hxxps://ify[.]ac/1Ic5

Resubmissions

15/07/2024, 05:57

240715-gn455sthle 8

14/07/2024, 19:00

240714-xnnq6avfrb 8

Analysis

max time kernel
289s
max time network
305s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
14/07/2024, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ify.ac/1Ic5

Score

8^/10

discovery execution spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
3244	setup_gORHfqKNGu.tmp
4980	cd2mp3converter32_64.exe
3264	5EKrQnW.exe
2648	setup.exe
1884	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
3244	setup_gORHfqKNGu.tmp
2648	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2272	powershell.exe
3596	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 47 IoCs

pid	pid_target	Process	procid_target
4824	4980	WerFault.exe	112
424	4980	WerFault.exe	112
4328	4980	WerFault.exe	112
3588	4980	WerFault.exe	112
2160	4980	WerFault.exe	112
412	4980	WerFault.exe	112
2916	4980	WerFault.exe	112
4228	4980	WerFault.exe	112
2332	4980	WerFault.exe	112
2372	4980	WerFault.exe	112
2232	4980	WerFault.exe	112
4972	4980	WerFault.exe	112
5012	4980	WerFault.exe	112
4648	4980	WerFault.exe	112
3596	4980	WerFault.exe	112
1396	4980	WerFault.exe	112
772	4980	WerFault.exe	112
2648	4980	WerFault.exe	112
2028	4980	WerFault.exe	112
3132	4980	WerFault.exe	112
4052	4980	WerFault.exe	112
4652	4980	WerFault.exe	112
4852	4980	WerFault.exe	112
3204	4980	WerFault.exe	112
3900	4980	WerFault.exe	112
1028	4980	WerFault.exe	112
2208	4980	WerFault.exe	112
1916	4980	WerFault.exe	112
4432	4980	WerFault.exe	112
4760	4980	WerFault.exe	112
3112	4980	WerFault.exe	112
72	4980	WerFault.exe	112
1480	4980	WerFault.exe	112
4552	4980	WerFault.exe	112
4332	4980	WerFault.exe	112
1824	4980	WerFault.exe	112
4100	4980	WerFault.exe	112
1108	4980	WerFault.exe	112
4416	4980	WerFault.exe	112
2028	4980	WerFault.exe	112
4972	4980	WerFault.exe	112
1204	4980	WerFault.exe	112
2952	4980	WerFault.exe	112
2980	4980	WerFault.exe	112
3196	4980	WerFault.exe	112
1528	4980	WerFault.exe	112
5080	4980	WerFault.exe	112

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\setup_gORHfqKNGu.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
1208	msedge.exe
1208	msedge.exe
784	msedge.exe
784	msedge.exe
3376	identity_helper.exe
3376	identity_helper.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2288	msedge.exe
2980	msedge.exe
2980	msedge.exe
3244	setup_gORHfqKNGu.tmp
3244	setup_gORHfqKNGu.tmp
4980	cd2mp3converter32_64.exe
4980	cd2mp3converter32_64.exe
4980	cd2mp3converter32_64.exe
4980	cd2mp3converter32_64.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	powershell.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
3244	setup_gORHfqKNGu.tmp
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1508	1208	msedge.exe	80
PID 1208 wrote to memory of 1508	1208	msedge.exe	80
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2228	1208	msedge.exe	81
PID 1208 wrote to memory of 2440	1208	msedge.exe	82
PID 1208 wrote to memory of 2440	1208	msedge.exe	82
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83
PID 1208 wrote to memory of 4796	1208	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Ic5
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff63443cb8,0x7fff63443cc8,0x7fff63443cd8
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,16283472514132611610,10403283635926005314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:3528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2072

C:\Users\Admin\Desktop\setup_gORHfqKNGu.exe
"C:\Users\Admin\Desktop\setup_gORHfqKNGu.exe"
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\is-8CG8S.tmp\setup_gORHfqKNGu.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8CG8S.tmp\setup_gORHfqKNGu.tmp" /SL5="$802C2,6461016,56832,C:\Users\Admin\Desktop\setup_gORHfqKNGu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3244
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7143"
    3⤵
    PID:4672
- - C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
    "C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe" aeccfb950bacd31976e9d3f8e795b245
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 840
      4⤵
      Program crash
      PID:4824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 848
      4⤵
      Program crash
      PID:424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 888
      4⤵
      Program crash
      PID:4328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1044
      4⤵
      Program crash
      PID:3588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1064
      4⤵
      Program crash
      PID:2160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1048
      4⤵
      Program crash
      PID:412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1104
      4⤵
      Program crash
      PID:2916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1104
      4⤵
      Program crash
      PID:4228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1112
      4⤵
      Program crash
      PID:2332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1132
      4⤵
      Program crash
      PID:2372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 972
      4⤵
      Program crash
      PID:2232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1348
      4⤵
      Program crash
      PID:4972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1580
      4⤵
      Program crash
      PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1188
      4⤵
      Program crash
      PID:4648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1592
      4⤵
      Program crash
      PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1836
      4⤵
      Program crash
      PID:1396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1984
      4⤵
      Program crash
      PID:772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/bboobies
      4⤵
      PID:4676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff63443cb8,0x7fff63443cc8,0x7fff63443cd8
        5⤵
        
        PID:4288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1696
      4⤵
      Program crash
      PID:2648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1792
      4⤵
      Program crash
      PID:2028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1688
      4⤵
      Program crash
      PID:3132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1800
      4⤵
      Program crash
      PID:4052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1696
      4⤵
      Program crash
      PID:4652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1632
      4⤵
      Program crash
      PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1636
      4⤵
      Program crash
      PID:3204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2080
      4⤵
      Program crash
      PID:3900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2116
      4⤵
      Program crash
      PID:1028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2124
      4⤵
      Program crash
      PID:2208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2132
      4⤵
      Program crash
      PID:1916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2152
      4⤵
      Program crash
      PID:4432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2124
      4⤵
      Program crash
      PID:4760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2136
      4⤵
      Program crash
      PID:3112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1204
      4⤵
      Program crash
      PID:72
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2196
      4⤵
      Program crash
      PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\HsfrEMTj\5EKrQnW.exe"
      4⤵
      PID:1204
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\HsfrEMTj\5EKrQnW.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2160
      4⤵
      Program crash
      PID:4552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2164
      4⤵
      Program crash
      PID:4332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2260
      4⤵
      Program crash
      PID:1824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2164
      4⤵
      Program crash
      PID:4100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2272
      4⤵
      Program crash
      PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\HsfrEMTj\5EKrQnW.exe
      C:\Users\Admin\AppData\Local\Temp\HsfrEMTj\5EKrQnW.exe --silent --allusers=0
      4⤵
      Executes dropped EXE
      PID:3264
    - - C:\Users\Admin\AppData\Local\Temp\7zS0CC616BB\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0CC616BB\setup.exe --silent --allusers=0 --server-tracking-blob=YTIwNzE4ODA0Y2IxYjgyZDYxNmEyZmIwMDFhMDY2OTg1NzU4Y2EzMTJlODhlMTgxNDZlYmVmNjk1ZjBiMGRiMTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MjA5ODM5MDcuNzE3NSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiZmEwZTllNGEtODViNy00ZTY3LWJkNjQtYjc1NDg3ZGNkM2JjIn0=
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2648
      - C:\Users\Admin\AppData\Local\Temp\7zS0CC616BB\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0CC616BB\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x71a6b1f4,0x71a6b200,0x71a6b20c
        6⤵
        Executes dropped EXE
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        6⤵
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\7zS0CC616BB\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0CC616BB\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2648 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240714190511" --session-guid=39cba5de-5211-489f-a6c1-2b286572f7a3 --server-tracking-blob=N2E5NmI3MmEwNDJmYTA1ZmIyZWVkMWUyYWVkOWIwMGZkZTBlMDM1ZmE1MWNmMjYyYWY2YjNkOGE1OGIyNWRhZjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMDk4MzkwNy43MTc1IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiJmYTBlOWU0YS04NWI3LTRlNjctYmQ2NC1iNzU0ODdkY2QzYmMifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2006000000000000
        6⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\7zS0CC616BB\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0CC616BB\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x338,0x33c,0x340,0x308,0x344,0x70d5b1f4,0x70d5b200,0x70d5b20c
        7⤵
        
        PID:5012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1692
      4⤵
      Program crash
      PID:4416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2164
      4⤵
      Program crash
      PID:2028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2252
      4⤵
      Program crash
      PID:4972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2204
      4⤵
      Program crash
      PID:1204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1212
      4⤵
      Program crash
      PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\cwmZLuYw\whxGwEdaI8L937ift.exe"
      4⤵
      PID:3360
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\cwmZLuYw\whxGwEdaI8L937ift.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2320
      4⤵
      Program crash
      PID:2980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1784
      4⤵
      Program crash
      PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\cwmZLuYw\whxGwEdaI8L937ift.exe
      C:\Users\Admin\AppData\Local\Temp\cwmZLuYw\whxGwEdaI8L937ift.exe /did=757674 /S
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2308
      4⤵
      Program crash
      PID:1528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 2260
      4⤵
      Program crash
      PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4980 -ip 4980
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4980 -ip 4980
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4980 -ip 4980
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4980 -ip 4980
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4980 -ip 4980
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4980 -ip 4980
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4980 -ip 4980
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4980 -ip 4980
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4980 -ip 4980
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4980 -ip 4980
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4980 -ip 4980
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4980 -ip 4980
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4980 -ip 4980
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4980 -ip 4980
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4980 -ip 4980
1⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4980 -ip 4980
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4980 -ip 4980
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4980 -ip 4980
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4980 -ip 4980
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4980 -ip 4980
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4980 -ip 4980
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4980 -ip 4980
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4980 -ip 4980
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4980 -ip 4980
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4980 -ip 4980
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4980 -ip 4980
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4980 -ip 4980
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4980 -ip 4980
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4980 -ip 4980
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4980 -ip 4980
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4980 -ip 4980
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4980 -ip 4980
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4980 -ip 4980
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4980 -ip 4980
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4980 -ip 4980
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4980 -ip 4980
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4980 -ip 4980
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4980 -ip 4980
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4980 -ip 4980
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4980 -ip 4980
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4980 -ip 4980
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4980 -ip 4980
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4980 -ip 4980
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4980 -ip 4980
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4980 -ip 4980
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4980 -ip 4980
1⤵
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4980 -ip 4980
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe

Filesize
5.1MB

MD5
a7bac34961f182601ac051b2182b7aa7

SHA1
715c3fe1569efa98e364484a633c651d16c0f2f6

SHA256
901950d206da9af9b50ac4ad96eee9c7157cc1bd9d683f21c98d240e8ad6ee25

SHA512
f0fede361fd1db3193aafe536840fd2e04f060ed66408cad403ffd8f75fd8b55e5aa2ca2a50507f5a0a64a00c99341788b204b1fba1c39a1ceb56538c9e304df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
c0636f2d138baca01dbb2eedb99bf3d5

SHA1
3b927899db0f3e2cb510782592887dc02fc3e400

SHA256
10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a

SHA512
0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0f062e1807aca2379b4e5a1e7ffbda8

SHA1
076c2f58dfb70eefb6800df6398b7bf34771c82d

SHA256
f80debea5c7924a92b923901cd2f2355086fe0ce4be21e575d3d130cd05957ca

SHA512
24ae4ec0c734ef1e1227a25b8d8c4262b583de1101f2c9b336ac67d0ce9b3de08f2b5d44b0b2da5396860034ff02d401ad739261200ae032daa4f5085c6d669e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f3725d32588dca62fb31e116345b5eb

SHA1
0229732ae5923f45de70e234bae88023521a9611

SHA256
b81d7e414b2b2d039d3901709a7b8d2f2f27133833ecf80488ba16991ce81140

SHA512
31bacf4f376c5bad364889a16f8ac61e5881c8e45b610cc0c21aa88453644524525fd4ccf85a87f73c0565c072af857e33acffbbca952df92fedddd21f169325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
824ecb6d055dd1b28f91cf869f6d4523

SHA1
ad204c34864643b37b55a7ba4e215a8bf66036c6

SHA256
1f530323c90a3d16b1998069d9cc9f61e7e58fba9c1d8be1ff109288a8bebe04

SHA512
c92261518d21a33e9458d85191a7e3c0bcf40cc540533a51e629dbd4b93cc14e29071380a2b9ef7e0bd1f0ba8f62dcaf660c0e8d325f02e314d077eab4c8b82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
bb4ae28ac904cdfa9982bee72337dee8

SHA1
46f490d312d34cb034c7b3977052568ae4efe18f

SHA256
d62ee4dab77cbc0a50aaaac7f50cc5c383798b2e0e175d9f313738ca96cd757e

SHA512
cbb6882a3f8a4531313604fde21e6cfd85c09b10ef558c9b6ab5e3e29cfd489d8d13323886ebde60f4f4051a8a8f28e4f1af6ae84b6295524a0e3f1c10b55b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
797823508fc188374fdb77e99c9a6baa

SHA1
37b25e483a36e21f77f7cb4d14f22ab3644b6f8d

SHA256
98a3b0ae371f407d43b60477a03f514d5a28453890367dc74037c97d3aabb0c2

SHA512
9e76e2c0c32c755218f808d7d89842b2d69b5c38a48e6ae162053f2217093d053409c63d6dec0bd0c31e24451ad3f65d4bc23667a4e213cb97bf8330e18d52c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
11dc4f85d6ebfc7b56230acdd04c231d

SHA1
fa83470fd62063629a328f7c1133024a40a56149

SHA256
f98d9ea57a8d18298dda49fba6f830d21e1d0d3d0b232e3efbd4f36f8f7ea413

SHA512
f98c1fff1b2c6aad36cf3e4cc9bb86ee3746dfcd398e10039459577db20ebe714d8cb824cd22effb80f598eb4df2d336e868d3d576c01a11cd8eb7527d5dfecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
79dedca503ac0802cd6086f83d830edf

SHA1
f4767861ddb737c12db800aab30f11739729d8a0

SHA256
f4775cf309cc202ed740a7ddda60571955aef512695c24c6729b3eb47e380ab5

SHA512
a73d4c3df1b785e0f9e27b4233e9fdcea8832754485dfca334262718531e641df1be36d52cce7c1313a7b2210c8b76cbd7bd950a9675bf61a0c5193199de66e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f27f50e5cded33d77c1dcb7e53e8456d

SHA1
2af652cf4e62b73ac2046927f11f80f3172f01e0

SHA256
4393df6ad2d13a6a042543ba2bd857a7467369378b16b9d51fe80d64ac0027df

SHA512
5a4c174e224f6fbe547c58bf9dda93cdcdbdb7b93b17f66b59e05f4157490265a9740d8e848de6d8c681bb38922699635e89f494bd9b54d41125494059e05258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f0f030cc26797db7e60cd0969247dbc2

SHA1
9ec695d82dd3da7aec47709f0daac827a5a0bb50

SHA256
f9717dabb6a8dffca0190401ae9d497ef2dd260f6e16592856c85edb89fe16a7

SHA512
c806dd880cabf1548c7819fb04a2da56df21e03d716305a96badd987b196fa3b8f6a5fd06b2687028dc6bc9dc6761cf3d9539d8a9ad22b0bf2185d740a599c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65121da5ed0978b5329235e8da40aaf7

SHA1
2ce78de4746e86c90130e4c3e00d2d7306c92d70

SHA256
9cf89b8426d30edf39d5ea41cddc3217c508736a223c92547172360f7d4e9d77

SHA512
41fef4fd51268b55d7e762641a0f041fa3907a1b16a85e38c37500bb2e57fbff289f0097d0fe6ab5f0d89764ba80e0390292464577c4c292522001ffe5cc2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
431aed1a40636efdc4d92a54164f0842

SHA1
01aa6ff1a66246882be732da4d62245ef53177c5

SHA256
3a58a158f51c585821d1e375898e6b27a94ed2828b868e73f20f90a866abd6a5

SHA512
746743da73b2e29e7fb6c48713aa287beb9be9fd5a339331027cee71bea4d86126c5a4a0b60c1115e967a18009e3005a13af3f4d1b5eb1d7115a58a8013a8323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5565c325639bc38cf8f61c886c50b392

SHA1
7d16515f7b7607824e0d4099cab5177ed08c3e10

SHA256
944269b4ade97ddb8ad90d4109a0630170dad9cae1b856644d26923683ba597d

SHA512
ffff93391ec930ebf564d7abb500508e79f8214d8b1cef2be89318c4ca744a6e414dc42517c75c8fc16cb467bc7cdc4c55cece28c0cebb14d31b6844bf15e942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ed6d.TMP

Filesize
48B

MD5
3737261bda2472c833dc164f3021d63b

SHA1
1e976de495caf3d9d9dc2ee90a440bad92d1b69d

SHA256
70fc9e0c396accd440e50909d654329088345bb46cde0e2712d57b2d9f5f5f6e

SHA512
5646e3e703c4bc5b1bb8aad993609d009f10fc5ce4fe6cd5cf56b803f03fa1c4e820bda7347efef3b71e59962b40252c6a7dc82754b90cc5eec49d04caea43a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08fa62be4d27b3d5cd8465cd01ed5140

SHA1
46a456c6da1799e394458506c2bb72b0e6e42ef8

SHA256
a02f8b01c4c95468b6cbcd0a44f17b77f5b4d2fb42b137afb3ce36bb7c370d98

SHA512
c69a0190201b7072d55428e87b9542b8dd79c567459d6e53a126b39df12d12f34d793b1f5992d4413ae6b0e757a13d6e1c14bbed121857f76ae7210743b70d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8c5b35735d295cab6881b0d965a2b86

SHA1
a263c1632149f773eccc3eab98cefcd70fcc7bc7

SHA256
f48268d763d79d024d319667f4b2d500b1b5c3e559e931d9c79d9c89038224a2

SHA512
8567236ea55c40842d4067ea1623a7cf33f0798052c58d6a56e7e75d465cb0f70a8cb18975c260db9833245c8bda55809227ae242f7c676b2cda6f9f79d031a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
540B

MD5
9ac34e3c1f4b3a1c3293467f20403944

SHA1
ca98a81f49a1cc240c51a916ab7494e1adf9a7a5

SHA256
9f45276bc7222ee1996e7ee3bfb220e2666dc53672b66d9422733af8ef6f35af

SHA512
aa87ecdca93f816dc4b6fd955315d5d6e859005c6ef431158f71feba7024174b609c7648c46307f72634f80b9567df83bf49793dfac8376c1e41def42c713c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
125d5169e5a3afd03febab2099b95fc5

SHA1
89227c23f7c4d57ef3071d80c2e912f1e5bf59d4

SHA256
4b81b8982915dba09485616a99f877174393a67fe89ba6839de06d922ba422b5

SHA512
ad49c23dedd0c8b5c63193ef0c09e729c169a73b7f67e56d1765a84ec5e2b8476f1799e0059cc524a4d423c11b90ef0220e57a982a865d1a43234a01d20b2e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ddb1d5e886e8290f92d08a93735822ae

SHA1
bc89f14e22d649df2312bacd89feb95ac861e583

SHA256
8f26848cfe661f1065585faf91750a4db383e1b21ee42f6511417f31a71732dd

SHA512
88603afd0993805f893404d4dd37de992a94faef67126fd4d573cd1e155975516f571062ce471e516a6166f74d984c205c9851ad4f8158d28e26dd0997b43a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58052b.TMP

Filesize
540B

MD5
729c31ab19d245e597847dd55616bbdd

SHA1
076cac787b35644b157ab9dae2182d9f914b7fd0

SHA256
460b626db7dc123a0fac3d09b789d11695cfe0258812ab58d06c3c109d519904

SHA512
a6bf2abbebccbdcca56887a332ab98af4abc21a57a72570bcb7f9bcde81c20994c8dad7891ad31d594dc2d1ae7f1d0ab1ff6a57b77f610b32aaa10e49e1060a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c91e220a3b265671ed738c1997d4df2c

SHA1
577664588f64908bcfa4983346f410682d1c9822

SHA256
63352f606c2e084f247ca1267a26fb55858b6562c78bd3b316f6c0b387c1033c

SHA512
5cd1129e4e3653d5866296061250ab5ab57e11e47fee95b87ee0ed706de3d2f6399b0812aa43d28abd1e2dc55797a32c5ad6acbe78f8db58d728f1ce9844afca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
15059da9a96f557822775068dce7374e

SHA1
f671c27fd20fd3793de4781b642d9d7528088e0b

SHA256
7ca8f5a1494cba2989faaa6951e8fa7c529254df5448d9d621d286a3a84c6701

SHA512
069303106f207b1df7c140cca2cd763afd62056288b2bee55591f3ef98f7c07bd5605cf43e73674ee56d4258383acb3e62e3d7929ca210cb728e36ef73f56f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
dd781837555402b6fc187ae833763838

SHA1
66f0e5522a1f1b3f811fcd73764c5af7f615d4ac

SHA256
c1437e153ec89eb9fa45b21645b0c7a77e8d5e286bb22e71347adab2240cc253

SHA512
1baa5e78055d5ab5443d8e1036522359537dd495c150258fa2d98089f156ab308d573fcd6501953dead6e0ce6351d869a953290c8d0f6039117f1a2828c3deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CC616BB\setup.exe

Filesize
5.2MB

MD5
9f1b088ecc5e2f36939797060e8f5956

SHA1
78adf95b81e539d1450c61a8d135f5f836bcd4a9

SHA256
1caa0f7f2913218f5bcd069a52aad482396914780d89f77c6610b70b36dc1e13

SHA512
6bd73db75e7c7493ac6e03e745385641c4eccaeb1d8e96a2b157e1d4043d42990a05edd6702f28e25d4a25d4e39295739f1a6a6ccf89e629f6010ee8ebd66212

Download Submit
C:\Users\Admin\AppData\Local\Temp\HsfrEMTj\5EKrQnW.exe

Filesize
2.0MB

MD5
0819c526f1e6c65399a07386d994ba88

SHA1
13331f1fc16adb86a7678fc2ce5b323ef17e9392

SHA256
29128eeb9e9cce39f384d795831c37a0d5c8f3a86264480a31838326408328c8

SHA512
d84fe580cdb802e42fe570bfa9602b0a5f5ca3b32a6a39dd8420768b80efc95096690b2cca6f8d96e8bbde735f79297c74d26d5bb2c44c6f8a5e7b6af800b0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2407141905108342648.dll

Filesize
4.7MB

MD5
82234053e684a16ea0b40a7f208f3233

SHA1
00381b28887a12f9ef8ee51cdbcc4320679ae88b

SHA256
23bda6025409f7e0a044b10644f4bace9772426312a969552931291306917c23

SHA512
be3235cc7d6ed941ced36cdc43a87ffae3b5163cacc12c2cbe6f320b6469d1c16d0bf2e42558df504d2c1a12d0234cfd187438830a59554696864a234de5f357

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlxsh0ra.xir.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwmZLuYw\whxGwEdaI8L937ift.exe

Filesize
6.3MB

MD5
85521f65a8457b496a15051e1f7b2f4e

SHA1
64e28d4138d9fa800f10307eee7d2071d46bdbf8

SHA256
85cd566ed279dfaf3065bef880abe588fb8f4332789d64749b9261e854e15e6f

SHA512
346772018d2c5b11950683ae21052083cf6c2fc46208a9f9b538f206d3ae0f51bf92b34d820a2acabbbcd026702c749f10d929877427f4c692b25949cbe9f474

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwmZLuYw\whxGwEdaI8L937ift.exe

Filesize
6.2MB

MD5
970d7f500bffeacec7003e642c8d97ad

SHA1
f8228c7b125c93a4435bd526562d24e33ae96b2e

SHA256
e022d6189955e62551edc2de2869045dfe333fa8e37a7508633d863a1546318a

SHA512
524ceb617f17bef9f8e13d7a407d51236a3253708d397e2e72123c05168dcbaf8fd8dbeda764f435f3af976c421db864c5140b274041aa31d2ae1be8a3cb4e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-20RNA.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8CG8S.tmp\setup_gORHfqKNGu.tmp

Filesize
694KB

MD5
4918b8c5c86bccebb8ebd8e0ca1974e4

SHA1
97c9e584873d142bc5376f706c45cd3759fb40c3

SHA256
24212e4cb8e55f1c34dbb62e1ffa94f049d87eb562c8edac0172bd89af30a7a1

SHA512
aacd6894066f329e4b8eccc355edcd6809d33f572d8ece0fa3f13e2fa1962a71a77fd414510d59fcc9ab52d80bd504f6cabdbe6a7d773300675fe7882efe79a0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
bc840347d6ce8f2de6cd6b63cd1d0795

SHA1
a2d3e6b6e6083f9bac5e70e95113bde215ae38b4

SHA256
509e9c4d116457451809a1954a97810dfc2ca2cd0580fae6401f8049428900a0

SHA512
ba1c3ff06228df3e7b30796f0722ad446504fc3a4ee71b7ce785fa70bd15cdc4082cedc1ba14fb887ad1a452fecc4d4843f5d5c0a272be21c0e30941671004f6

Download Submit
C:\Users\Admin\Downloads\setup_gORHfqKNGu.zip

Filesize
6.4MB

MD5
d99a7840918ded0927002f987bca02a2

SHA1
216669ac8208f32b1206e7456ec74d4178905cc6

SHA256
4075aab64abbad8917cf40697db37214b8a03de0aa6a8cbb1afb52b28fb4843d

SHA512
81906fb19c7c9fa24b1ce35b23c79cdf507d82832a289215807f35babe2916cbff9be66b5f25e500ff30cac064239baf2bfe714410ffc03b971b5de9d8f5c258

Download Submit
C:\Users\Admin\Downloads\setup_gORHfqKNGu.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2272-504-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/2272-491-0x00000000063E0000-0x0000000006446000-memory.dmp

Filesize
408KB

Download
memory/2272-502-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/2272-501-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/2272-503-0x0000000008180000-0x00000000087FA000-memory.dmp

Filesize
6.5MB

Download
memory/2272-487-0x0000000003120000-0x0000000003156000-memory.dmp

Filesize
216KB

Download
memory/2272-488-0x0000000005CD0000-0x00000000062FA000-memory.dmp

Filesize
6.2MB

Download
memory/2272-489-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/2272-490-0x0000000006370000-0x00000000063D6000-memory.dmp

Filesize
408KB

Download
memory/2272-500-0x0000000006450000-0x00000000067A7000-memory.dmp

Filesize
3.3MB

Download
memory/3244-482-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3596-609-0x00000000057D0000-0x0000000005B27000-memory.dmp

Filesize
3.3MB

Download
memory/3596-611-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/4980-483-0x0000000000400000-0x0000000000D18000-memory.dmp

Filesize
9.1MB

Download
memory/4980-466-0x0000000000400000-0x0000000000D18000-memory.dmp

Filesize
9.1MB

Download
memory/4980-465-0x0000000000400000-0x0000000000D18000-memory.dmp

Filesize
9.1MB

Download
memory/5116-396-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5116-481-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download