Analysis

  • max time kernel
    223s
  • max time network
    206s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    28/03/2025, 16:24

General

  • Target

    Ember.zip

  • Size

    27.9MB

  • MD5

    2dbde3a13b7f9c8b84d2f186e53876cb

  • SHA1

    b18020197e0e49346566e9e8afd8b22b9898177e

  • SHA256

    fd6caab513f0f6e00c2aa125ec013395495c6e0eb53e9818182f37fa476d7e44

  • SHA512

    1309904a4a8f2fd4346c566d04339b540f1462e5f4b33d7a0cf94a9678b7bc003764f78a2fa78cbef95b12d11a89ff6f48bd47dabff1b801a67d17e18890882d

  • SSDEEP

    393216:KTM+AkKFTI2KF1M0FgVWFCkY1elhrhZGW026+BpQyocPNKNdI91DqRUAdP4KJaO3:xkK9IvC+gaC9ezrhZGWZlcQPNpWRA0ic

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 55 IoCs
  • Loads dropped DLL 2 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Share Discovery 1 TTPs

    Attempts to gather information on the host network.

  • Drops file in Program Files directory 37 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 64 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Ember.zip
    1⤵
      PID:4868
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1216
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\System32\SearchProtocolHost.exe
          "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:4396
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 828 2316 2656 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
          2⤵
          • Modifies data under HKEY_USERS
          PID:1460
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 828 2700 2696 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
          2⤵
          • Modifies data under HKEY_USERS
          PID:4672
      • C:\Users\Admin\Downloads\Ember\certification.exe
        "C:\Users\Admin\Downloads\Ember\certification.exe"
        1⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Users\Admin\AppData\Local\Temp\is-LMFH4.tmp\certification.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-LMFH4.tmp\certification.tmp" /SL5="$4021E,908493,832512,C:\Users\Admin\Downloads\Ember\certification.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3692
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\CA-INSTALL.bat""
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\SysWOW64\mode.com
              mode con lines=42 cols=60
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4724
            • C:\Windows\SysWOW64\regedit.exe
              regedit.exe /s .\CA-INSTALL.reg
              4⤵
              • System Location Discovery: System Language Discovery
              • Runs .reg file with regedit
              PID:896
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\0-Pikachu_Test_CA_RSA.crt -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:3884
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\0-Pikachu_Test_CA_RSA.crt -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:4844
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\0-Pikachu_Test_CA_RSA-G1.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:676
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\0-Pikachu_Test_CA_RSA-G1.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3988
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\0-Pikachu_Test_CA_RSA-G2.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:276
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\0-Pikachu_Test_CA_RSA-G2.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2952
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\2-Pikachu_Time_Sub_CA.crt -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:4520
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\2-Pikachu_Time_Sub_CA.crt -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4228
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\2-Pikachu_Time_Sub_CA-G1.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:3388
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\2-Pikachu_Time_Sub_CA-G1.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1124
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\2-Pikachu_Time_Sub_CA-G2.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:2888
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\2-Pikachu_Time_Sub_CA-G2.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2084
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\3-Pikachu_UEFI_Sub_CA.crt -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:1856
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\3-Pikachu_UEFI_Sub_CA.crt -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1028
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\3-Pikachu_UEFI_Sub_CA-G1.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:3704
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\3-Pikachu_UEFI_Sub_CA-G1.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4000
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\3-Pikachu_UEFI_Sub_CA-G2.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:2744
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\3-Pikachu_UEFI_Sub_CA-G2.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1148
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\4-Pikachu_Code_Sub_CA.crt -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:3148
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\4-Pikachu_Code_Sub_CA.crt -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4988
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\4-Pikachu_Code_Sub_CA-G1.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:4692
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\4-Pikachu_Code_Sub_CA-G1.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3760
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\4-Pikachu_Code_Sub_CA-G2.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:1868
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\4-Pikachu_Code_Sub_CA-G2.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3212
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\5-Pikachu_mTLS_Sub_CA.crt -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:3940
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\5-Pikachu_mTLS_Sub_CA.crt -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1992
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\5-Pikachu_mTLS_Sub_CA-G1.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:5044
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\5-Pikachu_mTLS_Sub_CA-G1.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1936
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\5-Pikachu_mTLS_Sub_CA-G2.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:4688
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\5-Pikachu_mTLS_Sub_CA-G2.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2800
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\6-Pikachu_File_Sub_CA.crt -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:1192
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\6-Pikachu_File_Sub_CA.crt -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:664
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\6-Pikachu_File_Sub_CA-G1.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:4388
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\6-Pikachu_File_Sub_CA-G1.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3328
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\6-Pikachu_File_Sub_CA-G2.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:1096
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\6-Pikachu_File_Sub_CA-G2.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3084
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\7-Pikachu_Mail_Sub_CA.crt -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:1940
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\7-Pikachu_Mail_Sub_CA.crt -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2020
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\7-Pikachu_Mail_Sub_CA-G1.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:2320
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\7-Pikachu_Mail_Sub_CA-G1.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2776
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\7-Pikachu_Mail_Sub_CA-G2.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:5048
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\7-Pikachu_Mail_Sub_CA-G2.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3140
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\8-Pikachu_Sign_Sub_CA.crt -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:4724
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\8-Pikachu_Sign_Sub_CA.crt -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:5008
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\8-Pikachu_Sign_Sub_CA-G1.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:4720
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\8-Pikachu_Sign_Sub_CA-G1.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2148
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\8-Pikachu_Sign_Sub_CA-G2.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:3884
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\8-Pikachu_Sign_Sub_CA-G2.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2388
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\9-Pikachu_Auth_Sub_CA.crt -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:3988
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -add /all .\9-Pikachu_Auth_Sub_CA.crt -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2936
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\9-Pikachu_Auth_Sub_CA-G1.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:2784
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\9-Pikachu_Auth_Sub_CA-G1.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2952
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\9-Pikachu_Auth_Sub_CA-G2.crl -s -r localMachine AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              PID:1216
            • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe
              certmgr.exe -crl -add /all .\9-Pikachu_Auth_Sub_CA-G2.crl -s -r currentUser AuthRoot
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3460
      • C:\Users\Admin\Downloads\Ember\Ember.exe
        "C:\Users\Admin\Downloads\Ember\Ember.exe"
        1⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1144
        • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
          "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Ember.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --mojo-named-platform-channel-pipe=1144.2220.8036945844932584924
          2⤵
          • Drops file in Windows directory
          • Enumerates system info in registry
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          PID:564
          • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
            "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x17c,0x180,0x184,0x158,0x18c,0x7fffdbc5b078,0x7fffdbc5b084,0x7fffdbc5b090
            3⤵
              PID:2576
            • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
              "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView" --webview-exe-name=Ember.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1744,i,7564335366479875852,10946630005906460062,262144 --variations-seed-version --mojo-platform-channel-handle=1740 /prefetch:2
              3⤵
                PID:2596
              • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView" --webview-exe-name=Ember.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --always-read-main-dll --field-trial-handle=2028,i,7564335366479875852,10946630005906460062,262144 --variations-seed-version --mojo-platform-channel-handle=2040 /prefetch:11
                3⤵
                  PID:4864
                • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView" --webview-exe-name=Ember.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --always-read-main-dll --field-trial-handle=2300,i,7564335366479875852,10946630005906460062,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:13
                  3⤵
                    PID:2024
                  • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
                    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView" --webview-exe-name=Ember.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3584,i,7564335366479875852,10946630005906460062,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
                    3⤵
                      PID:2240

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\0-Pikachu_Test_CA_RSA-G1.crl

                  Filesize

                  1KB

                  MD5

                  51f968c58dcd358393ea98de5b0d340e

                  SHA1

                  2d5e59106848aaeddebff983bc2d87d7342e3569

                  SHA256

                  1c83c4b49a985ba87ba0cd1bd0d65db972f1f3ff5c4772744c16a093f7824ec5

                  SHA512

                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\0-Pikachu_Test_CA_RSA-G2.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\0-Pikachu_Test_CA_RSA.crt (3KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\2-Pikachu_Time_Sub_CA-G1.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\2-Pikachu_Time_Sub_CA-G2.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\2-Pikachu_Time_Sub_CA.crt (3KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\3-Pikachu_UEFI_Sub_CA-G1.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\3-Pikachu_UEFI_Sub_CA-G2.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\3-Pikachu_UEFI_Sub_CA.crt (3KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\4-Pikachu_Code_Sub_CA-G1.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\4-Pikachu_Code_Sub_CA-G2.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\4-Pikachu_Code_Sub_CA.crt (3KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\5-Pikachu_mTLS_Sub_CA-G1.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\5-Pikachu_mTLS_Sub_CA-G2.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\5-Pikachu_mTLS_Sub_CA.crt (3KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\6-Pikachu_File_Sub_CA-G1.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\6-Pikachu_File_Sub_CA-G2.crl (1KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\6-Pikachu_File_Sub_CA.crt (3KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\7-Pikachu_Mail_Sub_CA.crt (3KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\CA-INSTALL.bat (5KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\CA-INSTALL.reg (39KB)
                • C:\Program Files (x86)\Pikacu Test CA Truster\Scripts\Certmgr.exe (79KB)
                • C:\Users\Admin\AppData\Local\PeppermintInterface\Ember.exe_Url_qydckjnz1xvvzjmc0xrkf1ljl4t1ildf\1.0.0.0\cndxh33t.newcfg (459B)
                • C:\Users\Admin\AppData\Local\PeppermintInterface\Ember.exe_Url_qydckjnz1xvvzjmc0xrkf1ljl4t1ildf\1.0.0.0\user.config (337B)
                • C:\Users\Admin\AppData\Local\Temp\is-2Q916.tmp\_isetup\_isdecmp.dll (28KB)
                • C:\Users\Admin\AppData\Local\Temp\is-LMFH4.tmp\certification.tmp (3.1MB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Crashpad\settings.dat (280B)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_0 (8KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_1 (264KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2 (8KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_3 (8KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Default\Extension Rules\MANIFEST-000001 (41B)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports (2B)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Default\Preferences (6KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Default\Sync Data\LevelDB\CURRENT (16B)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Local State (16KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Local State (16KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Local State (1KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Local State (2KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Local State (3KB)
                • C:\Users\Admin\Downloads\Ember\Ember.exe.WebView2\EBWebView\Local State~RFe5a74a5.TMP (1KB)
