umbral | hxxps://github[.]com/hummids/duper/blob/main/mm2%20duper[.]exe

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/hummids/duper/blob/main/mm2%20duper.exe

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234de-173.dat	family_umbral
behavioral1/memory/1916-220-0x00000257CFD40000-0x00000257CFD80000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5184	powershell.exe
5928	powershell.exe
5352	powershell.exe
5596	powershell.exe
5172	powershell.exe
556	powershell.exe
5236	powershell.exe
5644	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	mm2 duper.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	mm2 duper.exe

Executes dropped EXE 8 IoCs

pid	Process
1916	mm2 duper.exe
6120	mm2 duper.exe
5472	mm2 duper.exe
5516	mm2 duper.exe
5376	mm2 duper.exe
5712	mm2 duper.exe
5640	mm2 duper.exe
5880	mm2 duper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	raw.githubusercontent.com
55	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	ip-api.com
81	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5448	PING.EXE
5496	cmd.exe
5552	PING.EXE
5452	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5184	wmic.exe
5324	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 612041.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ERUOF.scr\:SmartScreen:$DATA	mm2 duper.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\sX76b.scr\:SmartScreen:$DATA	mm2 duper.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5552	PING.EXE
5448	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe
1688	msedge.exe
1688	msedge.exe
1908	identity_helper.exe
1908	identity_helper.exe
2412	msedge.exe
2412	msedge.exe
1916	mm2 duper.exe
1916	mm2 duper.exe
5184	powershell.exe
5184	powershell.exe
5184	powershell.exe
5352	powershell.exe
5352	powershell.exe
5352	powershell.exe
5596	powershell.exe
5596	powershell.exe
5596	powershell.exe
5792	powershell.exe
5792	powershell.exe
5792	powershell.exe
5172	powershell.exe
5172	powershell.exe
5172	powershell.exe
5712	mm2 duper.exe
5712	mm2 duper.exe
5928	powershell.exe
5928	powershell.exe
5928	powershell.exe
556	powershell.exe
556	powershell.exe
556	powershell.exe
5236	powershell.exe
5236	powershell.exe
5236	powershell.exe
5464	powershell.exe
5464	powershell.exe
5464	powershell.exe
5644	powershell.exe
5644	powershell.exe
5644	powershell.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	mm2 duper.exe
Token: SeIncreaseQuotaPrivilege	2108	wmic.exe
Token: SeSecurityPrivilege	2108	wmic.exe
Token: SeTakeOwnershipPrivilege	2108	wmic.exe
Token: SeLoadDriverPrivilege	2108	wmic.exe
Token: SeSystemProfilePrivilege	2108	wmic.exe
Token: SeSystemtimePrivilege	2108	wmic.exe
Token: SeProfSingleProcessPrivilege	2108	wmic.exe
Token: SeIncBasePriorityPrivilege	2108	wmic.exe
Token: SeCreatePagefilePrivilege	2108	wmic.exe
Token: SeBackupPrivilege	2108	wmic.exe
Token: SeRestorePrivilege	2108	wmic.exe
Token: SeShutdownPrivilege	2108	wmic.exe
Token: SeDebugPrivilege	2108	wmic.exe
Token: SeSystemEnvironmentPrivilege	2108	wmic.exe
Token: SeRemoteShutdownPrivilege	2108	wmic.exe
Token: SeUndockPrivilege	2108	wmic.exe
Token: SeManageVolumePrivilege	2108	wmic.exe
Token: 33	2108	wmic.exe
Token: 34	2108	wmic.exe
Token: 35	2108	wmic.exe
Token: 36	2108	wmic.exe
Token: SeIncreaseQuotaPrivilege	2108	wmic.exe
Token: SeSecurityPrivilege	2108	wmic.exe
Token: SeTakeOwnershipPrivilege	2108	wmic.exe
Token: SeLoadDriverPrivilege	2108	wmic.exe
Token: SeSystemProfilePrivilege	2108	wmic.exe
Token: SeSystemtimePrivilege	2108	wmic.exe
Token: SeProfSingleProcessPrivilege	2108	wmic.exe
Token: SeIncBasePriorityPrivilege	2108	wmic.exe
Token: SeCreatePagefilePrivilege	2108	wmic.exe
Token: SeBackupPrivilege	2108	wmic.exe
Token: SeRestorePrivilege	2108	wmic.exe
Token: SeShutdownPrivilege	2108	wmic.exe
Token: SeDebugPrivilege	2108	wmic.exe
Token: SeSystemEnvironmentPrivilege	2108	wmic.exe
Token: SeRemoteShutdownPrivilege	2108	wmic.exe
Token: SeUndockPrivilege	2108	wmic.exe
Token: SeManageVolumePrivilege	2108	wmic.exe
Token: 33	2108	wmic.exe
Token: 34	2108	wmic.exe
Token: 35	2108	wmic.exe
Token: 36	2108	wmic.exe
Token: SeDebugPrivilege	5184	powershell.exe
Token: SeDebugPrivilege	5352	powershell.exe
Token: SeDebugPrivilege	5596	powershell.exe
Token: SeDebugPrivilege	5792	powershell.exe
Token: SeIncreaseQuotaPrivilege	5972	wmic.exe
Token: SeSecurityPrivilege	5972	wmic.exe
Token: SeTakeOwnershipPrivilege	5972	wmic.exe
Token: SeLoadDriverPrivilege	5972	wmic.exe
Token: SeSystemProfilePrivilege	5972	wmic.exe
Token: SeSystemtimePrivilege	5972	wmic.exe
Token: SeProfSingleProcessPrivilege	5972	wmic.exe
Token: SeIncBasePriorityPrivilege	5972	wmic.exe
Token: SeCreatePagefilePrivilege	5972	wmic.exe
Token: SeBackupPrivilege	5972	wmic.exe
Token: SeRestorePrivilege	5972	wmic.exe
Token: SeShutdownPrivilege	5972	wmic.exe
Token: SeDebugPrivilege	5972	wmic.exe
Token: SeSystemEnvironmentPrivilege	5972	wmic.exe
Token: SeRemoteShutdownPrivilege	5972	wmic.exe
Token: SeUndockPrivilege	5972	wmic.exe
Token: SeManageVolumePrivilege	5972	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe
5800	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1432	1688	msedge.exe	84
PID 1688 wrote to memory of 1432	1688	msedge.exe	84
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3948	1688	msedge.exe	85
PID 1688 wrote to memory of 3616	1688	msedge.exe	86
PID 1688 wrote to memory of 3616	1688	msedge.exe	86
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87
PID 1688 wrote to memory of 3584	1688	msedge.exe	87

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5136	attrib.exe
5852	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/hummids/duper/blob/main/mm2%20duper.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff807f246f8,0x7ff807f24708,0x7ff807f24718
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Users\Admin\Downloads\mm2 duper.exe
  "C:\Users\Admin\Downloads\mm2 duper.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\mm2 duper.exe"
    3⤵
    - Views/modifies file attributes
    PID:5136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\mm2 duper.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5792
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5972
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:6064
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5172
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5184
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\mm2 duper.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5496
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5552
- C:\Users\Admin\Downloads\mm2 duper.exe
  "C:\Users\Admin\Downloads\mm2 duper.exe"
  2⤵
  - Executes dropped EXE
  PID:6120
- C:\Users\Admin\Downloads\mm2 duper.exe
  "C:\Users\Admin\Downloads\mm2 duper.exe"
  2⤵
  - Executes dropped EXE
  PID:5472
- C:\Users\Admin\Downloads\mm2 duper.exe
  "C:\Users\Admin\Downloads\mm2 duper.exe"
  2⤵
  - Executes dropped EXE
  PID:5516
- C:\Users\Admin\Downloads\mm2 duper.exe
  "C:\Users\Admin\Downloads\mm2 duper.exe"
  2⤵
  - Executes dropped EXE
  PID:5376
- C:\Users\Admin\Downloads\mm2 duper.exe
  "C:\Users\Admin\Downloads\mm2 duper.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5712
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5616
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\mm2 duper.exe"
    3⤵
    - Views/modifies file attributes
    PID:5852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\mm2 duper.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5464
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:6000
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:6016
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5644
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5324
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\mm2 duper.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5452
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5448
- C:\Users\Admin\Downloads\mm2 duper.exe
  "C:\Users\Admin\Downloads\mm2 duper.exe"
  2⤵
  - Executes dropped EXE
  PID:5640
- C:\Users\Admin\Downloads\mm2 duper.exe
  "C:\Users\Admin\Downloads\mm2 duper.exe"
  2⤵
  - Executes dropped EXE
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,8749553006951986977,16703421144536812751,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2
  2⤵
  PID:2684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5568

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5800

C:\Windows\System32\0zy1bv.exe
"C:\Windows\System32\0zy1bv.exe"
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mm2 duper.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
59a0ebf9df3b17e1122d59a00c2c905f

SHA1
41917ee81ee426908935814749cae5f55bb7ee68

SHA256
8568a4a015e92709f9dad6d82469682c609322b38d4bb32b498c01d04364a645

SHA512
37e3903358c1f5eaa6056c307b5ad86146bfcba164d6d1519186cae65f1663eef6d4b6728c800ddf8300a707097ddac717ee1cbb1941c5355315c88cf40ac79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
f03b4e00d9bc89ba6791d356e0f82c7a

SHA1
ee1629aa1962dba8de1396dad6f9a043ec74340a

SHA256
66062fe1718bc56dd10a253452733c485d0b4f536dfa5d2667a855871d4b92df

SHA512
c9626ff2980e140717e7e6d627147401f883ab7ef8e0b4aaced82f8b03136069668bfd69c6988025ae4776ef65ad5b1774050294dd64fba17c27459905d6a74c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
15KB

MD5
3be27eb1a8f16c2eca2bcd44d321f2b3

SHA1
03482dc29deb6d87e4790c429b15282c6230aa15

SHA256
f9d4b93f494ff1b75b6f321f5e209cbb390d65f025084ac3b232b0da74fb5159

SHA512
994c26cdab8358344912e7ffe489aee8a18ffa58007a5dc05e1dc6d05678d558ad8fed36827a783742bb6cf0e2199c0d14fff1808d32d5d78ec42baa180d1484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b39b5a125bca0e8ee37faf430a99a6c

SHA1
23ef36cfab5b8ae43a3850b46b358159f9829373

SHA256
14d8c372ea075c0d399683cd7c045c7f52cf20d3720183ea770ad4c1cf16722d

SHA512
071b67e39ac576c202c527132911b64be9e8500acccd4f8f9f5cf70c42515c86c268d0116a70b3bb7d58c776d3bfdf0082dceea83cd2cc21d39ae727236668cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
24d83c8cdb65c6e20f6ddb6e40c7c678

SHA1
490ea61154fdd7cbb70d89826805a54917cd44e2

SHA256
0d1b6b4973bd7fa2566163f57f8ff241d34cb3d1370aa2511c69b48a62dad89b

SHA512
821ab4996b8b4cfea4e5ff6df519ccbcef155fa97cde00d7c1d5127b8230f2bc4422fab068ce71bdf74ef4251e6b36a43304639d626e0733ee9c82da2776dcd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42509c5cfeb3476d1c6a8f6497a56610

SHA1
9f9471c8a5e197cb8d148cb278619d36b301fc5c

SHA256
4d1caeb5d173b12265b44abccc71f582a185886cd3d2f5e84bc52f7a1186dab2

SHA512
b0f1d485f7ec3e94aa77014ba104bf8fac6f4c890b37ca1b3a7a863073234865534d4d5b399ccad607d06c5bfa31505820a172e027c05ff5ee556e85e262a360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
259391c341831833aa77bd49c5c626e7

SHA1
031b8ed0992b99c3ca3df46efc08df9b89cc4070

SHA256
9738a8ad8a4e6755a7dd34674933f0d72b873314f1cda93ba220d8086a4fb43b

SHA512
944478aa77b1ef7a7688d633cee9eca4e84ebee421bf4910c7cd8fcae3e77d5dfa327016d1452d4253bf9a6957d8b525b8e7fd6caac289330225a66519958afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bb787ca22d1be892e0129d46077d138a

SHA1
0c4e2a8b835f4e518f7103cb611e79fe5356919d

SHA256
8c3b8224923fa2793e90678a3329e05afea7ec3e3ddc6bc7b25feb21de7612d4

SHA512
461497747a3db254aa8006935b0ab0751585d5e944b93fd821b77e24bd00eb20d9b26fe9b5fe0721b79b2aa90592b3e5aee16d18a61bf27961d4b668c78ebad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5c8b79c8c956cdc967bde01673c3ac35

SHA1
32e809d6483b36b9157872d178f59563886ca484

SHA256
d17411a2828f85b9ad4dc1cc0af25e798bd05b529091cc67eec5138d3e8b2877

SHA512
23788dda033449c43fda611d7fee3b1dc15eeff48686c9168829f8e74de0856db9d556f851055fe386ad06805ef47c1b13df517bfc87b08f0c23ea67f2bdbeaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5806c1.TMP

Filesize
1KB

MD5
c45ce92df721ae8cc62dcfb0333000f8

SHA1
862ada2d4605fb85a8df97d40a0762c292684460

SHA256
f631ae96f0686e7b730748d7b2e39a36b086ee2660e8c0ca3189679ebe984f15

SHA512
3dd2ae1290b76662b2e2f3e7aa7cb6410bc4365fccae60c90b1b20c74e10d00ae2f3dd85bb16a41706f98aec9fdfbc6e3d6e0fc26b9f1e76ed9c6a6036ebb15d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e0edc20e1b8dd17cf303ddad108e6bf

SHA1
07c9bad97410cd2629ae67484e79b903d28fe685

SHA256
14550441fdafbcc0e2e0db637f892ab63bba800d2b194a49b24ecf56c0ceaa2c

SHA512
c4c3947534b89c9b93478e7f2e5909c1b91e748072d6773c28b6b09e7c9e83bfabb2512859dc6dd084a929a668a355b6b267eddf977fde070029ca59d7aa607e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b24dec2bc430df7e3fcc3e159f64510b

SHA1
ce8dc9b14e5a0e530396b5592dcd701042438cd1

SHA256
1cf860b0d4ef3ededeb725836e38480b0a700695b43b8c41fcb819ff3dd4ca47

SHA512
0b1e3d19be44078dcbeaa839de623bef735793d7e711600a795cbe8af7791ec18e29e481eafdd87a59a7ec7247a4b0cf9df9e0e25bc83d5127e12fc2cc57efec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aee9fe09c95b1117bca46840fabcc789

SHA1
92844312a7ae1d1ce60dd0c22e250dc58caac0b1

SHA256
8d84fa0f39d59489884d9336603a38123db1646b4e8cef2440e481a65faffaeb

SHA512
69615176a960c850e325f73cb211b9eeea6dc7bfb646459e0196fb252dd011010afd3f24ec001f331882268aaba6c65507c38ca074c5ff4961df4119675bf838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2b709a226f1fed20f57e89e62de5d77a

SHA1
a9b88347798d9c627b91cb96756641c514d97bf1

SHA256
3e53970e4c3bda1a157b9ab63136f9555522077111f45594521e4f1cdbd07da8

SHA512
d8ee4f218cf89f6cfb8ae501e45928a2beb75cc8b0a97b38d773baf31440a4cf4e40abb9798afe4cb747d9a63406967e8cc296a4a94d0b680e6093226cd68a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\df72a042-2eb3-4a17-aad7-4bbcb3f4b359.tmp

Filesize
11KB

MD5
00e8b23e74578361aec8507d56ad5188

SHA1
9f2c408844762f14eeb9c512939564e4ba6de2af

SHA256
8a290eb9ca94d92869bfe431d8aa80c4c14d286ee2cc7e3ebc1aaef71a102c8b

SHA512
a7d332b6021204fa984655e50eb6434af0a1ce72a591820c0f9e6db2780dfd2ff0de3ef5fd5f7e38602d17ca6935bf15c286ca98c3c2d9fe07f8909188f9d9b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
731e9e4becec0b1ef9caad4b3562d4b4

SHA1
6dffb77aba4e92ad5bd4b7c02fdee6f328bcd457

SHA256
71c7eca538938fa4d5b470fee41cfe43734e9beb9ae409d5b41111fa1a15c2d5

SHA512
841cf559ae5b0feec4be43018717641399b3602a553112e98b07d498f1a44169924466abc7e2313b8e8cf1c0fdc1bb7635e2818aab8269b0ef349a0ba0cd6ae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45ad40f012b09e141955482368549640

SHA1
3f9cd15875c1e397c3b2b5592805577ae88a96cb

SHA256
ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce

SHA512
3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b5a76a6e2bc78cd86d6849d94c682311

SHA1
cbbc7663b34e391cb96afee4e064efc3907b1bf3

SHA256
34aecb7edadd0e678423c974770637faf46332b378125e612a318c760d17ad37

SHA512
b946e1cccb3dc95bcb892c5fa302fb4d8f82a603a79bc317188fb9d7b2931301a1e62a55e041b59b9a22b3e9721505724b7add00166914f4989f0890fa5a0eee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
04dba2e0763acb9b83dcb94ca0f4c2bd

SHA1
626394aea6be984d4817a88a591fea246bf4a362

SHA256
6590267fae391a722c4b8c759c88d9e694daac163148aad7e69faebe045b75e5

SHA512
1f0dff8f0a7d51ba949d994a6194eeb6d376da60769c0ea99d13c39242327a6bb5d4241b890ff0d29b17e39243b4ba1d9aa00ca952c54bbf13ea2abd95d1eb12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7511c81925750deb7ad1b9b80eea8a8d

SHA1
6ea759b3cbd243ae11435c6d6c5ced185eb01f49

SHA256
5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa

SHA512
5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gynyxirx.su2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 612041.crdownload

Filesize
229KB

MD5
65536dc4bcafc3ee3c1dcf7ed64c12df

SHA1
e1ca248ae2ef47a6b89ad6fb155f4d5ec3674e9c

SHA256
98e7e144b7bc45bd52601d093b1e447cf486bf2e8cd2ba84e8325e2d7b269662

SHA512
25f5043750e42d312b879dcb1b37bc4621790f7402befa21578818c8de6020f1983a984bde79eeaca60b3cd12654fe2dae6e728826e0c4da3794be3519d3bcc2

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1916-298-0x00000257EA400000-0x00000257EA40A000-memory.dmp

Filesize
40KB

Download
memory/1916-262-0x00000257EA550000-0x00000257EA56E000-memory.dmp

Filesize
120KB

Download
memory/1916-260-0x00000257EA4F0000-0x00000257EA540000-memory.dmp

Filesize
320KB

Download
memory/1916-258-0x00000257EA470000-0x00000257EA4E6000-memory.dmp

Filesize
472KB

Download
memory/1916-220-0x00000257CFD40000-0x00000257CFD80000-memory.dmp

Filesize
256KB

Download
memory/1916-299-0x00000257EA430000-0x00000257EA442000-memory.dmp

Filesize
72KB

Download
memory/5184-230-0x000001897F420000-0x000001897F442000-memory.dmp

Filesize
136KB

Download
memory/5800-454-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download
memory/5800-459-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download
memory/5800-458-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download
memory/5800-457-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download
memory/5800-456-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download
memory/5800-455-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download
memory/5800-460-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download
memory/5800-449-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download
memory/5800-450-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download
memory/5800-448-0x000002BD720F0000-0x000002BD720F1000-memory.dmp

Filesize
4KB

Download