lumma | hxxps://www[.]mediafire[.]com/folder/uml3a9raehtf2/des

Resubmissions

22/01/2025, 19:14

250122-xxxena1rhk 3

22/01/2025, 19:11

250122-xvyvps1jgt 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/uml3a9raehtf2/des

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

https://suggestyuoz.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
4292	blisdodi.exe
3984	blisdodi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4292 set thread context of 3984	4292	blisdodi.exe	130

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2176	4292	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blisdodi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blisdodi.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "5"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000136e39709918db01144da989a418db014353e3b9016ddb0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "7"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "6"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000056d03b709918db01a91196d2a318db01c67798d2a318db0114000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
1252	msedge.exe
1252	msedge.exe
1972	identity_helper.exe
1972	identity_helper.exe
760	msedge.exe
760	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
4236	msedge.exe
1604	msedge.exe
1604	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1604	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1568	7zG.exe
Token: 35	1568	7zG.exe
Token: SeSecurityPrivilege	1568	7zG.exe
Token: SeSecurityPrivilege	1568	7zG.exe
Token: SeRestorePrivilege	4580	7zG.exe
Token: 35	4580	7zG.exe
Token: SeSecurityPrivilege	4580	7zG.exe
Token: SeSecurityPrivilege	4580	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe
1252	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1604	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2260	1252	msedge.exe	84
PID 1252 wrote to memory of 2260	1252	msedge.exe	84
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 2644	1252	msedge.exe	85
PID 1252 wrote to memory of 3144	1252	msedge.exe	86
PID 1252 wrote to memory of 3144	1252	msedge.exe	86
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87
PID 1252 wrote to memory of 1416	1252	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/uml3a9raehtf2/des
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdac5c46f8,0x7ffdac5c4708,0x7ffdac5c4718
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6480 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2080,8528773165276617068,9514127498409804102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1480

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\flipnodi\" -spe -an -ai#7zMap21185:78:7zEvent29784
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\flipnodi\foisoneo\" -spe -an -ai#7zMap11216:96:7zEvent13691
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Users\Admin\Downloads\flipnodi\foisoneo\blisdodi.exe
"C:\Users\Admin\Downloads\flipnodi\foisoneo\blisdodi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4292
- C:\Users\Admin\Downloads\flipnodi\foisoneo\blisdodi.exe
  "C:\Users\Admin\Downloads\flipnodi\foisoneo\blisdodi.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 820
  2⤵
  - Program crash
  PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4292 -ip 4292
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9fa672023a9bc320c878e519b83875da

SHA1
a3094be05b6550b08e24d0dfe70659eb3e8d6385

SHA256
12d7d346cce0e2e47ebea86c60e015949016124c8721272507aa2f1a94cbd254

SHA512
c68505dae778008b01f69124644cb17b38ac815f0b6804f5303d1a4cd34fb0df0e6aa8db81def2a97513822418a204c2a7217651f6ae4c6f63d15b7bcd4fe3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
27126ceb001a9b00b7dfaafb2bb7a827

SHA1
fc0cd270e7640b370640d41ee10e4ab29fd4e6d8

SHA256
a397e6294830e1bd8f4acbd5759439c7d63a57491bc68e112ca7a71dba2a2c73

SHA512
f32d24fcbf90145d2fdc3ccbc609565297f6f6f012e1be3261ffb1a3727bfbe3e35542e37f49525dfd6dd0ba995a9b6c2f0b79df1e55c58df41066ae60933ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ef4577b6948a8447c6e0359a442f78a2

SHA1
c74ddb5efed44eb56c2d2cb91d59a554e6599452

SHA256
bbf571f9264da0f4a5b9a24ff9f453a8c1da69472a99782cfa85a0efb895c382

SHA512
e2454c14606a49b7e08d4fa6500f59ce96b935af9c033308c50744d745b291f0ed02985dbc8b3a36e322c77e1aa54a699a3518ba44c55b09ddcb1fbe70faaef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a61886f926483f25fb7ad42379b10db1

SHA1
91a561066e090ee7eb1e0f7e5a2e05833e083011

SHA256
2afff9a25bcced556be30f6f83e7214aa8e5f0473a0c2476cc0e6a395fac5444

SHA512
52c7ec2e84465d0d9ce6a099ba9a632d619b3971724c629fdc12bc2601add5b33a0ff7f5ea7d6101260d5eaa83ceeea1a034af56dd0f350ed9afac66d8f99956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3014bc4436e42314824e1ad63b2368c3

SHA1
a4e198a51f37541e99c512eff88e0516d5d9213a

SHA256
9ca9c2f97eba26e64ea4956827185b9bb9ab04d0fa1e4f16b3b97996c15ef076

SHA512
80fda261df576703e9f71e8c88005fc8904e1f57c35306f3a452cfdcdb11bdbb14515b890614593308d11794755b60528c0f3696d3800091604db85f02300b59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e1450b071d1ce420f0b5e536e1f6731

SHA1
f9f75adedfbf23748cc73b94257cfc8c2e39631e

SHA256
1071f16e9dffb8adafe02701a86095cdb518f017d0ab15bec0badc321e694443

SHA512
68e11d8735231019bba09c0d47386e4a5840564207e61aa72c9228ee9796c972f3092f042b40dc297fa7819819f34fee4b430b06548b10af5c83bf92e481875d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
802fe343541e1053612caef12e7aab48

SHA1
24d044bfc302d49f0d5919b03f3c558ac5cfcda2

SHA256
f323495f37a5870c3869e97084a36dca954399689f3ba89f2a4207bce44d56f4

SHA512
910b9f9f9317ffeb1edd5c59535b6d0fe20b6a8154e6562c39902ba32afce44341aa2470775e807ee2c29339fe7d9e51dc1f3f24a18a0e3db5c62c05aad6f0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c67ede1a9b3d8a7ee2b0185fd3fc0dfb

SHA1
ca499e57ad37e395ff0aedda00c83179403897b7

SHA256
a1da3dca4dc507f90da04234d5163ed66d2fd37f0644639d63eb3d01b2a47918

SHA512
67a0f94a169c61472d92c4497b847609ea542036da855e2ceb65012e34638ae075e93f0477cbe80910dfef25b2f55845b1fcbaaae3b863223e718690dbb111e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e89ac0669ead12e1972947970179d46f

SHA1
b47ace5630d113e6eea65fae94919bdb8c8602c0

SHA256
74bbde187f0ad75cd7997dbd89a38dab8ba3331d3bbf2c408cf34980cb0f5e5f

SHA512
a5cb8c1c7970f1187e50d1ae62349a178d1b02525a547d535927a99ff2a702297528423e6d7d2530c4aa464861d0088faca6b422c8a9f5571d57c8efe624d416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c5a8.TMP

Filesize
1KB

MD5
bdbb7f96ac8b8382ec732d06a2170f5b

SHA1
59932c9c4f12508a862fa23056c3850130a55f88

SHA256
ca3f3ab0f52d620eb4d2ad049bb7c470320a1d7450b1c664479aac6dc16cb94a

SHA512
5eb395c1828fb83d7884291fd513e18d48d7406bd1b3b64d5bbf5a3212fd6b74492f2e6345ae8328d6ee6fea689fd1bd1f07b284b1727e68f720bafbd63c4f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
578fb64b3eb582164739ce872a939aca

SHA1
7dc12b321dcf7efa8736b995ea91788cf80b94d4

SHA256
74a8b099154fbfb394034a0f0be118127732ac2674d8cc2ef41fbc1308fcead6

SHA512
ac94fc69625d3e9db2db514b1a1156e1ae634383518c4a1bf1ae42e51c3e04501d2be5382b63d98edb3b2fedf0e30945ccc6971c71c2627caeca3b13264f202f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
09fcca715f51eb34503c05baeaeb6f55

SHA1
cd9ed2bdb85a1db05ba3400226fabde7114d5875

SHA256
0936761c14db0aa9227842aa5a04b47c42c8f34853f560c8112428f3a73c616a

SHA512
caab5f80453d2ef010fe250295359239f0a045f6da501735439c6933ea088c9f1d745f05ad462724586d7da66b1312e00a1d41be1f8209055fbd8f1223af05dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ba184e7a2b3e0a2db675cb6460e91c9a

SHA1
ca503d8329f2f0d691878d8bda7a04d27f030e8b

SHA256
a0248090468b71d6ec3809b0dfb3e57673ad3997bd8aae60a48b8f470a5b52e9

SHA512
318261aa9e205334f6f6415a472d119c7765dd11394158740edeceaff08e1cdb80980725e67a964aa7ab04486c316e798b99c90dcc5e8fcb35bda97f71a186fc

Download Submit
C:\Users\Admin\Downloads\flipnodi.zip

Filesize
31.4MB

MD5
915db88ad27e5b6d7b296344b2a28058

SHA1
b01be3f334563ff64f01397562a9c5b635be6e3c

SHA256
04b7a96cb89560c448ccf9776df23ebda9a320a2ca66f2afb87c12654e4ff542

SHA512
0026ed5f4587c3bf24f7f4b4c30454cb5f84b9e18820551e057914b44621fb3ad5291d7ca85cf2381e07aa231b91c86c088aac70541b657596cd5c4f5b27837c

Download Submit
C:\Users\Admin\Downloads\flipnodi\foisoneo.zip

Filesize
31.4MB

MD5
a24b06b9eaef35f83d66910b77e35307

SHA1
0ed2df92949cdde18da1224bfd8e444aac4123f8

SHA256
2cd3dc39f35e7e20a2e571d611c98b87a527dca752b92520776f6a4c9f36744d

SHA512
2e7156ae123cfe9889eab8d6c60472fd055beee5a6851354aad4d96fbe9867ab0597892d9f171efa54f4fb687d485b2c5a1215ac82320b77aa9a6b355fea4e30

Download Submit
C:\Users\Admin\Downloads\flipnodi\foisoneo\blisdodi.exe

Filesize
404KB

MD5
ee5e0d9ae052fc69bfd5af47f6be3376

SHA1
0b54ab66eaf524062454dc31a06b7450f6080a25

SHA256
7c1821f8b98f9de823687b651412f6ac35fad3c369dd8bff68e3d191e65c5e4c

SHA512
64b5f41667de5da5e6c24db4fa977cf310e2f3ff8e6354c5667f016af9a031b352300403fea79c302558e8e808ad48777f90b94b2302143c992ebe889ac734ce

Download Submit
C:\Users\Admin\Downloads\flipnodi\foisoneo\jres\doc\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
memory/3984-680-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3984-678-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4292-676-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/4292-675-0x0000000000360000-0x00000000003C8000-memory.dmp

Filesize
416KB

Download