hxxps://ify[.]ac/1Ic5

Resubmissions

14/07/2024, 14:46

240714-r5ksyaxbqh 8

14/07/2024, 14:43

240714-r3y8jsvckq 8

14/07/2024, 14:37

240714-rznmmswhra 7

Analysis

max time kernel
264s
max time network
260s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ify.ac/1Ic5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1428	setup_JfkqQN8zu6.tmp
4852	cd2mp3converter32.exe

Loads dropped DLL 1 IoCs

pid	Process
1428	setup_JfkqQN8zu6.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 11 IoCs

pid	pid_target	Process	procid_target
1360	4852	WerFault.exe	125
1612	4852	WerFault.exe	125
4152	4852	WerFault.exe	125
4672	4852	WerFault.exe	125
400	4852	WerFault.exe	125
4424	4852	WerFault.exe	125
4988	4852	WerFault.exe	125
2840	4852	WerFault.exe	125
4984	4852	WerFault.exe	125
3260	4852	WerFault.exe	125
1604	4852	WerFault.exe	125

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4452	msedge.exe
4452	msedge.exe
4752	msedge.exe
4752	msedge.exe
1852	identity_helper.exe
1852	identity_helper.exe
4116	msedge.exe
4116	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
1428	setup_JfkqQN8zu6.tmp
1428	setup_JfkqQN8zu6.tmp
4852	cd2mp3converter32.exe
4852	cd2mp3converter32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
1428	setup_JfkqQN8zu6.tmp

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4412	4752	msedge.exe	83
PID 4752 wrote to memory of 4412	4752	msedge.exe	83
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 2776	4752	msedge.exe	85
PID 4752 wrote to memory of 4452	4752	msedge.exe	86
PID 4752 wrote to memory of 4452	4752	msedge.exe	86
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87
PID 4752 wrote to memory of 3356	4752	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Ic5
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7a2646f8,0x7ffd7a264708,0x7ffd7a264718
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6616 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,17666153394449454539,10008845066645364532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:1060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3648

C:\Users\Admin\Desktop\setup_JfkqQN8zu6.exe
"C:\Users\Admin\Desktop\setup_JfkqQN8zu6.exe"
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\is-53BHE.tmp\setup_JfkqQN8zu6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-53BHE.tmp\setup_JfkqQN8zu6.tmp" /SL5="$502B6,6021466,56832,C:\Users\Admin\Desktop\setup_JfkqQN8zu6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1428
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7142"
    3⤵
    PID:3616
- - C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32.exe
    "C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32.exe" 0f45e3374dae9e88103c695ee79e28be
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 880
      4⤵
      Program crash
      PID:1360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 892
      4⤵
      Program crash
      PID:1612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 956
      4⤵
      Program crash
      PID:4152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1088
      4⤵
      Program crash
      PID:4672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1080
      4⤵
      Program crash
      PID:400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1104
      4⤵
      Program crash
      PID:4424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1136
      4⤵
      Program crash
      PID:4988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1172
      4⤵
      Program crash
      PID:2840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1144
      4⤵
      Program crash
      PID:4984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 996
      4⤵
      Program crash
      PID:3260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 944
      4⤵
      Program crash
      PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4852 -ip 4852
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4852 -ip 4852
1⤵
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4852 -ip 4852
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4852 -ip 4852
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4852 -ip 4852
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4852 -ip 4852
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4852 -ip 4852
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4852 -ip 4852
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4852 -ip 4852
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4852 -ip 4852
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4852 -ip 4852
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32.exe

Filesize
5.0MB

MD5
566a453849e6f66556016d4387d72a82

SHA1
fa8cd416b078d88df80f94bfcd03c10d20dcb54b

SHA256
bdfeb8322f124276bc176463477379a1c1feb2199e5cf972f171cccf9a0e28f2

SHA512
6d59527a6cc28e80864314ee86a69787c132195a9d395371d574465392c9f4c2ef48136c1745c9194e1e72ae4d71590871ca6b465c1fdf1acc9484ce056e1356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
37a827fe0435ac67a086cd6ced42e5aa

SHA1
9ff482ce9b4c4c3e16cb5547d341d3fde28b3f0f

SHA256
83c12aef6d7fa078257f51fac20e6e948cde9863f0e595de673e9d5863924dd6

SHA512
eeac82cde7e12f4b6e319985bffa84c02fa0e8385224d2c8ab7e7a074a4c7df679f2b5039b43b3bf30b923beaff1e42c89b97263f81a49fba9a5405018a0175a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
8873c3d878b3a0e98d1ffa62a2196974

SHA1
7bf70e3cabc7dc31317dd50350d82ace71b5e6fe

SHA256
86eca60dbe1c06e03e2a97feca4d3304c0c36c0245184d4700d883c6ae6344fb

SHA512
3c3d8b469a38fdbf1706af1d0603e7be556df0b4b39efa6b1b6d8316daaafa5ee8786957aeab52882d1960e5407518826cec05bcb10729280f2cfcb198ccddad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
0584881eed81f1c79eb543488a6abd4b

SHA1
a8c4a1ff7984ad408099b605e9b03ce1f3d5524c

SHA256
b7ea1c9309abe00823e0b825fa2a593b2c0441779586c57fbfab6852f1ecccb9

SHA512
91ce1957e04c0c5262d8af4b0f2c6ed36ad5572abe5a1b36b2b12de18735687b0e05df178b4626924a54ead33abe6bfe147e7b54b8740c8a2b52a6ae54d54f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
84df375fc0472c5efc3a58a8ef30686c

SHA1
ae811ed82bdce92e7fab761537e025da7699572e

SHA256
492e59fb69c5cf159bd3e523b0f2f75882f4d259fecb57122d44641953b3c6f4

SHA512
91d4c139207ed2660da62c1b063f145ab3284196e6beceb9fa0f3d97f24394aa327491c6953fd18e737456ea7773366a3db8963711eb31558cb89800203f37ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8a5c6e12b149f199a80387f8271c11ef

SHA1
aa871b8291ff21df1a5eea289e04fec88a8221a5

SHA256
344e6086afc7e39d9fee3285f10efac37452ffac911488e7892e1eeb61859051

SHA512
2387fbd01d1fcc0ba54de709f48b347cb8e9dfdc1ba634e9bdbd12c404015213318cd95c3991ad8c3b621a86d9bbb633c1dcb9abe2b58cf628b4e01a2a58e3b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
396fb7d3151f311ef1237d40f1366a88

SHA1
804b193f9c3c6434c480a0d1c9382238eb6fde79

SHA256
ed81f6ec0fbab8a7888819d729892dd0605c1751d1192c7c89a986ead26d60cf

SHA512
52ed662551399eee74ffaccd2bf17f0b936d0228ccc8af8cdee674c51f737360f0f32d3b06523d9dc78f549b9f795339df1c3a7d3f5d1a247e826d6aeeeffb3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
46deb0db18ff942b29f0894bd335d70c

SHA1
f09006fabd494ebb858e1a3308e73883e0a142f9

SHA256
077e3c619393356b18471cea29cc3b68019558de45d5821d6d96dba43c4975f2

SHA512
a33bc23aaf8f242f99b034cfbd1390b2cf3dad4f4436a2f1521eb99249927fe99427708dcf71ced313d631d00b1f322afb88837366d4abadc3af11c750496acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
481e9bf3bceeea649216d387ced0bd8a

SHA1
0bbe089c8f48859b7bb968ebad1230d44030e027

SHA256
00f9e98975ee512bc210f8d2ee321db0c081ae5f4b81768fd6294ffb1d9633b5

SHA512
3e32e596bf082d27c445550f92206d22832ecff5427270327ba2ee843ec21a86675efa528d6c3313759dbb060083961b1def555f5286943b06abd6799b867273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c6ccd0ae34b82afa412585b3e03708c8

SHA1
fa2acba1f35f829607a81172c4e18bcaaea8c57c

SHA256
3ef24a3e1b828ee93fc2235570438b41e123e247592bfc15c3de4aa8d0924d76

SHA512
620dea377b1440d945f63a27ce9829434f7469e6e3ecf3df13523892b28e76b8e8d209aae9f9227289b6725a7b88d6db04ee8bd2c1107bf70373bab460ad2998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e39d74965b31be870673914fb22905ee

SHA1
8ecdad9058cbe98ec91b812125df2aa332d463ec

SHA256
66e9f28d096d8aa0093e2996eecab5d42a568b42956720c2337ad2096b2ad332

SHA512
1a21b93a465c337789d04b9b27d5be71df7ac51088a7656fba0802538c7096c05cab445b609f2a563e6dfa06d19e40f6bb61b6f161b939d294c779febb99bfc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3bc1ed7c7f4b63c8f735d2d8f30a0fe5

SHA1
cdfd3479413f5e32bffcdec47f19ec150bb34e3f

SHA256
7c5c93c826f091f6124736a965510cb45ce87d1c2ff8fa614dd9f11ae2bb7844

SHA512
d76f3c0dcbb3b26ceed98bc454a45393dcf019f420d6ed8a294b4192ee8cb66960e965fe73ff68131d61b6a983979b1311e56e5388c4057ac4bfcfa1526ea6f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
54c3bcc374d0932365eb867e141f64cd

SHA1
2a54b6842cb688a51aeb1dfad6f4a624d85b109e

SHA256
ad711d701e3735eb4567075acb4ba90d6c7e442cea88c158c38429e296a55b59

SHA512
354af3cf1d40176c26923e15fa7dc75f08ac463280520c0643daf4b1e312731d38ef5b42302c300c19efd86bc991ccbb12290ed68a9bb962ed7ef5e386e243a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f9877cb7fbf6217cb7af57c2418b8a18

SHA1
c41af6d34c54b01080bb835e747869497d076b82

SHA256
3eae6132e557ca5e20da8c86df828dde18815985834aaa89b43f18f2ceebcd8b

SHA512
5aeceb35e059b448720d8600ffa4023627492fccefe3a11723d40d09c18510e2c1464899740a9e4328e960377669328d61ceaa470e21921637df9036b365c3cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e5ad.TMP

Filesize
48B

MD5
e1869c4cc0bf543cbc67a954e78e57be

SHA1
56e1de8202d444d1bb2d97b104ec2679f29b983d

SHA256
3c935e8f7fac5957eb8f50b355b00e57bec6a245cd46afc19149d90f3bf32dd1

SHA512
4aadc56bf8451d490045238bf62c15f0230cac668ec3031d724bc895c83304f59d199f31aabb9616c923b428aa09b77a222ddca0972886d5a6578ea612a98c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
540B

MD5
5bce2d3efbb9a506d78920968aa0ee4a

SHA1
920d70c5bb9315671f35cba3dbff20cfe5eb1e12

SHA256
e3d0cd898bb6b7decda694907c4914b8d24e0692bd5d89eb62d70342a77c37b4

SHA512
7a56891c9888a71a4d96b985c7a5d176798bddcbb8a512b3461181cd52064f27fc1b4d9b4e209f2dbdcbe6723d35d2a660c80cb3279ad0641ca78c8c0c92186c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
708B

MD5
c31e124907c5fbddce682c08863f3417

SHA1
6fe0f207b6426a0172dcc8c72f90ff534137eec9

SHA256
a4799bc0ecf47d2a8bdaeb778f59a88bd9db5d8f28b5c31c857a76ab4c0c4688

SHA512
a407a80a5629586d9df7aa801e9dd561c61b0faad0d80259b499c3903b1484b563083369563a4adbb2bc874d514be2998d1feccf9d08cab64e329930c3deb799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58173c.TMP

Filesize
540B

MD5
f7359a7001fbf03c26332adfcd4ddc69

SHA1
57ce9118bfc18de16d6fd206b1e2c7ee109701dd

SHA256
972490c986de9f983cbf28e3aca2c82aad15fa4ed64f20ddb87a983b49916cb3

SHA512
6c24f3bc4aa66d721e0ce88156b1dc1c57533b3383f8fb58c7c4012106121ac6900c69b9130bc1753d888e62e8103503272c2694f8a470cfaa07c7b4dbba22da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a7ea3f3a2f5488e4b1ae139a65c54e8f

SHA1
eeea9df39dad050530fe5d8dbbbd6f58430f3892

SHA256
e9d59423ef14c4ce3bc551051458b11b90d024c3c1463a1f085f6f179e4e9239

SHA512
cc45220c0bda01a453c7f109dac61d96b72f53e679f822bfce663d8433f43cb4ee5c060bdd996bc658e88ce45f23fb5bdb19a99d6dd856efc587d0cc183f3a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
103ee050d4a6fba8e33d7dd83d433afc

SHA1
a9410c9adab05abb7b091dc32598b0eaac5034c5

SHA256
ccf8d8c87dc319b44cedd6f7b96b9d272d20edfeb8bcb3c1cea682d925ec7aa9

SHA512
1e8a36f9f4e06278012044fb6cc01527ac73003b85afc33430daaddd951b0df4124291b004a07b6a99a6b320db8c4c3c9bca6e8de175875682877b7a6005b5f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a580e5f3ccd9b6705dba53000de2e8be

SHA1
5d459ba5c8a9220b4e0c4a206512e93029bf0007

SHA256
fbdce8f1d73a01b193fb7fdde2c4efa253d9127e3b3d08d2908406bf42474a58

SHA512
776cf6d275f069a3cc80d9b1d3cab6e2785be58ac5a800dde7f4e3003d7109a2882fe4f665c7c8ab2ded5352c12cefe2209b757f9e5a5bc5e6b53f29a233a316

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0S7OE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-53BHE.tmp\setup_JfkqQN8zu6.tmp

Filesize
694KB

MD5
db27fff497c241b83080efd96ea21dc4

SHA1
d545153fe0a3694df421dd79bf2d389ca1b256b9

SHA256
f27a4dd75435dea477405ad2fe2b4b16b1ac56a25e4ac2ba1333467c21d5e377

SHA512
c76b24fbed2fe4d3fa217f4337c9db54e76897b9675b37a2fbe99d5de63f51708fed566905873b8359bfc4b38d7a8b4623ab4b0a103e9996129313e1171bbc40

Download Submit
C:\Users\Admin\Downloads\setup_JfkqQN8zu6.zip

Filesize
6.0MB

MD5
83255314da75521ddbc5241a3cf8ac05

SHA1
6bfdb5866d0d17127a7a9e26cf4fd2ff4a5d2297

SHA256
9d82407032c100d051edfa0859bff7d00a06563dddea5f8e7241969f4df584d2

SHA512
3bdda9bb3524b6dd1643cb9ba5ac9d6faac0a5edd840888e8108a39214f6059572424330892f985d29ed0c295a08fe948a91d937284f656236f8756cb3a08386

Download Submit
memory/1308-375-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1308-446-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1428-447-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4852-445-0x0000000000400000-0x0000000000D0E000-memory.dmp

Filesize
9.1MB

Download
memory/4852-444-0x0000000000400000-0x0000000000D0E000-memory.dmp

Filesize
9.1MB

Download
memory/4852-448-0x0000000000400000-0x0000000000D0E000-memory.dmp

Filesize
9.1MB

Download