hxxps://ify[.]ac/1Lcy

Analysis

max time kernel
97s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ify.ac/1Lcy

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3572	powershell.exe
1324	powershell.exe
5336	powershell.exe
5944	powershell.exe
6132	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4684	setup_gw3DvMM1Xw.tmp
3288	divisionzex.exe

Indirect Command Execution 1 TTPs 1 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
6112	forfiles.exe

Loads dropped DLL 3 IoCs

pid	Process
4684	setup_gw3DvMM1Xw.tmp
4684	setup_gw3DvMM1Xw.tmp
4684	setup_gw3DvMM1Xw.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_gw3DvMM1Xw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_gw3DvMM1Xw.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	divisionzex.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a000000023549-665.dat	nsis_installer_1
behavioral1/files/0x000a000000023549-665.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3936	msedge.exe
3936	msedge.exe
3344	msedge.exe
3344	msedge.exe
4192	identity_helper.exe
4192	identity_helper.exe
1928	msedge.exe
1928	msedge.exe
3288	divisionzex.exe
3288	divisionzex.exe
3288	divisionzex.exe
3288	divisionzex.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
4684	setup_gw3DvMM1Xw.tmp

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 3828	3344	msedge.exe	82
PID 3344 wrote to memory of 3828	3344	msedge.exe	82
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3976	3344	msedge.exe	84
PID 3344 wrote to memory of 3936	3344	msedge.exe	85
PID 3344 wrote to memory of 3936	3344	msedge.exe	85
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86
PID 3344 wrote to memory of 2300	3344	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Lcy
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa23db46f8,0x7ffa23db4708,0x7ffa23db4718
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,12672522417870864375,10981937516534830217,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\Temp1_setup_gw3DvMM1Xw.zip\setup_gw3DvMM1Xw.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_setup_gw3DvMM1Xw.zip\setup_gw3DvMM1Xw.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1192
- C:\Users\Admin\AppData\Local\Temp\is-JN3TB.tmp\setup_gw3DvMM1Xw.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JN3TB.tmp\setup_gw3DvMM1Xw.tmp" /SL5="$5028E,6606236,54272,C:\Users\Admin\AppData\Local\Temp\Temp1_setup_gw3DvMM1Xw.zip\setup_gw3DvMM1Xw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4684
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "division-zex_9281"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Users\Admin\AppData\Local\Division ZEX\divisionzex.exe
    "C:\Users\Admin\AppData\Local\Division ZEX\divisionzex.exe" ee943def5e0ee78390b2cc813d7edfe3
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/lk2c0qf6y2j1r91/SkyRant.rar/file
      4⤵
      PID:3864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa23db46f8,0x7ffa23db4708,0x7ffa23db4718
        5⤵
        
        PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\GXWBVEIn\nobu6KWM2XlGXWu6u.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\GXWBVEIn\nobu6KWM2XlGXWu6u.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\6IPaCWZE\PLwO1cP7W0Dcf8aoX9Sk.exe"
      4⤵
      PID:1144
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\6IPaCWZE\PLwO1cP7W0Dcf8aoX9Sk.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\vuWEmD0U\3mhyJxFt.exe"
      4⤵
      PID:2232
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\vuWEmD0U\3mhyJxFt.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\9NPgx1Ow\KWlbU7VyHz1bSyTvd.exe"
      4⤵
      PID:5536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\9NPgx1Ow\KWlbU7VyHz1bSyTvd.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\vuWEmD0U\3mhyJxFt.exe
      C:\Users\Admin\AppData\Local\Temp\vuWEmD0U\3mhyJxFt.exe --silent --allusers=0
      4⤵
      PID:5612
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe --silent --allusers=0 --server-tracking-blob=ZjJmMmM4Mzg0YTIzOGU3OThlZjg2MjdiNTlkYTZhZDUwMDU0ZWRmMTRiNDQ2ZTcwOWQxODQ0OGJhYTNhNmM1ZTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3Mjc1MjAwNzUuMzc5OSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiZTViODYwMjMtMTNkZS00YWQ4LWFkZDgtMjk3ZjExZjEyMDA2In0=
        5⤵
        
        PID:5796
      - C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x324,0x328,0x32c,0x320,0x330,0x6e7069d4,0x6e7069e0,0x6e7069ec
        6⤵
        
        PID:5960
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        6⤵
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5796 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240928104127" --session-guid=576bde3c-588f-46ac-8ceb-bc864fc26dcf --server-tracking-blob=MzE4MzNhMTU5YWJhY2U2NDY0NjRiNDYyNTFjY2MzNDM5MTk3MjEzYTQyNjUxMTVjYzM4NGE3NTAwMjcyMjA0ZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyNzUyMDA3NS4zNzk5IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiJlNWI4NjAyMy0xM2RlLTRhZDgtYWRkOC0yOTdmMTFmMTIwMDYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7404000000000000
        6⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x320,0x330,0x334,0x2fc,0x338,0x6d9469d4,0x6d9469e0,0x6d9469ec
        7⤵
        
        PID:5320
  - - C:\Users\Admin\AppData\Local\Temp\6IPaCWZE\PLwO1cP7W0Dcf8aoX9Sk.exe
      C:\Users\Admin\AppData\Local\Temp\6IPaCWZE\PLwO1cP7W0Dcf8aoX9Sk.exe
      4⤵
      PID:5780
    - - C:\Users\Admin\AppData\Local\Temp\is-CG5O3.tmp\PLwO1cP7W0Dcf8aoX9Sk.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CG5O3.tmp\PLwO1cP7W0Dcf8aoX9Sk.tmp" /SL5="$20344,2960999,56832,C:\Users\Admin\AppData\Local\Temp\6IPaCWZE\PLwO1cP7W0Dcf8aoX9Sk.exe"
        5⤵
        
        PID:5836
      - C:\Users\Admin\AppData\Local\Play Glock\playglock.exe
        
        "C:\Users\Admin\AppData\Local\Play Glock\playglock.exe" -i
        6⤵
        
        PID:5532
  - - C:\Users\Admin\AppData\Local\Temp\9NPgx1Ow\KWlbU7VyHz1bSyTvd.exe
      C:\Users\Admin\AppData\Local\Temp\9NPgx1Ow\KWlbU7VyHz1bSyTvd.exe /did=757674 /S
      4⤵
      PID:6084
  - - C:\Users\Admin\AppData\Local\Temp\GXWBVEIn\nobu6KWM2XlGXWu6u.exe
      C:\Users\Admin\AppData\Local\Temp\GXWBVEIn\nobu6KWM2XlGXWu6u.exe /sid=3 /pid=1090
      4⤵
      PID:1376

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
1⤵
PID:5848

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
1⤵
PID:5632

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
1⤵
- Indirect Command Execution
PID:6112
- C:\Windows\SysWOW64\cmd.exe
  /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
  2⤵
  PID:6096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -WindowStyle Hidden gpupdate.exe /force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indirect Command Execution

T1202

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Division ZEX\divisionzex.exe

Filesize
4.2MB

MD5
9798f019c4a81b06009db7ba96d29413

SHA1
7ca903d01fa8103ab9dca8e451005064fdc4f3eb

SHA256
298dc7219e7145e9e41e4b8a9d658b7bbc345b1590fbdc91b4897deabeb91fb9

SHA512
a814605177fc3755101b07803e8fb4c97f17e1d37cb40a496fc1ed96110fddea858c13a7a3bc8e0c767dcf52d9a7367dbc50b34c9aaf010f89d66caa79ddee68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
0d60a92aa5427766a8731289449471cc

SHA1
cc01d42ea1a6700940ee2d44b120c69295f3d310

SHA256
3fb609971d9f6cd7d122f1284e9e09a5c219ef2a11f4c1b76afadcf9dbeeed0c

SHA512
7b9b4fa99b4f96e7829cfdcf9ede67d925dd66e4be5a6c1b3c0563593bc70c015bbee96068f681d710b20e5e8431452e8ab17e3f6101f71458ad6fef4b2a7493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
fe52036fc06d17a3ff2878776477958e

SHA1
88e076de5b538e49cade2fa7632440123d464db3

SHA256
9baf088ef6406baf6eb17e685fa15aa856e868d268d65b745c22681a5c873b9c

SHA512
ef69b2a26b6e823a12f1b0e07cf14f646ed354859d88f15ffc43b132ba823f7d18f732162af3e1c93976532c1c04f24ae7b37fd2630fa0ed91b66c96f72bb1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7b39f0e39252825765ad7cb313003341

SHA1
2a880e2e8b4a3364f9191ffb6ed0cac98784c7c2

SHA256
b862326555842c3a9e87fbfbded94108c2c8041bc06ae9e7860fec33b1fb263b

SHA512
a56309662e4657dcf8c2054bf6fe630cc13b64851b1ed8940e841f35772baf706b37b5d57b5df5c3b97f726f47c30ee2c85b959734e347e1e998ac442350a995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fec8fb19e46e9b11c03007909bd9c238

SHA1
580f89a31afcaaf1558ae2c8b7e0b1402ca0e138

SHA256
65c28c6a88382867dd0bd1f443139d417367d368e61e78d244ba1674d8a7eb00

SHA512
b391a9c8b3002638948629511f899b6b43de7d5ac11fe7467e4a17769f5d0b64f451b6e4a4f3d73cc0d4c4c1dc76ff496c92a039ab63ad531e5293d44a15ccf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b03b1deb5b24a1ff91456f2c92f72b60

SHA1
1b0761a59bb25887a0854ccdf998a0f12ddf23be

SHA256
85bf3f3c0fccf3af713b0d59e871e74bc6cfd1e00edf76c260530519a1d703e8

SHA512
3c75f76089b77f220a56b90ddc63bd5912e8f423ed5c6182da593688ddc1017ea904e1addc5f7938cd6ec010155a4a19ed836e1a7c0bbaf7b1ae5aac2c808230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
979000e602ebf8be677b11569bc3dc7f

SHA1
4c2b16f34d8719e50a12cbd2ee787a048d75ba47

SHA256
d25a4a9df7427dbe255e4fd912228b9787c0672d49da71eb8d8226cb06f93f46

SHA512
d2a1241caae43c4eed5509119bde0bed82598eef70e0e8d635095e97b32109098ea1ff08e8f5fe38591338e4ed6f49985acca9697eefee6d93447f352c02ab71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4e9a47c64d1c450d9bdccac88036115e

SHA1
87adbeb0005c68536ca3564a93923b83c87f5d7c

SHA256
05c58afd8f5ad37acc32df1f01667037caf46aff4a51a2c91191f474a69dc3c2

SHA512
c2743c2264d3333123086d12a4a79ca352a39701f0093b43b65d0b3a92c77be8eb225eb45856750ea3515de62a48e1804b7c1501628e141f0728a8c5b49e4af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
188ffc31c84df83e645bd0513800a5a4

SHA1
36bd68d624567ba7a416a4fffe53befcc4b7ae77

SHA256
79c328395c26970979e194d3f639934c5cb62f045646b755cf0ca715c7c0818d

SHA512
48bec04334c214fc1f2bb29a491d86b25f1a34b55ebe3d676a11d8ae1c6baf6dab3d8749450c82d170e2c2def1d540975dfd13a0afddde236f575206cd9e7454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
90a29b1ae74e290e8e0b61ed8d2a9a8f

SHA1
01d344131055ef2e093d7bdd5367d70cd15b3000

SHA256
1ee12f0942c05c4e04f2254de24af7a3554623b417b1f1c8d9de88107a3a3656

SHA512
959f2e97fa9e1985de6a57b7a4009d1d81887ce4833ec6c7747d16e7547edd58d02d164b310de9b84f853c3ca808239a6f8ae02b0aecab38d62d4da8684a8c4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cfd3.TMP

Filesize
48B

MD5
d24bbbc66f183a52af00a2d8da3c8639

SHA1
52c55c97932e078c14aa4f56b240161540849462

SHA256
eaa6e1a3189165cb56c3495769712a3c005d4a9477f2fe88e3261404c68302bc

SHA512
4eb4f4ad4b602d570cb25c629a412fe4bb0e246f84ecca840ef078c235ab6dc66366476f0158dfed9f0ed7ed0f50da6c4945ca5c1759a700b2c477c7d64a39ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69295b9ccfba2eed8511effc7fbbce4f

SHA1
6db7ca74a061bd9975f1cd5556ef70fa8421ab9c

SHA256
72a3b43d53db695e0fdec31686667071dce3c6e364eb8439fe172e92f7600718

SHA512
437746cdc2774dfbe1b4cca5f5dffacd4f6e1608872988396e47ab6570221bf66f4c48bf80d5845f225557b193d32082282fd63b18175298179206668c1007d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5041f51ff2fa17884485d1b3eb29ea0d

SHA1
b0449b4c549336bcac3ab5f31babbc70aca170f2

SHA256
71138051a33cbdbe6c6fd0417ef1ef878b1fd929725ed40e6a10de977b1ab7ec

SHA512
7af97a9d8f7c2b1321cb744b4ed97eaaf454704059a45ff3d01a68e3ff03e93e06a609a18f86989e9dd0898dcafbcdbbda56078d4a9f885e576934eb409a47fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e52670bdcee715e9bb5e6f3d384b040

SHA1
479addd283b816050adf6c56b5b538c29f3cc35d

SHA256
37810deedfdd3f413a6a0be5df0dc6c6a92dda2a22d27f6b7463849fd06966df

SHA512
f5e274f5a84b17dde7b4bb5ab4b525a4ce58dd8e2fdfbee6a454f41fa8b87b0b0ef89229f1fc608d3c99baafc72c04e96fffb35869cbb25cfa1bc6eceb46bc43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d503.TMP

Filesize
536B

MD5
cb3e929fd9690d76dcfd600eb7d3e8d1

SHA1
f850028c8e05cf86dcd513271565c2951a17df36

SHA256
6b3f6f04518861ccf06dd63b7a8f35133a5d917d155459ea8929a5657bf6a758

SHA512
8d36f45a1c0e1d2b5760df9e9363850bdf72b037710443212d8287704ee67b0c94a8b513bb7548df066afccbcd0cd7fd98954a001485c577c39ee5210b817173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f72c7412fba8d89854700fd63837bef4

SHA1
785c79edf620e013f67a1ed67aa33a39891d14c9

SHA256
dea94f704d71e540a8031296eafe969da2674a9a4675bcc76ab7aa1edde8b209

SHA512
61cedfaabd93407dd259f2f65c10ae882d953d141b87e69a438e92618c7b5800b29410ca46d99c3abcd1c2056be3861cc36bb989dc79615219346a6d07f68953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8d5280c73219a358c773d8f922daef79

SHA1
5c52717174d32707982c1c8aa49f1186b79f0771

SHA256
38b2fd8bbb29448ff6e58b8585544de4f4d70c01dd94975142c5dbde951728d3

SHA512
83e2d0c41f34cdf2034d6c9d299e457b5eb3c083dafcd44086025907d4149469f8fef2e6667f488da23437c1fbb3a32aed54e428ed0bf2102274c4bbb10dff5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8c39173c66e354555acd2f98d8b46b22

SHA1
870ab61ea29090dac4e27eab4d74e345b959252e

SHA256
a986ef862dab6902e3d17bbe13f6e8f6bbbfa858e85b6e7f777325a30250628c

SHA512
57a44be068bc2de927fe7b873cd37d7475796a95800c0e8c9233e598fc76637f77c8a2857b20a28e287e36ec64f2e9f8a82cd20a6a13f52d1363f983a4e957fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
10KB

MD5
96df2c2998e7ca36ff93106c84db56e2

SHA1
c6c504bb8c5bf51512b692e9da42bb06b74a2e1b

SHA256
38c091bd1d854f17ddf04b6a896d8eea633e68041bc4711f7636f4cedbe808b0

SHA512
051b3d5acd6cc410f83911438b1617e87ce82c97bc476c14dfaebc425ab983ab1218bc1a5751c5524110ce1120005af32386b267cdb41879c4c911587ee427ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c3be5ca2dc00b9f16342f9058d11d1d2

SHA1
6c8323585af67321d31d32406dceb9a3ecb9abb4

SHA256
63d3891e968818724d66366ffaa4e04a5553f70c638e1234025936c0e0fad4b8

SHA512
d1f59ed705e6e3660c7b5f4ac5a6587b67af7df6f0473f7ac70ed97c1d3324b933a7ea1f9af2658100ac0326f4e9978febc0c668a4f574e343693f26618535d8

Download Submit
C:\Users\Admin\AppData\Local\Play Glock\playglock.exe

Filesize
896KB

MD5
08fdda2c01f323a0b48cf6ce67233456

SHA1
3e7192f3d6a40036df2bef79659b2c38a27c99ac

SHA256
0875b3c5dd8dd75d78c682c53d2201f16728afd4f100a08950711052ba3cee38

SHA512
682f8bf4e678a1c4d1a6714eced7724947e25716cd514e1b00ac987676652b1428e3a220dea9028327ab40dcbf2c7a187603bed2b94e697d58fb3b3126e6a26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

Filesize
1.8MB

MD5
13d16fe10b3a5c6192f103f848b5ce1b

SHA1
d1898b7e6687a23c02cfc63c42b3648d1c1902aa

SHA256
e4c34ca22f7fe828db006365809497315a4dc8bc2d037880926a5f072f603bc4

SHA512
826687d01a0a9cf362de00c7ae5b04e46160fa2d1a5a2b014aafc9ca315161407b9f53438bdf70042ac4837f0415b21f521a1c3072c2effdbca0f9ce694fef6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6IPaCWZE\PLwO1cP7W0Dcf8aoX9Sk.exe

Filesize
2.8MB

MD5
a6e72f900a7d00686d0ddfe8a0b3749e

SHA1
a5d0cc9b84d467b9b2c8ba6dbc4dd2b49e8dd537

SHA256
bf4fa08f5648a00a9bf0e4b1cf3489189276d9eff63e533cfa005e6e19d16f6f

SHA512
96d3a070123e5929776a833a0bed935aa7576ea85c9af236187fb390422b91be4192906a04eb93eb73fa4b9eabe32192b61cee545b41d21aa9f6f0f744096372

Download Submit
C:\Users\Admin\AppData\Local\Temp\6IPaCWZE\PLwO1cP7W0Dcf8aoX9Sk.exe

Filesize
3.1MB

MD5
3a27bf3ec4cdb80d895ee42e4af13216

SHA1
c6274ebb53c342b93d2f20b610de7bc99c08051d

SHA256
0635763daf37b13df5db5d4efc455bb092692628294f88bccba95306e07eb012

SHA512
a84b07835bdb6799b87aa4e40010f20b72921b57a3cb49ac4819df16debd246832fa3ad8739a812e86223037531490dd50faebc8dd0a40b1330b486c1b343d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe

Filesize
2.4MB

MD5
6402c1c890c7bf0c57a5fc9f96815b37

SHA1
a8f2833d0a4ac4324ef4841e221c3f4d612ee069

SHA256
db777492c1c37af983b84df1d4b08673917a887d3022d4bf223d73b572e2a62b

SHA512
275a050e8679ac63fd8bfc81ddbb68c1ee8d7daaca26367ef5642eb0c975b4eef15d09a132f4839c1d5ffdbd6313da38406a0c5a111df5345f1647e26f0e57d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe

Filesize
2.1MB

MD5
0ce7155b3a1c6b1bc28a2d59b9f59c7d

SHA1
92d437b7e06d163248c2905775433a0e0c8a31ad

SHA256
a2abb021a3a74313b466c4a9ca9b61816e4347cab184fb3d2d87e2f5a5b1d5c5

SHA512
559b99f9a8b25714557e09462a9cd7e1a68ec289258d2682e404a6494988cad7e2271c0440de62ea0cff590966ddfff09d2ac021c976135f8906be4b4c52bc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE5C9D88\setup.exe

Filesize
1.4MB

MD5
ece1c69027220cf6003b0f0e8d1c22da

SHA1
c1f54c6f85bf3ac1631db1ef6776b1cd5f10acaa

SHA256
62f6778437fb64f8b4892641920ef31f613e61b1f98effc4a876f7a6b9ac713a

SHA512
68fc471caa878db3c13e91b68cdcab1a51bf76548d398fa56ee65848ec7ad1284b64d7c3d09d131c244e0afaa6520a7dc0b6f94f56ca01d1a2728e930c9a1213

Download Submit
C:\Users\Admin\AppData\Local\Temp\9NPgx1Ow\KWlbU7VyHz1bSyTvd.exe

Filesize
1.7MB

MD5
e5af91cb71dc6a2867b6efa076e7af7c

SHA1
6ed565cb7375a019d2a494bff3ea983186e238dd

SHA256
3282158b243949496e3d9e3d56a72ef9cd440ab3be40b145f65bea28053e8e02

SHA512
be945dbd5b381229c79138c51bbd8c2f281cbcea760fa3f06c35cac0104f94e4e5f76cc8858e35873acbc5184ce549440f7dc683eb0a147103624689c64b15e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GXWBVEIn\nobu6KWM2XlGXWu6u.exe

Filesize
298KB

MD5
4ebffced85203bc1c3c5d9f3afd1045d

SHA1
35b481018a1087dac0fb57590a57175f51783a34

SHA256
5310a58317bf00aff0e0d9d6f2008b3389c5298b2c53513fc3ba08e887fca864

SHA512
399315951deecf039072779a28fa536b611895cdda6fd570652ddecc6be0322973dc335169955ae0d3018a5687a18aeab45fbfbf80a2a12cdfe0b47080fe8bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409281041258745960.dll

Filesize
2.1MB

MD5
1c35cd7288c7632f0611cc91b0dacb71

SHA1
9613c3da546d283bedc347695e0bdd3127c0263e

SHA256
0c7af8dc0092c2888c76a69878c3eb14ce39f2a1d7f26e4055437eb79f9b0f01

SHA512
7e73adbf0ba41fb3a2616b81852fe9c9f91586da08fe305fe39f4b9e2076079abff7fd1b5622f95d8ce625173767efe09e67fc0d1af64f937fc4128d30d4e9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409281041265246076.dll

Filesize
1.7MB

MD5
1d34fe72cf6524073b07484a8f5d8d58

SHA1
ef34b714fb928ecc638c336246d0d93087706965

SHA256
f2bd081c7179eda1413d814873511de083801017a05506d1a792587f42c27809

SHA512
9cc3e4af49c29f1e2b561ecf6766e4a7b7d97b662bbbe2fc3f5faadef192f1c32643a9df4bd7608753a634cb18a99b586a0b554c07c7318dfec4d6d62f8eeccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409281041273005176.dll

Filesize
1.4MB

MD5
39bec40335855bda1d8a658ab4365c4d

SHA1
67d9151ce278aaf24cb7d9c0dfedeead22566efc

SHA256
6bfa1a0744762da577b700a661fcc1f1530a8fd855973ee7cd4ea281bb8d3521

SHA512
8793c5ed63fdd81d0ba09e02fc3cfcbb1c93a921c2353074a824b420b2b2aeb1afe0cfb54e72a89de555a7a6e524da4d0bd281dab781ada841c2b5d31696d102

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409281041278665320.dll

Filesize
1.2MB

MD5
7a51d04fb71186c627a1e1d687c48a6d

SHA1
648484288408e0c4fa23d13d70d5ff102b317d3e

SHA256
acd5950e71f10c3dac40108412de5da866b2b53b452b5f90eb3ed6180a786800

SHA512
cf9147f83163e0eaea1e6539b414f45dbe9c08817a4af819a880f74050954790edb2a26fd21b59cfb8f23d203bc4bcd72d2840beac491e0b727b19cdc9e96f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdstq3ui.mgn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0I8GJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0I8GJ.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CG5O3.tmp\PLwO1cP7W0Dcf8aoX9Sk.tmp

Filesize
692KB

MD5
2a7327eb722219a687c96c04500ed9a4

SHA1
02c8919f066985d0ad5115a8ebe0bb3fd6c3814b

SHA256
7d4107ac8f7d3094981406db182747eddc8f8bae01d94ffd75ce0ae85ec76d88

SHA512
640dc50389cc7b3341130df41454d8aef9df7d310e9b39ed6557828a919769e81ef82d0e1f959c7aa43bf552d4630c8bc0d0fbf55d861a51db97dfa380dedfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JN3TB.tmp\setup_gw3DvMM1Xw.tmp

Filesize
680KB

MD5
f909fde7b8c0a72b2652b0308c0c77a7

SHA1
1df72b7de662ee5614d1ef207e74092f2b248f59

SHA256
1069a7d28b7d70fc42101384c7bd0ef648ef8155ab482677b7370234f2601536

SHA512
b37bf2a6ddc57a548408884dc0f8d8f53a24ce185a10fe4c3865a5293938d312efd74f40ea112908087c862817440f7b8d9c2ba16e414f674e09410f93856288

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF2AA.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuWEmD0U\3mhyJxFt.exe

Filesize
2.1MB

MD5
7635392060d9b38fa0362f48f7de4d2b

SHA1
481f29a2180f44afac37db8f4a9eee94b773483b

SHA256
be5f0cbea6b591d326648b3338ed63b1bc3a2dfb2833c764caba49952d6cb824

SHA512
f94e1f5d60d725aa5020a3dd18321a7dd744fc5f950e9167fb92db8ef7c6a315fee783eb72107664d7fce3e5d0690112b9d2b2bb46692e8e589efcbe792e34d7

Download Submit
C:\Users\Admin\Downloads\setup_gw3DvMM1Xw.zip

Filesize
6.5MB

MD5
808431c7c784da2c8b79b8cb55d612c5

SHA1
251090364b3fa11e7b6fe6e17943e949debef02d

SHA256
fdbe467bea4c3d85effb2c4a0d6d016b77d6b451ecad85fde90d92bac6620f7b

SHA512
94eb2fa41cdf2b9c3c17915ec1a58a09e3f5d74224fc6e8a05b4ce1de206107f3a3a6a5997d9721d48fdf6afd937fa81e78340ec1a707dfcc9d3da2a770a3ad5

Download Submit
memory/1192-306-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1192-389-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-535-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/1324-525-0x0000000004FA0000-0x0000000004FBE000-memory.dmp

Filesize
120KB

Download
memory/3288-382-0x0000000000400000-0x0000000000C3B000-memory.dmp

Filesize
8.2MB

Download
memory/3288-715-0x0000000000400000-0x0000000000C3B000-memory.dmp

Filesize
8.2MB

Download
memory/3288-383-0x0000000000400000-0x0000000000C3B000-memory.dmp

Filesize
8.2MB

Download
memory/3288-392-0x0000000000400000-0x0000000000C3B000-memory.dmp

Filesize
8.2MB

Download
memory/3288-538-0x0000000000400000-0x0000000000C3B000-memory.dmp

Filesize
8.2MB

Download
memory/3572-633-0x0000000006C60000-0x0000000006C7A000-memory.dmp

Filesize
104KB

Download
memory/3572-632-0x0000000007E70000-0x00000000084EA000-memory.dmp

Filesize
6.5MB

Download
memory/3572-437-0x0000000005220000-0x0000000005256000-memory.dmp

Filesize
216KB

Download
memory/3572-479-0x00000000063D0000-0x0000000006724000-memory.dmp

Filesize
3.3MB

Download
memory/3572-466-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/3572-454-0x0000000005800000-0x0000000005822000-memory.dmp

Filesize
136KB

Download
memory/3572-459-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/3572-442-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/4684-390-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5780-572-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6084-622-0x0000000000C40000-0x00000000012E1000-memory.dmp

Filesize
6.6MB

Download
memory/6132-712-0x0000000006DC0000-0x0000000006E0C000-memory.dmp

Filesize
304KB

Download