hxxps://ify[.]ac/1Ic5

Resubmissions

14-07-2024 14:46

240714-r5ksyaxbqh 8

14-07-2024 14:43

240714-r3y8jsvckq 8

14-07-2024 14:37

240714-rznmmswhra 7

Analysis

max time kernel
149s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-07-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ify.ac/1Ic5

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	cd2mp3converter32.exe

Executes dropped EXE 2 IoCs

pid	Process
692	setup_j3VSqCVkA8.tmp
4136	cd2mp3converter32.exe

Loads dropped DLL 1 IoCs

pid	Process
692	setup_j3VSqCVkA8.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe

Program crash 39 IoCs

pid	pid_target	Process	procid_target
652	4136	WerFault.exe	88
4248	4136	WerFault.exe	88
3656	4136	WerFault.exe	88
1884	4136	WerFault.exe	88
2308	4136	WerFault.exe	88
1604	4136	WerFault.exe	88
5132	4136	WerFault.exe	88
5804	4136	WerFault.exe	88
5204	4136	WerFault.exe	88
5320	4136	WerFault.exe	88
4992	4136	WerFault.exe	88
5268	4136	WerFault.exe	88
5276	4136	WerFault.exe	88
6344	4136	WerFault.exe	88
5748	4136	WerFault.exe	88
6152	4136	WerFault.exe	88
6228	4136	WerFault.exe	88
6488	4136	WerFault.exe	88
6580	4136	WerFault.exe	88
6608	4136	WerFault.exe	88
6700	4136	WerFault.exe	88
6752	4136	WerFault.exe	88
6868	4136	WerFault.exe	88
32	4136	WerFault.exe	88
3852	4136	WerFault.exe	88
1384	4136	WerFault.exe	88
5864	4136	WerFault.exe	88
996	4136	WerFault.exe	88
6256	4136	WerFault.exe	88
4288	4136	WerFault.exe	88
5628	4136	WerFault.exe	88
2584	4136	WerFault.exe	88
5664	4136	WerFault.exe	88
5660	4136	WerFault.exe	88
5704	4136	WerFault.exe	88
5780	4136	WerFault.exe	88
6924	4136	WerFault.exe	88
6936	4136	WerFault.exe	88
6020	4136	WerFault.exe	88

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "1513"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\newassets.hcaptcha.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "9"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\hcaptcha.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\newassets.hcaptcha.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d86a3d5bfcd5da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "25"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "140"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "90"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7a795f90fcd5da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "105"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "172"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "427749802"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{165A63A8-0828-4F86-A539-BD60D1650E9 = "8320"	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{165A63A8-0828-4F86-A539-BD60D1650E9 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000c3ce157cfcd5da01c3ce157cfcd5da018bde667cfcd5da0185ce5c000000000001000000000000000000000000000000ad0314001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800b0003100000000000000000010004d6963726f736f66742e4d6963726f736f6674456467655f3877656b796233643862627765007c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e004d006900630072006f0073006f006600740045006400670065005f003800770065006b00790062003300640038006200620077006500000034005c0031000000000000000000100054656d70537461746500440009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000540065006d00700053007400610074006500000018005c00310000000000000000001000446f776e6c6f61647300440009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000044006f0077006e006c006f00610064007300000018007600320085ce5c00ee58b275200053455455505f7e312e5a495000005a0009000400efbeee58b275ee58b2752e0000000000000000000000000000000000000000000000000075493600730065007400750070005f006a003300560053007100430056006b00410038002e007a006900700000001c000000aa0000001c000000010000001c0000003400000000000000a900000018000000030000002f27336a1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e4d6963726f736f6674456467655f3877656b7962336438626277655c54656d7053746174655c446f776e6c6f6164735c73657475705f6a3356537143566b41382e7a6970000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000066637868746c686c000000000000000076c67ca85be9e04c9e12f9156c937223881f1f1386f2ee11abe2c2153342db4076c67ca85be9e04c9e12f9156c937223881f1f1386f2ee11abe2c2153342db40ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003100360030003400340037003000310039002d0031003200330032003600300033003100300036002d0034003100360038003700300037003200310032002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000000b36fd38000000000000d01200000000000000000000000000000000	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "589"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\hcaptcha.com\NumberOfSubdomai = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "566"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "1513"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{165A63A8-0828-4F86-A539-BD60D1650E9	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "853"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4d3f5840fcd5da01	MicrosoftEdge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\setup_j3VSqCVkA8.zip.k5p06c6.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
692	setup_j3VSqCVkA8.tmp
692	setup_j3VSqCVkA8.tmp
4136	cd2mp3converter32.exe
4136	cd2mp3converter32.exe
4136	cd2mp3converter32.exe
4136	cd2mp3converter32.exe

Suspicious behavior: MapViewOfSection 16 IoCs

pid	Process
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3364	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3364	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3364	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3364	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	596	MicrosoftEdge.exe
Token: SeDebugPrivilege	596	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
692	setup_j3VSqCVkA8.tmp

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
596	MicrosoftEdge.exe
4016	MicrosoftEdgeCP.exe
3364	MicrosoftEdgeCP.exe
4016	MicrosoftEdgeCP.exe
6400	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 4712	4016	MicrosoftEdgeCP.exe	77
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 5124 wrote to memory of 692	5124	setup_j3VSqCVkA8.exe	85
PID 5124 wrote to memory of 692	5124	setup_j3VSqCVkA8.exe	85
PID 5124 wrote to memory of 692	5124	setup_j3VSqCVkA8.exe	85
PID 692 wrote to memory of 4592	692	setup_j3VSqCVkA8.tmp	86
PID 692 wrote to memory of 4592	692	setup_j3VSqCVkA8.tmp	86
PID 692 wrote to memory of 4592	692	setup_j3VSqCVkA8.tmp	86
PID 692 wrote to memory of 4136	692	setup_j3VSqCVkA8.tmp	88
PID 692 wrote to memory of 4136	692	setup_j3VSqCVkA8.tmp	88
PID 692 wrote to memory of 4136	692	setup_j3VSqCVkA8.tmp	88
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 764	4016	MicrosoftEdgeCP.exe	78
PID 4016 wrote to memory of 6244	4016	MicrosoftEdgeCP.exe	108
PID 4016 wrote to memory of 6244	4016	MicrosoftEdgeCP.exe	108
PID 4016 wrote to memory of 6244	4016	MicrosoftEdgeCP.exe	108
PID 4016 wrote to memory of 6244	4016	MicrosoftEdgeCP.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://ify.ac/1Ic5"
1⤵
PID:2324

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:596

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:2848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1580

C:\Users\Admin\Desktop\setup_j3VSqCVkA8.exe
"C:\Users\Admin\Desktop\setup_j3VSqCVkA8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5124
- C:\Users\Admin\AppData\Local\Temp\is-DNI45.tmp\setup_j3VSqCVkA8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DNI45.tmp\setup_j3VSqCVkA8.tmp" /SL5="$30444,5849669,56832,C:\Users\Admin\Desktop\setup_j3VSqCVkA8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7142"
    3⤵
    PID:4592
- - C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32.exe
    "C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32.exe" 6f9ba457637a93bb3d5833e7e36a09d5
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 812
      4⤵
      Program crash
      PID:652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 848
      4⤵
      Program crash
      PID:4248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 860
      4⤵
      Program crash
      PID:3656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 960
      4⤵
      Program crash
      PID:1884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 992
      4⤵
      Program crash
      PID:2308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 996
      4⤵
      Program crash
      PID:1604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1032
      4⤵
      Program crash
      PID:5132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 992
      4⤵
      Program crash
      PID:5804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1012
      4⤵
      Program crash
      PID:5204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 988
      4⤵
      Program crash
      PID:5320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1284
      4⤵
      Program crash
      PID:4992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1568
      4⤵
      Program crash
      PID:5268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1596
      4⤵
      Program crash
      PID:5276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1644
      4⤵
      Program crash
      PID:6344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1772
      4⤵
      Program crash
      PID:5748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1972
      4⤵
      Program crash
      PID:6152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2060
      4⤵
      Program crash
      PID:6228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2056
      4⤵
      Program crash
      PID:6488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1820
      4⤵
      Program crash
      PID:6580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1004
      4⤵
      Program crash
      PID:6608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1980
      4⤵
      Program crash
      PID:6700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1836
      4⤵
      Program crash
      PID:6752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1844
      4⤵
      Program crash
      PID:6868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2140
      4⤵
      Program crash
      PID:32
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2184
      4⤵
      Program crash
      PID:3852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2268
      4⤵
      Program crash
      PID:1384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2080
      4⤵
      Program crash
      PID:5864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2200
      4⤵
      Program crash
      PID:996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2344
      4⤵
      Program crash
      PID:6256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2392
      4⤵
      Program crash
      PID:4288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2512
      4⤵
      Program crash
      PID:5628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2436
      4⤵
      Program crash
      PID:2584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2596
      4⤵
      Program crash
      PID:5664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2624
      4⤵
      Program crash
      PID:5660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2656
      4⤵
      Program crash
      PID:5704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2748
      4⤵
      Program crash
      PID:5780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2688
      4⤵
      Program crash
      PID:6924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2600
      4⤵
      Program crash
      PID:6936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2624
      4⤵
      Program crash
      PID:6020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32.exe

Filesize
4.9MB

MD5
0fe58677998932ece058f23fdf28dae7

SHA1
6d0f9640026143a5d128eb021361ca163ce5c3f3

SHA256
6071e75c7cce7ec1900d93ff08a1e3103bc5f42a72e7dc04fe8cb055d2b71cb1

SHA512
5bed3f6678a54ab1933f24c45eac6c00187f4dc65553d5e04614a448c1c35631057037029d712db2aac2c2b280e96cc491a5e4afd9512311aceb9df0e110b831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\502XJ358\QR5Eh00-DY-sP8PcJ5iIzhz00opxPFI30kmgY8y9GnU[1].js

Filesize
17KB

MD5
142ad35a28d4cfa91655c971bdcc8c21

SHA1
a2ebf958fffaf5dae9855080c6687e0127f51cc3

SHA256
411e44874d3e0d8fac3fc3dc279888ce1cf4d28a713c5237d249a063ccbd1a75

SHA512
a1591f1b237541df648ace2fa8b22712fa2e930977004818ee20ea05757fc8bd54febb344dcdce6354ae9d6b7fc2f8d7eada88c05593cca56c3d85996ea0b089

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\502XJ358\api[1].js

Filesize
870B

MD5
a93f07188bee2920004c4937da275d25

SHA1
901cfea09bc88d26a55cf2c57ccdaf45dfaea95a

SHA256
587d5394ddb17dec6f39de2e973431f161a1e08a45d499fe7c7a6333a93904cd

SHA512
16855a943a768355129e31623e5eb7064741d4d07ac2c0fcd21c5742a1b2e2a2c3af38e0f481bd7b8006dc96c408be07b91bbbe28ce7c4f7f0f7d53e427500c9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\502XJ358\hcaptcha[1].js

Filesize
380KB

MD5
e5f6f819663927b1cb8f28843f35aa64

SHA1
e171ae6690d1752ab28414444d623181ff808593

SHA256
c2aee5e4e7e4c0b6e15d4645e62ac949441031c1c966451f988885a43c13b099

SHA512
8e48046e21a08ae5ff5728906e7dba45f04cb9ffdccbadbc010bca68f89779dc9800f835793048d328639ca66fca620e76c41d03371e9419f910cce4c1975466

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6BFJQXVB\bootstrap-icons.min[1].css

Filesize
68KB

MD5
e8f9bf6bffd8e881edf8d6880608421f

SHA1
7712bcd53b975e0ec26af2af51c2098ff5bd25d8

SHA256
ee16c135f599c64d3ae35ed65466b5ae1f91d2bac858f8701b76213565a0e664

SHA512
633c0680574ed4d430d426643e81b2464127513c4f49b1965ef1a25eb5a4f08792a9dc9c8b47440d874b2e3331ab5cc2a14d1005ae241c016246150bdf3d9ba3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6BFJQXVB\bootstrap.min[1].css

Filesize
188KB

MD5
6d9c6fda1e7087224431cc8068bb998f

SHA1
6273ac1a23d79a122f022f6a87c5b75c2cfafc3a

SHA256
fb1763b59f9f5764294b5af9fa5250835ae608282fe6f2f2213a5952aacf1fbf

SHA512
a3f321a113d52c4c71663085541b26d7b3e4ced9339a1ec3a7c93bff726bb4d087874010e3cf64c297c0ddd3d21f32837bc602b848715eadd8ef579bfe8e9a9a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7GPGADG0\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\90MKKRR5\recaptcha__en[1].js

Filesize
533KB

MD5
93e3f7248853ea26232278a54613f93c

SHA1
16100c397972a415bfcfce1a470acad68c173375

SHA256
0ec782544506a0aea967ea044659c633e1ee735b79e5172cb263797cc5cefe3a

SHA512
26aca30de753823a247916a9418aa8bce24059d80ec35af6e1a08a6e931dcf3119e326ec7239a1f8f83439979f39460b1f74c1a6d448e2f0702e91f5ad081df9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\90MKKRR5\webworker[1].js

Filesize
102B

MD5
f66834120faccb628f46eb0fc62f644c

SHA1
15406e8ea9c7c2e6ef5c775be244fe166933bfcb

SHA256
8f063ae681a530a407ea4d17859790d9e45fd81ce5b3bb6202fc9e30cef95996

SHA512
7c596e61967fe787bc29d262c945d7eb4e02f9f574d3c8c664f333c9c3b4dd4aff1dfcde8f34be1acfaf8c05423c1c118a4bfd50684a7cd9f90e5f40fbc89653

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\D9LUX718\ify[1].xml

Filesize
258B

MD5
7722a25b8a2a9a9ccaa5bff056af92bc

SHA1
e47a033df91caa5a9c56e5958aba616613223658

SHA256
4d2b2ad12cc8dacc6add8d0e0fcd50782f7ce3502154a30bfc091ca9a2c36e74

SHA512
710021700082effba03277e35b1f005240528dffce00b6efcddb7ee51ff056772d9d49f6a0a47d14a0beafd0999a6e78df9c78f3dcacca6fd7c4c42ee5bfd350

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\D9LUX718\ify[1].xml

Filesize
1KB

MD5
e491e238bbaf50b2c5aba876a187b6e3

SHA1
b42f758206c0021a17811878e8131239112dd3b5

SHA256
799ff07e47e973186149206dff553e799070c163cb6b54a456e06c5832293602

SHA512
29dfd07b009470594008e1c9da2895c7095a219c5131b522840eff7a7fd10ade804304555f6d32d5f6a38e58f717f02f9dc0aefe00b1dfffbd32235c7b1a13b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\D9LUX718\ify[1].xml

Filesize
1KB

MD5
809a7337242c042d66f2cee5af003041

SHA1
18c1a3f865a2d49570fdb149d941b39f729b8d30

SHA256
34e14c81768032aa0847584935e47102b5a18b3bc352b297ca2db94a4f8f9c0b

SHA512
0f0f4855c88dd4e55aba937b74dc76e80913438d90dad6e2a7fc6ddf5cfcb77e89210c0cd7e98ec75bde35e687d564df9c8a67caeb39acf89076483a869f8c33

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\WH1UEVJ1\www.google[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\WH1UEVJ1\www.google[1].xml

Filesize
99B

MD5
6df6d7cfbb07632a5495b57ea53977e6

SHA1
e402ea6c39b8cf26555bb3ea7dc9a43d978ef61a

SHA256
1954b1c8b0ca057980b845422df92ad51056f1a1e1af508af8094c1d3b5e7dbe

SHA512
7bb79a74e8d67a1f57b1e87d106314ff39b7a258165a6921cf358c5b5c96e217d9b20483f5629946327a9ce45421fa2515b9ca6397ee79cfb4bb0d71e9705a43

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3WNUAE56\favicon[1].ico

Filesize
14KB

MD5
de5a68ecf1315791471000eea42de65d

SHA1
3f3e7239d7ec1702868f51e9d28e528c6c60e984

SHA256
fb94090003c3fd820119448548cb3f11a37304608d1f7401824111f53cfbe61f

SHA512
0b5b8b073714ec8e0cd1992d722c669515ce589d14f4dc224e9c1830c4aa8d3473c441758f8128f381607c85acfd015b1fa0f271c4595c33f4d162eab69f2501

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3WNUAE56\website_icon[1].svg

Filesize
1KB

MD5
02f7553e1ac3129cd1c4d0442b5a0f81

SHA1
0dd8634450681fe1a2d0c1e5b02d6d0954e2772d

SHA256
0019255c610cb0843c524d7995905fa5201651fcc393846bee8414f0610097f5

SHA512
ac141a5648a3a22ceb295de8ecc6823f53d2a453316cd591dde888715344a60694316e1b85a5ceec72af62e34cc3d01768b020e5dfd5e0cb9916ec975ba4318e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BFW8BSZG\favicon-32x32[1].png

Filesize
1KB

MD5
16a75c7824b5223b8e22864354e9e33f

SHA1
2c35e76ebe2d8002369d582b32bd70374552c574

SHA256
7f3e38478d53875c1f35d67fc035067274bacf9df8285889ad04fb143dfdddd8

SHA512
bd09744894646081e02b9e730c68c82354e3907c419578bdcb45d52c99d909d78ee084c8948b99d14ac6c8dfb343c9eb9197af039c5ac99d356440efd10a4ee8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BFW8BSZG\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\setup_j3VSqCVkA8.zip.k5p06c6.partial

Filesize
5.8MB

MD5
94cff48c8e606b22bfd6cc30f174af0a

SHA1
04bed05360ff23ae5ad81a85d01848bc43700320

SHA256
797388229cdf6420f130c5e1bd939508c15ee1cc6ebaa742b0fd9826cc88685e

SHA512
1d5d6037651d7eae4f9d88ccf1ac455d3af554629ec9dbb3dca63e33548be1756837e07b3b2e3c0286c50524a75c74e8ad13d5184757eb2cb594a5f325ec9994

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7GPGADG0\setup_j3VSqCVkA8[1].zip

Filesize
247KB

MD5
a6329f7c8e4dc961446f31e4dd957289

SHA1
5a4e3f6becad099be824fd41a6e7453953561f09

SHA256
1a2cef102d47e54f30ffb5d9f706a9d03f2a290e6968f1b3377dff53daf125bd

SHA512
b619420e07d0f1b762e8b1632832aead4fa696a4a53a1ef642abed557a126834e8facc74f58043e8d92e861b83832b56a0d1a16e6e30440b3f6792597f0f7e6e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
8d1040b12a663ca4ec7277cfc1ce44f0

SHA1
b27fd6bbde79ebdaee158211a71493e21838756b

SHA256
3086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727

SHA512
610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
b3a70a62a29f889a9ae00b9e59453e15

SHA1
a14c5c4c12062776f5c8038122dc66affd7d7e23

SHA256
fe8f7b54b8f4f8e6589112ac86ff4b9ccf51dd3262cbaa5b51198f308488e89d

SHA512
43c1ccb1e9f4d841c5e90f5e18392de88db84e13f2eee41709dbf8ff6dd06796563c6a8099240f67cffa24273828fa6fed0999f90ba166daf293a1ed4d3e57fc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB

Filesize
471B

MD5
7a81932376e06ffaa8100e935547280b

SHA1
fa41d8ae7a06c72cfd54429de5979cd05e9fb25b

SHA256
29e4d7ee928e310c74f8f085345b85ea973bfa3fa2ed18037e0c8d016bbcdbe0

SHA512
c223f606f1c3f261b6ec7670298a9bdd342975d4c6f33b1ff24ae7dfc4e13d8d7ae6f4ae669e64f6fd3b92b428c8b896896647419b9548926f12e9ed9f99ac0c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
d09bb82c74d0fb32aba71df5e9ba5ee7

SHA1
552a9c7372d58a8c1d814ed8b28dc35064fca8c6

SHA256
14ec891c8bba752c95f1461143d0d562a1e74ce699ad049b90f39ebd54aefa20

SHA512
543635f51946618e0a527a7b6529da6d55841331ee422af6de10eb8940bbfe9004d8a434ebe24d6586f2050818a1640a69f30a1f77afd1560fac83c197b0e878

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
bd837d42b194a718705ad5d96a84f5a0

SHA1
e74263a2bdf2d35bf7a5e4564c534fc6cba73a26

SHA256
f1d33f5eddd1aee2b9ea023418d8a494bb755596890e4cbbce12f88b705fa746

SHA512
71b648cf8139770a80a9565044e25d61d84e606a7f4b0b59835770ca01008636c6b8f4e439240df1f3a8584b9787e2ce4a95a0a91ea9673a97198ef3314f9170

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
42585c2505aa72c322cdb16a60db87f8

SHA1
6b6cea90231917dcb0a03b7ff516a161ba838ae4

SHA256
41b108ccafbaca776d963259161a01ea92a6146a8d4339a32d8dff1b976f6aaf

SHA512
e3645e1fb144b08dd5158bb52aa7b9645692e2cc7eec1b5bfbf6f30c2c1944678253b6828867478ae09b7e82cf345f965c63246888bd2756d5fb9ede85c4a967

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
5e5196674bbc439c307857d67906d945

SHA1
3edffd19faec8be69de25e7bd8401ced69f0d9af

SHA256
6fdba712bf30073ec07416f6ac6a64fbc214d57c4f242d6878176e8fbc407266

SHA512
a8f77da79b3ecb695f1ca06f673461a91c6a9d48107be40bd62b688896b350aec1ef8b6f1364aa25d3542099d196cab9c6edc31d9350082a9139c1f3f86f7ab0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB

Filesize
402B

MD5
5721266bb439e3825a5bfd7aa10d8fe8

SHA1
d00b788b781499b8f2c345861a4332bfeffc74a5

SHA256
9f38c3b978534b97525c7746c788256dbc1cf81408d992970d0f77a5723602e9

SHA512
7eb1ad84c206764d6d609408d396b6572b791d5dd3ed3a2a94428764a82b3c4fb071062405ac4d952d37cd6851b43842782831deb0c6df9efcc87ed79bee15a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DNI45.tmp\setup_j3VSqCVkA8.tmp

Filesize
694KB

MD5
e1c26c323dd52cd731320cafc0d2bd89

SHA1
6d4b246cf638917954050b0b54af8912fc8458a2

SHA256
2b59a5d1e0719242d3049602b0be47f55460f256991b35c130bc2ad7563d435b

SHA512
b61122c6c73c03af13bf016d3ef98ef51f2e26f99285cb6cb6d23bb24288b5978275bbf8d5d0620e1e79dda0dc1a852599de79dfb1f0a79b960083118a311943

Download Submit
\Users\Admin\AppData\Local\Temp\is-R627H.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/596-218-0x0000014562A30000-0x0000014562A31000-memory.dmp

Filesize
4KB

Download
memory/596-16-0x000001455BB20000-0x000001455BB30000-memory.dmp

Filesize
64KB

Download
memory/596-1-0x000001455BA30000-0x000001455BA40000-memory.dmp

Filesize
64KB

Download
memory/596-217-0x0000014562A20000-0x0000014562A21000-memory.dmp

Filesize
4KB

Download
memory/596-35-0x0000014558F40000-0x0000014558F42000-memory.dmp

Filesize
8KB

Download
memory/764-364-0x000002A2B5260000-0x000002A2B5360000-memory.dmp

Filesize
1024KB

Download
memory/764-362-0x000002A2B5260000-0x000002A2B5360000-memory.dmp

Filesize
1024KB

Download
memory/764-348-0x000002A2B4FE0000-0x000002A2B50E0000-memory.dmp

Filesize
1024KB

Download
memory/764-346-0x000002A2A4510000-0x000002A2A4610000-memory.dmp

Filesize
1024KB

Download
memory/764-310-0x000002A2A3D00000-0x000002A2A3E00000-memory.dmp

Filesize
1024KB

Download
memory/764-309-0x000002A2A3D00000-0x000002A2A3E00000-memory.dmp

Filesize
1024KB

Download
memory/764-376-0x000002A2A4510000-0x000002A2A4610000-memory.dmp

Filesize
1024KB

Download
memory/764-383-0x000002A2B5DD0000-0x000002A2B5ED0000-memory.dmp

Filesize
1024KB

Download
memory/764-380-0x000002A2B5C70000-0x000002A2B5D70000-memory.dmp

Filesize
1024KB

Download
memory/764-377-0x000002A2A3D00000-0x000002A2A3E00000-memory.dmp

Filesize
1024KB

Download
memory/3364-45-0x0000022224780000-0x0000022224880000-memory.dmp

Filesize
1024KB

Download
memory/4136-4064-0x0000000000400000-0x0000000000CDC000-memory.dmp

Filesize
8.9MB

Download
memory/4712-123-0x00000135C3FF0000-0x00000135C3FF2000-memory.dmp

Filesize
8KB

Download
memory/4712-119-0x00000135C3E20000-0x00000135C3E22000-memory.dmp

Filesize
8KB

Download
memory/4712-115-0x00000135C36E0000-0x00000135C36E2000-memory.dmp

Filesize
8KB

Download
memory/4712-64-0x00000135B2BD0000-0x00000135B2BD2000-memory.dmp

Filesize
8KB

Download
memory/4712-66-0x00000135B2BF0000-0x00000135B2BF2000-memory.dmp

Filesize
8KB

Download
memory/4712-68-0x00000135B2E50000-0x00000135B2E52000-memory.dmp

Filesize
8KB

Download
memory/4712-60-0x00000135B3110000-0x00000135B3210000-memory.dmp

Filesize
1024KB

Download
memory/4712-59-0x00000135B3110000-0x00000135B3210000-memory.dmp

Filesize
1024KB

Download
memory/4712-117-0x00000135C3E00000-0x00000135C3E02000-memory.dmp

Filesize
8KB

Download
memory/4712-61-0x00000135B3110000-0x00000135B3210000-memory.dmp

Filesize
1024KB

Download
memory/4712-121-0x00000135C3E40000-0x00000135C3E42000-memory.dmp

Filesize
8KB

Download
memory/4712-294-0x00000135C3370000-0x00000135C3372000-memory.dmp

Filesize
8KB

Download
memory/4712-292-0x00000135C3360000-0x00000135C3362000-memory.dmp

Filesize
8KB

Download