hxxps://drive[.]google[.]com/drive/folders/1W7NV1bn9E7-EdHzvoCaNQcbLY8blz3PE?usp=sharing

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1W7NV1bn9E7-EdHzvoCaNQcbLY8blz3PE?usp=sharing

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	install_flash_player_active_x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "9.0.124.0"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	install_flash_player_active_x.exe

Loads dropped DLL 14 IoCs

pid	Process
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
5548	install_flash_player_active_x.exe
2652	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
8	drive.google.com

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9f.exe	install_flash_player_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash9f.ocx	install_flash_player_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9f.exe	install_flash_player_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe	install_flash_player_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	install_flash_player_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash9f.ocx	install_flash_player_active_x.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install_flash_player_active_x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	installer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	install_flash_player_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil9f.exe"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	install_flash_player_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	install_flash_player_active_x.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\	install_flash_player_active_x.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\ = "FlashBroker"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sol\Content Type = "text/plain"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer\ = "FlashFactory.FlashFactory.1"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\Content Type = "application/x-shockwave-flash"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\FLAGS\ = "0"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\ProxyStubClsid32	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS\ = "0"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\ = "{57A0E746-3863-4D20-A811-950C84F1DB9B}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.9"	install_flash_player_active_x.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3340	msedge.exe
3340	msedge.exe
4828	msedge.exe
4828	msedge.exe
3492	identity_helper.exe
3492	identity_helper.exe
5556	msedge.exe
5556	msedge.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
664	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
2652	installer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5548	install_flash_player_active_x.exe
2652	installer.exe
2652	installer.exe
2652	installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 692	4828	msedge.exe	83
PID 4828 wrote to memory of 692	4828	msedge.exe	83
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3640	4828	msedge.exe	84
PID 4828 wrote to memory of 3340	4828	msedge.exe	85
PID 4828 wrote to memory of 3340	4828	msedge.exe	85
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86
PID 4828 wrote to memory of 324	4828	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1W7NV1bn9E7-EdHzvoCaNQcbLY8blz3PE?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa68646f8,0x7ffaa6864708,0x7ffaa6864718
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,13430382202064508126,8503821087867935849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4164

C:\Users\Admin\Downloads\thing-20250104T150344Z-001\thing\install_flash_player_active_x.exe
"C:\Users\Admin\Downloads\thing-20250104T150344Z-001\thing\install_flash_player_active_x.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5548

C:\Users\Admin\Downloads\thing-20250104T150344Z-001\thing\installer.exe
"C:\Users\Admin\Downloads\thing-20250104T150344Z-001\thing\installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6d071055-8472-4380-818e-070b5a90be65.tmp

Filesize
5KB

MD5
18c4a064352388d976187f929c593088

SHA1
89b3573309b8c713a6f01f68e208b5897703a97a

SHA256
845b5ac0cfb2e9a2d0a8b599d6548868ea47d8a671b8eec3257731646f6fd3d5

SHA512
a60e465fd123ae5e7fac44242f19d124605b5dfd60a498bd98b63c58dd4c947a110b84ed2b4e3a634dabd0659a142fe209c5f313688f9d33c50d599d5fb1e56c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6e6115af4fbedb3dec0b725eab09aee8

SHA1
91b538264a27dacc0e7884fa560fa9707636b1bb

SHA256
382aa9dfd44609f0501bdc1cc449892456fd696d4400f3b1ea1088c7108c9671

SHA512
6fe59801a1616c779a59485b8bf2a2460ccb0ad8115cd91703c7b9650e875dd6c6f512be8be9af9f91ec8385195cd0b899d22c4af28032996ac2778be4892aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fbea46526e7a23aa0665715c318a3ad2

SHA1
5200f81808fc4877fdbf22e1cf9740dff29861c1

SHA256
94a884a8ab21d5922c2a7b98a09899244e15e52e0fdee04cf0684f606d7e6973

SHA512
720d6816c2d3bc80ef93e703e1500f8fec32ee0c2f78ad8e06e2e48974b4a8ae45a1c9c99c8baa9e1e3023e5b174b486ef6b464d545401fbad3d029d877284cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7212851bcd526ba2689260663752e4f

SHA1
d64eb4ca71a471fdc02fd23c282b91d10ec635f4

SHA256
2d0807c215b83c83eccb4730efdc5a54c6c56b002c7bbe9ad6583e634707f88c

SHA512
3ab7e8a0f09b2c474daa70490a897e506fe1da7171a819f3d1a67d1a9afacf26465d41dc7271ce4df66f2a73995f37674e2d99eefc8481f77aeb8a12f82976f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
08c7cc84a7f09f38f13017ef29965a55

SHA1
483f286f917391f9a14ffb68619ca7b869c71335

SHA256
c1127ffce8f2c1c66c39dfeffc481916cbd3338a4f69360323014f915c7695cd

SHA512
e9d42db2b1cfe515924f0ce9687fa29ce8a2c65b619508911a36e41dd2b95b575181c12d98a1c1e43f43fe305611f4b2417bea08fd58e7595687fce94dd262f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4ddf616298bbe657849262633daab196

SHA1
34ebd0c85e883c01323da8401fbf8e93697e959a

SHA256
fe3769ca7381a62a00451ed38ee0b7eee5ed0de14c47713b681db954eb4c77a4

SHA512
c88d20c06e0a2b25719da654b3dfab75a780ab07404a352654d5b00ff686398c7024836f71b74efbcda731efd2c49b11fea289063cd111d161bfb6a9e47b8ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
41ee4a780b2e60c5da6c0ad73464a8f0

SHA1
7946bb31372fad6e886a1c59902b0355b909597d

SHA256
ae0aacfb72ec2e75f20feb0b7c4cb315dfd3b017713112b6d46b705857173757

SHA512
408602e204916375412ccc43ad341f8578583f48a08a572550fecf7c067fdaf4a539952be0f8cf273e418942efb5a51741f959709b91a98274a856c3efa3a830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f88e08f82307512f1572499ec0adc2c9

SHA1
024d4aba387366f65bec34e774f66b6933553e3a

SHA256
dffcd53320e83253fc7276c8c97c754e9a0c1ac9f0c29e32e64f6a0e8c3597ef

SHA512
2c86f2508ceb9aa79cc1308ab85dc5914d991e2bc43f8e3c85da74db221e70eebff876de514c83a8203ea8868e419d24e8422eb9af93fdf8b8eae106f530c3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e8dfef20711e94646673ed9b54f3fed1

SHA1
89ab03eeaabac0e75729ec0bb6152a081b07e76c

SHA256
1c4731b22c21b6dd3f527ee50bd3b0e657fcf0e834bcfddbc4a740525b7c0a16

SHA512
9863328d396629f3e3fc94d78b7f92aea2276fe709466dadd3d40c20aa3d5ace01cd95dc52f09acd76bb96452947ba9ed66a198581c5e3de48e6bf28ec53bbc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580124.TMP

Filesize
1KB

MD5
67f64b5344c6a531e85c6a51a70b2410

SHA1
a0d29302019418940eb53010ddfcf0adc6a3c2fc

SHA256
9a44f537bb4132c2213f73552f5a062071cfa89a6f8b1c2762e41e2f5c08af11

SHA512
829a893b0962be2b197a31245ab65a67ecce4cf22593f523faaa735247978d7d51a2ca8a4c5a8d6f49fa5f6acfcf3154aa4561aebdc8f690d39154455ed4563e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc594c6f22cfeb787bb8d8f0a83ce5a9

SHA1
e2d06922be82d51ae824545888bc2086dd03feb2

SHA256
3556d5256881add119a6c4e96b941c60b3b94b5870b6e74159e1a90f6e4bd43c

SHA512
9209eef2f2f32513074006c4454c12900c1b744b4d7b75b4bdfe38d24224b7f0594847a1eb542bdc4ed0f8e3d46e43852c31b7c224f7257687f3807c5d7e669d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ca10844b4d52b25a9f7df2aa22a657cd

SHA1
f10ef50ca749c140fa4b0459d71a44f5f1e7b8ba

SHA256
9ded3035c9341d36970927c9010fbba565387d0d77200256383616ac034e1c0d

SHA512
a7e54d97214f689e6e92d9ae618e6ba7d0a7ccd3724dad4c6500fcc99b0527a8dc6a0fe6bbca3dad996555914e627a020d02286ae326a894398078451397c5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77AD.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77AD.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77AD.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa77AD.tmp\fpinstall.dll

Filesize
8KB

MD5
071b6233c92f69ffa1c24243328c3b94

SHA1
bb583c00e87cdc65e6254c7148d37afc1bbb3095

SHA256
5f6c63cb0ba539d692c5461730f057d0ec6c60639d772fbdc3753c3c6e746c43

SHA512
7fc2db406350488ee86ccffe1e99a91e0f509ef0429063336bf6f96aab07127df352db77fe9d00ddc3aa2db7886dfbac08b6acf6a5c647859956111ca47c24f1

Download Submit
C:\Users\Admin\Downloads\thing-20250104T150344Z-001.zip

Filesize
2.2MB

MD5
8aefb4089ab666cb92ff834d469f1f4d

SHA1
39c3410c78ad3c02b06005f91fd5a44b8002b50c

SHA256
492b72ee74733139e663319903d70c31ecda40ebaef01e726932ab369315d83b

SHA512
ee5d903aa9be18f5290b3d7824c1e585037095f3d945b694d262edcbf12da324f7bc0787c28c8cef636d32ef23c9a4ee94a7de5cd3a176ffcfea04af23eee35b

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\Flash9f.ocx

Filesize
2.9MB

MD5
48fdf435b8595604e54125b321924510

SHA1
e13d25bdac576e95e9134c3f95f0f8cbe94d6185

SHA256
7fcd80f7f56a841a4c5ef950afac8991da71ba9eae82f20db2954c7b4b72efd9

SHA512
86a59d83cc3d39b752b7a9c98e79b3f8fbcca66087926f026aabf5453bde83321928b77947e2aa5f625a53dafc89c0bf224daa7ce004b1851345abe93c6e83f3

Download Submit
memory/2652-331-0x0000000030000000-0x00000000303AF000-memory.dmp

Filesize
3.7MB

Download