivilege	4676	wmic.exe
Token: SeSystemProfilePrivilege	4676	wmic.exe
Token: SeSystemtimePrivilege	4676	wmic.exe
Token: SeProfSingleProcessPrivilege	4676	wmic.exe
Token: SeIncBasePriorityPrivilege	4676	wmic.exe
Token: SeCreatePagefilePrivilege	4676	wmic.exe
Token: SeBackupPrivilege	4676	wmic.exe
Token: SeRestorePrivilege	4676	wmic.exe
Token: SeShutdownPrivilege	4676	wmic.exe
Token: SeDebugPrivilege	4676	wmic.exe
Token: SeSystemEnvironmentPrivilege	4676	wmic.exe
Token: SeRemoteShutdownPrivilege	4676	wmic.exe
Token: SeUndockPrivilege	4676	wmic.exe
Token: SeManageVolumePrivilege	4676	wmic.exe
Token: 33	4676	wmic.exe
Token: 34	4676	wmic.exe
Token: 35	4676	wmic.exe
Token: 36	4676	wmic.exe
Token: SeIncreaseQuotaPrivilege	4676	wmic.exe
Token: SeSecurityPrivilege	4676	wmic.exe
Token: SeTakeOwnershipPrivilege	4676	wmic.exe
Token: SeLoadDriverPrivilege	4676	wmic.exe
Token: SeSystemProfilePrivilege	4676	wmic.exe
Token: SeSystemtimePrivilege	4676	wmic.exe
Token: SeProfSingleProcessPrivilege	4676	wmic.exe
Token: SeIncBasePriorityPrivilege	4676	wmic.exe
Token: SeCreatePagefilePrivilege	4676	wmic.exe
Token: SeBackupPrivilege	4676	wmic.exe
Token: SeRestorePrivilege	4676	wmic.exe
Token: SeShutdownPrivilege	4676	wmic.exe
Token: SeDebugPrivilege	4676	wmic.exe
Token: SeSystemEnvironmentPrivilege	4676	wmic.exe
Token: SeRemoteShutdownPrivilege	4676	wmic.exe
Token: SeUndockPrivilege	4676	wmic.exe
Token: SeManageVolumePrivilege	4676	wmic.exe
Token: 33	4676	wmic.exe
Token: 34	4676	wmic.exe
Token: 35	4676	wmic.exe
Token: 36	4676	wmic.exe
Token: SeIncreaseQuotaPrivilege	5024	wmic.exe
Token: SeSecurityPrivilege	5024	wmic.exe
Token: SeTakeOwnershipPrivilege	5024	wmic.exe
Token: SeLoadDriverPrivilege	5024	wmic.exe
Token: SeSystemProfilePrivilege	5024	wmic.exe
Token: SeSystemtimePrivilege	5024	wmic.exe
Token: SeProfSingleProcessPrivilege	5024	wmic.exe
Token: SeIncBasePriorityPrivilege	5024	wmic.exe
Token: SeCreatePagefilePrivilege	5024	wmic.exe
Token: SeBackupPrivilege	5024	wmic.exe
Token: SeRestorePrivilege	5024	wmic.exe
Token: SeShutdownPrivilege	5024	wmic.exe
Token: SeDebugPrivilege	5024	wmic.exe
Token: SeSystemEnvironmentPrivilege	5024	wmic.exe
Token: SeRemoteShutdownPrivilege	5024	wmic.exe
Token: SeUndockPrivilege	5024	wmic.exe
Token: SeManageVolumePrivilege	5024	wmic.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
1244	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 3820	516	msedge.exe	82
PID 516 wrote to memory of 3820	516	msedge.exe	82
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 4864	516	msedge.exe	83
PID 516 wrote to memory of 1700	516	msedge.exe	84
PID 516 wrote to memory of 1700	516	msedge.exe	84
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85
PID 516 wrote to memory of 928	516	msedge.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4344	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://telegra.ph/HOLLOW-06-02-3
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff952c546f8,0x7ff952c54708,0x7ff952c54718
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1184 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,15235053971654583938,6952145744672078112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3712
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\Discord-Nitro-Generator-main\discordsniper.py
  2⤵
  PID:2500

C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\Discord-Nitro-Generator-main\lastloader.exe
"C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\Discord-Nitro-Generator-main\lastloader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\Discord-Nitro-Generator-main\lastloader.exe"
  2⤵
  - Views/modifies file attributes
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\Discord-Nitro-Generator-main\lastloader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3532
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\Discord-Nitro-Generator-main\lastloader.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2876
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4904

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Discord-Nitro-Generator-main\Discord-Nitro-Generator-main\requirements.txt
1⤵
PID:4844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
20KB

MD5
7247e91eedf36d653790d6d0a1c8a4e7

SHA1
88281d63857f377a82426d9ab6963249c37443c7

SHA256
bd6e42e520f77a213daeee8749872b2ef6b220f7864e72c90f78fdb916861e5c

SHA512
7780717bfbb9661b6715f46c89b81e0241d2a7305893ffed317b0ad5ebf57548552b6ad11ce1518f6bf20aa5671bcacb77dbd86f9b484abe4b7dc2071c4c42a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c15e7fd87f8d3bb8ed427ca573c1cec1

SHA1
6de24f3b1dd768750c27fb40cfa001854d97a9d2

SHA256
62dbeb6e167df5c9572e1748bd0dc1d232f7df52279b4c7b427624669330681d

SHA512
f59decbfcf2817c8d4d6c8954c936565571093ac09be0db724aa0615d246b2ee464d43ec26d38ad0b7c3debc638bd31b59d987830c89d5d64648d714acc07843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
f9fc1f412e7688f1c74013b6e77d0ed9

SHA1
b056755ecd239e7c2fb56fe13f5be29756638734

SHA256
b4b57f02bc6a222d105cbd76c3b90012bc21b3732c2411c81d329657954db207

SHA512
0595bbd5c5bcfa996db8ef4864d8dfcd7a2bbbb6e264cdb202fd88bac34cba8235ea61cca7d350f2e09ef0ec9008308322efe318ebccb4845756302d2afd58b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cc318131240806f86002b226f16ce23e

SHA1
78fd48cf9a97787e0826a43d1374ea7c2ac34c23

SHA256
a4c636fdff2f5e9124afc4d9d21531ed9a31a13a8f9223d60f21e0ebea7ed8db

SHA512
95d9d106d7e844fcbfb754858d0e32bdd13972a343f819a70dec0a6b46686fe8f53ce96c33de142331a75b92a634ddf15170f458f905693d0b4b1e3485d008df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
d1106bba38da9359792c308f53bcf3ab

SHA1
dca259daf612d8c98286bcfefeb36e9644145535

SHA256
dcda3c5148612aee7c03e09ae02d0cbf658ae9d7a6c5b2fdd3457f877966df44

SHA512
741f618c88976326bb60310979eca6a1ee0ba16c7a804aa54add4edd585f2e1db59d7ea09a3984140522f407291f35bd83639555504bb30490878389de200e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
25KB

MD5
69e6ae0ded500f79d684f7156c9407de

SHA1
fa94d1452216c1d9bb9378716ab51d70c752a846

SHA256
87ebc267ae9cdb495322c3cf255a899251aec6954ff56dd7acd3a0d6b7882583

SHA512
a2b97154349f034835359480926f971800f90c4cf4172799b39ccf6f966fb76f4852678a14b054d3bb173c6d5aab82a996eeb9f9c002b05fe2ba3a22ed2eed5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
240B

MD5
4aea01b6a81e4d57f6e56b2407bb2550

SHA1
683786a97f1dffda09410c32f1ad5ec096576ab8

SHA256
1af514297aa682665d0a57a29cf7b1e4639e19c043fabc933af643ad71727d0d

SHA512
efbe333f8e6e07c1334e72a67b66a4a9211ba22f35fbde2d70668bf091d805ba9b0875cf07e21e4b74038d3a75f76b6122237d26cb3584643833ac59c26467eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
48e9ff7eaa0824bdfb1cb8810b914ac7

SHA1
ce755f26f7a7e88ab17fb90a046f45f073fdd788

SHA256
d51009111feba9049fd8bb4c709dd9bf71abcad178d1bb9cd864176bcb270207

SHA512
43a4bf6d9bd4d3901db6408be12aab4b4d308d36b7bef1f8736a93410bbca15b5f2fba081852c530db287b8aef6a0c8679b38f3e22c4e2a31fab37433e210769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bb87de72e4d5693b5994ec860f0be943

SHA1
b6689ddf48eaa2e4dc25428c700ce4ad9455857f

SHA256
c02493f48d46a57cba61ba1904fe4c8189542577791a4703778476f26cefaf91

SHA512
f773747b2a2d7b73f5f402362d93298924c3f68877f6e1f5aa04173c67df56e81861a551d90b3c403325ad3c8fd5cfa6c2ea96892722c41b223b203531177184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cefd5d4dc99e5fc0899cf48aeaf56c69

SHA1
c3e1d9e016d1951fbdc8a83eafcae24db28fcd00

SHA256
6957f827ddc0edb8e94aca875fef0013793bc8fca1825821f1181d5f0b947307

SHA512
8370a465de05a2307c79fc8a57f7e716f962feecc676e68ecbd9e5ee40a5771df443f41e973adb7d06755ac758ee6017a9ad62364b3741da317bc4871f9c659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d4b09d6e07fedb8ed44f7925affc2754

SHA1
2fae0d53598882eb3134599b9ea2ba63f5f9af84

SHA256
7b0e46628071d2fb86ed035686b654b56f89b4356fd4d3a03014c250d71d7015

SHA512
6e27304c59538fb018251297c005f1bd41836fa3e0289324cc47eca40491c9e66ff029442c3e8312785adb4501e4917aa9176e64841e4ba268fdb4f058b40193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60fd6d5b2b090ee0c238e48b3c1c1984

SHA1
227a9a7e2f2107fcc87ff5bc771b0017374e063f

SHA256
3e56cf037d9f070aa9d818b9db1816dd6f79728644eb73b441020ddd0e9de228

SHA512
6e8614c9141a644e0ea2f250009a06384ae652498fff6c0b634b7b3bb8d11455fc90feb90f8e86cf2c938f35d129fc0466fa8ab3a0af2c7dae723529f3fb2503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0d4d2a88d9279d94def28c76b37c475b

SHA1
0c2f12e78c67c06b6adcc242049f8bfb79e7e0b8

SHA256
e7da1e40e2d64ccf0eb9a730bfba08d747f5e33092ad1cbd85295fab7d42aec7

SHA512
8c33762d18f9e7012a584cf084824572457d22cffe869a6927ffab82961a664053a6239dc5d2c4deffcf1ed00bc8150121e264cd25162bc344f4f24624c7a10c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0a611f4180b71364d5e37d96c5409ff4

SHA1
36df968615be699910f5c09e0324be09aad8d514

SHA256
601f766a0464a992f848e2cec733ef23c95cf8ea47924bfffafeafec2fe2bc7f

SHA512
bfd92d7ece1c5c41e6321187be5946d929e3328de008cd2d43a08d2ce7c266a90137d8bf7487a969d86de3c3cabdcde0d10c3c806022a18a8af9928a6e53c523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
f2bb2f6f02b3e21548849b93a4ab6233

SHA1
9fc9de7a13ca41553487d1419659681d63c2bcb2

SHA256
01415fc91669be50987d16bfaa47a0ea39fb664b7e4d0b3598c98ac29f01e023

SHA512
b2aa994c9164d85f5944a32167c9c2a19d9e2512ec79628f2e74a90d0e692b941df78a1ab0274a10c035198a61fd0617ebb8237cd16437085da13d98858b7a68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ba8e6d0cb47691b4d0cb2010ca92860d

SHA1
9ce7d5fcc152e13f80016fef4a052667de51688d

SHA256
90f191830ce28ec31433b4a8a1084c73c8761d2e3f9cb7e8a7ee6d27959dac7d

SHA512
815fa186fb5305bda7669f86c39e30a5ec9e6db645d4b30c9ce743444e86819fa8c43ffe04db7cbaf4b4a9727c995c31e6c019a56e29bb3941d8cfae31f5fa14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
78e5595b59b389653e0c13158a7177ee

SHA1
a1f386fa706334d254140d1105c854964ce9d41f

SHA256
33c08b90154f8269ace0192e131710b937548305dec7d68b93d50f6bcbeeb6ca

SHA512
b5e1f9740a7221523878787c73aef9bc3d1abeddddf40a9da34ac567c17536b89afe06fb029447628a9d0d785973edf84b26e9c5da2ae27844ce4cdbbee31ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a78cd743d0ed68242f9b055b07a10f3

SHA1
0e69f9b3b44d44bfb71c8c6194f56f5ad4a018cc

SHA256
90c61bc3898dfe25a65599ca8e6ac80c0915c6dc89871108fc185def677c2600

SHA512
2711a2246c9b5c84c3b957d9375f9c3b9763f9594620175002d3d57c2afd91b060fe9a1a33027a98877941234c5f6320ebd3cd97de7580c1980e6c1abc68da6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
eafeee2e6e65ed4cf43102a29b52bf46

SHA1
2c5ed4a953b2843fdffa55a3f3db6bc7764d635c

SHA256
b0c15ec40ca28a8e58b353821773ed70d7c070667a73f80d4671fd003b80ca34

SHA512
8d7b17db8be13f6c18a2dfcc19a51198862d1fea6a9c4534799aeda18fa1ba30742e57296e08e54c29560933fa094cefbf54c7e13ea568a9153b2a1433f244be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51e6595eb0c322565f64ecc8e90163ae

SHA1
b281afef6bd15d1f23ccb69e18d72fe2f14e5abb

SHA256
cf93e21a68798979ced03b8862f4f33bb0a216c92bf9ed139922c3dec941f6e6

SHA512
05f191a3d1336940219e4b605e7e079f07f9e05d54b1532cf7a3eaee9d610f4d13215ef287a2e5808d887097fe8260762be6fe766ee36cea19f895b43b3e0aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b21672e5f5e03e49459e654cb440df49

SHA1
0c8ce33792c4e9972e13e39aa128f5671027c840

SHA256
de3916dee497d97e5cf050f7387575e87c93260bdefa43ff2cf337a23a6fe52d

SHA512
0e9936052245de719a8db90542da37311d0098368eadcd6fb8ce70383a012d9a5475bd4f59fdabffaaf2e85e9d9ab1692cab6cd274c2490cb1dcb23a70b05d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5e51c7.TMP

Filesize
539B

MD5
5984810d8b07598cd70eed81a473c677

SHA1
8cad170f7c7387e7de55dcec234c7264e2a0f32a

SHA256
a8202bd04f43a746ccbd5a0c65feb565cad0899598287e9b9c868f4e3eef81ae

SHA512
de02239ee860a9a8c1baaa535c3fb559ea620659105e5afff6200b7911c7127cfd996d5970f6507bae4193ce0a8165f8d6fad90199a06f5ec5f1114a784fcba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e7973b3e63339a9fff04cf2ce6ead0f1

SHA1
6e710062376258f751f2c7a79073c7027dc0016f

SHA256
11832725c48ec7209ff3f45d2b4a7db6b2e06893a36faac454dbfa09dbd3ad98

SHA512
143fee743bbbb22dd18332176133d3f1587b65d4e017ef92f5be70ebea0d023adcbde450be2d38ddbe083e02c616b66c7e6332e15d16b71acfaed9c5c26540bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5d28c00f9649fd7ef28ec2f03f44d09c

SHA1
b8df0708ab22bfcfcf162114f0e0742a5973ede6

SHA256
df1d5fb7fcc13ad811a99d62fdcc648e900b43d3ba86bf18c7f0dd69d50da163

SHA512
188cd68dab2dc0628102d588df45c5200556036aa678067dbdb2d558f307d5d95727a4e022d0f9e9696fd407f023bda5bd22651a371e4a9bef8b45fba095f9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
b2f4519b71efd7ca198129fa41da3159

SHA1
d814fb63f2c6ebc94a132888e8208e43de4e567a

SHA256
9a6c5ddd081fcfb2ebaef57399217f13948390b5a3bbbd7cbd9dfb086add2e5f

SHA512
ac4bf34260c5a3d03a71152fc395626ace7b3c0cd63d99accb1dff3a9f6fc70a654d53f4a7d0e5d370eef042cac013688d4fb0209d4619d4c26520c81614973d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
264580e389b66cc25b8877ff6fbc629a

SHA1
104af404d58e0bed467b87a0b56cf421cb73c76b

SHA256
94f3f93a5ad4cc3b5ae421c956c67da853edef6c3dbc9b0e04a86f447885bf81

SHA512
b7c98990ec65f0357cb4baee5e8177b1645d70d23349d6c5d21a6229ec553d0eed01a93a352ee3e8b99c40f14bf2b76e1879c66878abdd4eb853c0eabd015b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvva2ydb.p5c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Discord-Nitro-Generator-main.zip

Filesize
95KB

MD5
4e3f8d26fc3212c1b27c2ea2398ad4ed

SHA1
7947db86702c322444b9aea4cfc8e4487b060328

SHA256
40f2d7e259e296a481821b01f9cbc4e8a9e5d2f75643669c9452afbbbe06558c

SHA512
d2cba9b229b488ead30631c0a5bfc6fbc5264366830fd39428338b37272f6718595d61e32545fd47d96035a602c61f6269c8fe9279838f631051936f7e26806c

Download Submit
memory/4620-728-0x0000022C36E10000-0x0000022C36E32000-memory.dmp

Filesize
136KB

Download
memory/5004-722-0x000002ED2B030000-0x000002ED2B070000-memory.dmp

Filesize
256KB

Download
memory/5004-752-0x000002ED45760000-0x000002ED4577E000-memory.dmp

Filesize
120KB

Download
memory/5004-750-0x000002ED45840000-0x000002ED45890000-memory.dmp

Filesize
320KB

Download
memory/5004-790-0x000002ED456F0000-0x000002ED456FA000-memory.dmp

Filesize
40KB

Download
memory/5004-791-0x000002ED45740000-0x000002ED45752000-memory.dmp

Filesize
72KB

Download
memory/5004-748-0x000002ED457C0000-0x000002ED45836000-memory.dmp

Filesize
472KB

Download