lumma | hxxps://urlgoal[.]com/2zKKfe

Analysis

max time kernel
123s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://urlgoal.com/2zKKfe

Score

10^/10

lumma discovery phishing stealer

Malware Config

Extracted

Family

lumma

https://rubyfalls.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

docsity bypass.exedocsity bypass.exedocsity bypass.exedocsity bypass.exedocsity bypass.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	docsity bypass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	docsity bypass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	docsity bypass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	docsity bypass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	docsity bypass.exe

Executes dropped EXE 9 IoCs

Processes:

docsity bypass.exeMinority.comdocsity bypass.exedocsity bypass.exedocsity bypass.exeMinority.comdocsity bypass.exeMinority.comMinority.com

pid	Process
540	docsity bypass.exe
2712	Minority.com
4472	docsity bypass.exe
4744	docsity bypass.exe
2680	docsity bypass.exe
2200	Minority.com
3096	docsity bypass.exe
2276	Minority.com
4804	Minority.com

Enumerates processes with tasklist 1 TTPs 8 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
1696	tasklist.exe
468	tasklist.exe
2028	tasklist.exe
1696	tasklist.exe
4632	tasklist.exe
5024	tasklist.exe
3676	tasklist.exe
1228	tasklist.exe

Drops file in Windows directory 15 IoCs

Processes:

docsity bypass.exedocsity bypass.exedocsity bypass.exedocsity bypass.exedocsity bypass.exe

description	ioc	Process
File opened for modification	C:\Windows\RidingMarked	docsity bypass.exe
File opened for modification	C:\Windows\DrawsDebian	docsity bypass.exe
File opened for modification	C:\Windows\KillerArrived	docsity bypass.exe
File opened for modification	C:\Windows\DrawsDebian	docsity bypass.exe
File opened for modification	C:\Windows\RidingMarked	docsity bypass.exe
File opened for modification	C:\Windows\DrawsDebian	docsity bypass.exe
File opened for modification	C:\Windows\DrawsDebian	docsity bypass.exe
File opened for modification	C:\Windows\RidingMarked	docsity bypass.exe
File opened for modification	C:\Windows\KillerArrived	docsity bypass.exe
File opened for modification	C:\Windows\KillerArrived	docsity bypass.exe
File opened for modification	C:\Windows\RidingMarked	docsity bypass.exe
File opened for modification	C:\Windows\KillerArrived	docsity bypass.exe
File opened for modification	C:\Windows\DrawsDebian	docsity bypass.exe
File opened for modification	C:\Windows\KillerArrived	docsity bypass.exe
File opened for modification	C:\Windows\RidingMarked	docsity bypass.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exetasklist.execmd.exedocsity bypass.execmd.exeMinority.comcmd.exefindstr.exefindstr.exefindstr.execmd.exefindstr.exefindstr.exeMinority.comcmd.exedocsity bypass.exefindstr.exefindstr.exetasklist.execmd.exefindstr.execmd.exechoice.exedocsity bypass.exeMinority.comtasklist.exechoice.exedocsity bypass.execmd.exetasklist.execmd.exechoice.exetasklist.exetasklist.execmd.exetasklist.exedocsity bypass.exetasklist.execmd.exechoice.exeMinority.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	docsity bypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minority.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minority.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	docsity bypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	docsity bypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minority.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	docsity bypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	docsity bypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minority.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeMinority.comMinority.comMinority.comMinority.com

pid	Process
2144	msedge.exe
2144	msedge.exe
2116	msedge.exe
2116	msedge.exe
5092	identity_helper.exe
5092	identity_helper.exe
4896	msedge.exe
4896	msedge.exe
2712	Minority.com
2712	Minority.com
2712	Minority.com
2712	Minority.com
2712	Minority.com
2712	Minority.com
2200	Minority.com
2200	Minority.com
2200	Minority.com
2200	Minority.com
2200	Minority.com
2200	Minority.com
2276	Minority.com
2276	Minority.com
2276	Minority.com
2276	Minority.com
2276	Minority.com
2276	Minority.com
4804	Minority.com
4804	Minority.com
4804	Minority.com
4804	Minority.com
4804	Minority.com
4804	Minority.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid	Process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7zG.exe7zG.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	Process
Token: SeRestorePrivilege	1228	7zG.exe
Token: 35	1228	7zG.exe
Token: SeSecurityPrivilege	1228	7zG.exe
Token: SeSecurityPrivilege	1228	7zG.exe
Token: SeRestorePrivilege	1880	7zG.exe
Token: 35	1880	7zG.exe
Token: SeSecurityPrivilege	1880	7zG.exe
Token: SeSecurityPrivilege	1880	7zG.exe
Token: SeDebugPrivilege	1696	tasklist.exe
Token: SeDebugPrivilege	4632	tasklist.exe
Token: SeDebugPrivilege	5024	tasklist.exe
Token: SeDebugPrivilege	3676	tasklist.exe
Token: SeDebugPrivilege	1228	tasklist.exe
Token: SeDebugPrivilege	1696	tasklist.exe
Token: SeDebugPrivilege	468	tasklist.exe
Token: SeDebugPrivilege	2028	tasklist.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

msedge.exe7zG.exe7zG.exeMinority.comMinority.comMinority.comMinority.com

pid	Process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
1228	7zG.exe
1880	7zG.exe
2712	Minority.com
2712	Minority.com
2712	Minority.com
2200	Minority.com
2200	Minority.com
2200	Minority.com
2116	msedge.exe
2276	Minority.com
2276	Minority.com
2276	Minority.com
4804	Minority.com
4804	Minority.com
4804	Minority.com

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

msedge.exeMinority.comMinority.comMinority.comMinority.com

pid	Process
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2712	Minority.com
2712	Minority.com
2712	Minority.com
2200	Minority.com
2200	Minority.com
2200	Minority.com
2276	Minority.com
2276	Minority.com
2276	Minority.com
4804	Minority.com
4804	Minority.com
4804	Minority.com

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid	Process
2168	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 2116 wrote to memory of 436	2116	msedge.exe	83
PID 2116 wrote to memory of 436	2116	msedge.exe	83
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2788	2116	msedge.exe	84
PID 2116 wrote to memory of 2144	2116	msedge.exe	85
PID 2116 wrote to memory of 2144	2116	msedge.exe	85
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86
PID 2116 wrote to memory of 3212	2116	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://urlgoal.com/2zKKfe
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff276546f8,0x7fff27654708,0x7fff27654718
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,10699366992165190310,509938178402889415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2248

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\docsity bypass\" -ad -an -ai#7zMap11369:88:7zEvent21277
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1228

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\docsity bypass\docsity bypass\" -ad -an -ai#7zMap21510:118:7zEvent25257
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1880

C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe
"C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Casey Casey.cmd && Casey.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1304
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1124
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 831338
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Objects + ..\Object + ..\Pricing + ..\Una + ..\Blue + ..\Pray + ..\Mae B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4656
- - C:\Users\Admin\AppData\Local\Temp\831338\Minority.com
    Minority.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2712
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540

C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe
"C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Casey Casey.cmd && Casey.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4548
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:916
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 831338
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Objects + ..\Object + ..\Pricing + ..\Una + ..\Blue + ..\Pray + ..\Mae B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\831338\Minority.com
    Minority.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2200
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:916

C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe
"C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Casey Casey.cmd && Casey.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4988

C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe
"C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Casey Casey.cmd && Casey.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 831338
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Objects + ..\Object + ..\Pricing + ..\Una + ..\Blue + ..\Pray + ..\Mae B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3676
- - C:\Users\Admin\AppData\Local\Temp\831338\Minority.com
    Minority.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2276
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3652

C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe
"C:\Users\Admin\Downloads\docsity bypass\docsity bypass\docsity bypass.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Casey Casey.cmd && Casey.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3644
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4132
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 831338
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Objects + ..\Object + ..\Pricing + ..\Una + ..\Blue + ..\Pray + ..\Mae B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\831338\Minority.com
    Minority.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4804
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
b1fcd90d1f863d52a850ed4d0387dc9f

SHA1
968098bb294515177dcf432881be123af3323c07

SHA256
9c50ec24c581b7e746cd575e05dc03a5c5a6b6afd400c301f1e4041e800ba54f

SHA512
0755a61d2f2dab9a7a91785548719611a67eebd05ce3201389e7d9f856f199d6be4ec8afd71977770bf816839addf30abc9f54e89fa17e0b67085b77b9a3a31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
620B

MD5
8f0ede6af615348deb7bcf84635acf39

SHA1
53213825d160c3236d2edd3764e9bf52440a4b56

SHA256
841da0f2513efcd46da974cb90a2821ac51f18df8f5bcc0c1fbeb74223ef920d

SHA512
35bb2b6be182caeb025e839d3ec578739ff6a5cb884eb5e05e3adfdb9b14ec0b15c98d7385fc782bd93fe2a576a9de890da39a312ce39f4d54f25fe469334078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb8bab1907062434a62b157534062bef

SHA1
eac3b89b0b951e420eca0f85543894cecff73b31

SHA256
c143eabf024299f845339afc619823c0d6a0d3b086972b6b1d9a8983c15d1106

SHA512
c2a56e27c51ede024cfc4bcdd923350eb53c7093c3a9c78a9cfbe47fbe1b8d3ef8b99df39bb3c9607a225d395fa27c361114ae25b108781d6d3e823e3598bba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc4816170b1de003bf782c3703768d1d

SHA1
8e856f3aae57431bbf36d36297c01280cbb61c93

SHA256
c8997fd48cb181174304d65123ce50e25956a3d2f00a48091e11258fe7d471d8

SHA512
c308eeb70a5324a7a5fe0c6ad89961c106b9fcbfdce841c0310067b7c942c7173061465a7339866eb22c7cd54a32b06d8d49f6bb5cdfaf5b34fc028c839f1d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b507127d6bacd22450a702e83d1ac42f

SHA1
7169b93cd9203d9b4fc434066481134433f261d3

SHA256
2ea674ab5e8ec40111223cb6143da7b48b721991810926446d61a3114d569702

SHA512
c105668801e9e3bb2e79c6070b6c685bbd96907bcbda08bb9adb06933143642b19667ef8f95417ab675f05725280fad519dbc605bcb246f0e2ab112f33876b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b61e3b536d1666cc775b476a9761a715

SHA1
4438f8a522090741bbe36f80394ceabbea76f1ab

SHA256
9cc9288d6c7c9476e2d84ef2c6f4f429ca27503f9d91e2769b2c04433e016248

SHA512
84b87cf55cfb25ab5a5fd61459f37496bb901d77bc7d734064437a4e59cd1167171b0a11b0bd5cc02dda9c1c8a16147a6d5b1c82ae2e78b6ad30d4ffcd86ff5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c62974ae1d24a953b76305279b5fc3ca

SHA1
81cdb30a8a0644137275e2448f71386d20d160ab

SHA256
4c2207d708033863b9fddc9dce269a4809a480821a5b9580cc71e295f9251c2f

SHA512
5ae5132da3208acf38e38c6a489d7c92a2c9f7105c6475db3667c169d10c8e3b4404f7d3800fb0645954b11a79b8f7eb8ba0dba7e7c73c977ec1c594e08edff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b40675c88b42c939f69d200b841d84f

SHA1
4c334d7ff8b95dd936b665139415277cc35dbc98

SHA256
cb5f47a65903efba703bf1a3f03f8bf425f4f3b67186705ecd772ce06a544443

SHA512
0c0942da44c095e0287ea0c5e8d7409444a45a1d2ea2adac14def8062828689beed5b846b2e3d172a33b5b0c45abb767c3df1298eb6d35ef2f9a33e46a73e44b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1b72f86ff3d1e46d776c487a1b8ee9a6

SHA1
0e8406afc5f1a8f3888845ef5173d3f5d28955d2

SHA256
d7bf7fe4833203d8f5510a8809d50fd7f553b40badd903d9f00f0bbd7bbef2b1

SHA512
b3b3773f99a2dcd169679b287e7d31f576eb54713724c0eac5e02248bd31d480345c333a63d8fa5cb913d3f9214065e0b23461b33e8fd3c9b1c142f271b5de4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7aeeae5fb4cf3add8354f5b6c36c353f

SHA1
52757d36249873fc118b22dec341869d7ff44682

SHA256
5fe3f9615748e933b647e125229799371aed267a2e1d343d8062cd1e7d60a8ae

SHA512
3ca34ef375f1da2fe5cb275f8f33e1f7b4a47fef1e763a821fe87d60457e57870819abf47b471ac8bedb8620acb2429b47a480b2d1882ba3ffb75940246705b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\831338\B

Filesize
478KB

MD5
e2d50d9742d63d66bd21d41aa2e3e9a6

SHA1
1d0920896dc254566f52af00e5748862584a7fda

SHA256
e85c3fdbeff27901855105510a4b32e65d668d1badd55685d35385cc7851a1fa

SHA512
6a24a6099fbd4d212e1dc129d3772c72632c3db4e042931184be226dc5c880dca7c77a28653bda55ca3b1f2aa78c6cde4e6fb01b878042b16454272ecf794491

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blue

Filesize
84KB

MD5
ed4b130482b86b0d50d011594611d470

SHA1
23289b4672c2d5c05e85a8b6115656c5571c3e79

SHA256
e0d2e3a3e24e615fb76caf6702d364c703b864d8709f4d491c9ea57397132ae5

SHA512
f485cb3f424c069fade51393e15b94df0fb8168c2de65a617f1cac8c4487065576499bf11d18c22215278b68039c60e4939d41582b1b831c475a16d15501c548

Download Submit
C:\Users\Admin\AppData\Local\Temp\C

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Casey

Filesize
11KB

MD5
9042692819c7573dcbfd14e9edefc6a5

SHA1
813f4236c640d816698f16d7990ba76286765e94

SHA256
3084726c84c0b65fdbb67d837176df071ea2d8202c96a0f4cedb152be94e2e65

SHA512
e50543bcb8668974e22b9ad45865f7ac56732dbd46055eeced04e0a3a8d345a98083a1a68522ec9feb8e86453c90f87fb338908f7fb07887e7331213227691cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mae

Filesize
39KB

MD5
f09450da2bb8274d252d21c5628ca212

SHA1
2365ba3373568d2eee8f219bb4ee56485bdf76cb

SHA256
1cec80dba3958acbdcd90de63a5ab806c750161c28d1c331a992a7b14dbb849c

SHA512
704dbc23d1d7fb19b3e8fc68ded9ac991acc4484b941e0275acf139d4c24a24fb2efe37dca522dc58809c2bc4edd2cae852f9161fe36e132e1d1dd417d075afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mae

Filesize
31KB

MD5
b10dc870578ea55cd1c33fd7f3334c5c

SHA1
179430c30cfea252abf6e236d7ef31c5c141792d

SHA256
14f180be6c7cf017d9a38a40d4ff0051d21cf2bb433493fa3f68ab9cbd92aba3

SHA512
d9498c09c57cb3c3af48897c30b669b1eb398bc5effc00b6bd33e14d10aacefa31f5982b599700d8c633cb4395b5b9ee87bb4bd6a9de229b38eaa1c14bcb93af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Object

Filesize
72KB

MD5
ba6b8110dbc99c48c5ddc440d5b4478a

SHA1
83e7d89fb0ae98b15d62eb5bab360c64acf43f6b

SHA256
1ad9f678abbf883bfdd7a95b785e51c46a15b8df5bba26c8476c33eb052e36f6

SHA512
720241153cc1cb41c89eccad53756869e8bc22b6c1ba1788ca1f14c5517d02c7ffe201cbcc6c2c5226c0bc88154f2cefc037c093ddb184b4ba802f517cadb0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Objects

Filesize
61KB

MD5
47149fc9430ad773ac8e9906e2f5f2e3

SHA1
19e7da2dd9b3710567ca89f701a1c667f3847367

SHA256
5a461d0258fbd0f0a8a43369ec22c1655ab44b6a4603aca64ee4f116903852e5

SHA512
de5eb7ce4ada8983d2a510b22d887ea24a7568d059a906a915634e9e1f21c7a6682b318b4aef6fd470e44620b0dc42a510450fb26e392e882663e6581764850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pray

Filesize
90KB

MD5
d8862057b6e17cabeec87d8a14577e81

SHA1
1ddad5801b2b3a16f54b66ad80d69f3583b7a1ad

SHA256
7bd6d65666323c41813fda127664b974ede0b93d248e5d0d66e053e1ec9919b7

SHA512
6a64134316511a6ed232079cf1dc770ba3f140766c97ee107241a7e4f1eedfb4cc09e54967ae8d1f1561164453b9509c5c8350a82cfd84b15343448354a867b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pray

Filesize
79KB

MD5
cfbb3a2351942a14e8ca61e5c3cfe379

SHA1
114e2cf2222c42360edc0518535caee9b2a56000

SHA256
6e27b4ac246d21e60c19e7d0423610af2637feb742f8194da2d933ed4fb156ea

SHA512
b6f186464bcace545b4e85d18839d1b17c83e6c1765b5152b9f0ceaa067aa7e31e307f09fd0338f473de0ea9101254cee6fa43e1ecd436c8644bc51d673ec648

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pricing

Filesize
54KB

MD5
15346f7c9c19f84696c56f1c84aced6e

SHA1
4a8ac54a4ec28b0aeb382232ba178cfed8cb286b

SHA256
959b5ad9d1447737d619810136ea1aa62b355ab173fa9048f63fb2c2e10f930e

SHA512
3c3a91309d7dd983f3422790ea5a00e208b6cb3fc002118192e193d567e1b4b9b092aa9315b5ee87bab3ab7eceae37aaf7cf202977c4339bfed11aa2d31c3e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Una

Filesize
78KB

MD5
624063585f80878f5c61e4ba033a0c32

SHA1
57c4a4b1030eba29c1b4164e2241de70272ea5c2

SHA256
f498c055b2c50d44345ecd9c313396357091ecec57c952d381defb9660e55ab3

SHA512
3d63c24269fe1aa3ecdca7d9decb1b1faf9551f992dc1b6f3773d0bb2fcc6c4825cffd7a6223df7f3d39a50d140a97903ec49ad23c8d14d1a2e04dc98ee08f2e

Download Submit
C:\Users\Admin\Downloads\docsity bypass.7z

Filesize
4.5MB

MD5
774c1e2698a4c8e1c01451dd7c404ef3

SHA1
495a7e38adeeb9313c6f42f57a38e68e9953f0d7

SHA256
672b7694dc8b91bee487486a7a8741674ee82f375e0bbdbdfadbc074961873e9

SHA512
af00e40877597b2475c1ee53c821f5d0d43551610001b6f34751307e545fec090d6c63aa7e461072d130f34a9d7957d3f88dfd065b32c2389dc80ae393e5fcab

Download Submit
C:\Users\Admin\Downloads\docsity bypass\docsity bypass.7z

Filesize
4.4MB

MD5
dd54ff72ca5b67963ea32eb26f917787

SHA1
7b86c00bf3905728b82efac8b50046c45d9c1481

SHA256
b931f8096025e6f939e6f4f85dd6d50b40c5f54dbadb207cb6642a682c14495b

SHA512
13061c59e2ebc5858e29b0da6bc0de9ade47a896a665ba5be7a386cdefcaf8623bc0076fc11a4cdb9343497ea77f6d6fa29ad50ea094f2c56b38440999f510d3

Download Submit
\??\pipe\LOCAL\crashpad_2116_EGABTXGXDYLSJLLM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2712-496-0x0000000004200000-0x000000000425B000-memory.dmp

Filesize
364KB

Download
memory/2712-497-0x0000000004200000-0x000000000425B000-memory.dmp

Filesize
364KB

Download
memory/2712-498-0x0000000004200000-0x000000000425B000-memory.dmp

Filesize
364KB

Download
memory/2712-499-0x0000000004200000-0x000000000425B000-memory.dmp

Filesize
364KB

Download
memory/2712-495-0x0000000004200000-0x000000000425B000-memory.dmp

Filesize
364KB

Download
memory/2712-494-0x0000000004200000-0x000000000425B000-memory.dmp

Filesize
364KB

Download