Malware Analysis Report

2024-08-05 22:39

Sample ID 210503-sm43bn67nn
Target Install.exe
SHA256 97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
Tags
discovery evasion persistence
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

Threat Level: Likely malicious

The file Install.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence

Checks for common network interception software

Executes dropped EXE

Downloads MZ/PE file

Drops file in Drivers directory

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Program crash

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies system certificate store

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Registry Run Keys / Startup Folder
T1060
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Install Root Certificate
T1130
Credential Access
TA0006
Discovery
TA0007
Software Discovery
T1518
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2021-05-03 06:42

Signatures

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 07:12

Platform

win10v20210408

Max time kernel

1801s

Max time network

1033s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Dosoculohe.exe\"" C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-50KQP.tmp C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-C5QRL.tmp C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Common Files\Dosoculohe.exe.config C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp N/A
File created C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\Common Files\Dosoculohe.exe C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5ebd43d0f83fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000557a7ae0c5c33456f362d44c5e107aaead652b92ca51a0016ac95686ccaee3d6461b6c013a8136c5ac4bc4aaa3f7ac3b22cfc20ad4b5bdff24be46faa770be3d12f53b5f3293b8678634b43e28dcb5005441675969febad28a03277fd03f1a134fa86a9ed91ad4a9aebe2bb5f6dda427e15c0d76204c5831633ab0089a3bb631f5d3a010e4367402178aff917e1cd45649c1a530e8be0b616202d9afc584ad93dc183fea62089b4e4436355b30b80ff4820e216cf576cd7a80faf2e2ee3a00c6f216220959ae717f50633a10e8d0843458e508ef3e93e7fe76c490a9837dea179c6d324bfe497a95cdb11bb95386b3fcc0e4f9c04035c9b803ffa7f7ba6d01a695bd7b7404fa50edb7c07e3feaf8439099ac1117327c88f6844a4d0db52a393453a6bfa625df53dfb8308f6f4548b4143cde1fd9a387f10a32479eeba9d424d55ac85267a9195ea574a25b38cf94fbe0da187aa8cc78c92089949cd7a18ba8626bc3793493c87c9d62b4b5f04dfe879a44fc0a81056e4963d1d380eaa86fafc64637c5ad510d03d33407d8b4c3a4e72d8b286cec2689416f22d20ad78e99dc6232a5a86c5f62 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "326813157" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 49b2e8d6f83fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "326845148" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34AB = 0300000001000000140000004eef7faf0062d34abee6137e774438ae9988739f04000000010000001000000024d7172657e6b799f66cf32ae88b5c280f0000000100000020000000547b3c62613c9c2b025d5461623ae703e9853ee45a8bf3b425bf63528e992912140000000100000014000000fe7e60dd9d8292295edf1cf80869a75b98896ed01900000001000000100000002aac2185e0e1b6503eb16a495b1815fc5c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000eb050000308205e7308203cfa003020102021333000001a636dabe8bbe573d9a0000000001a6300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3231303331313139323835325a170d3232303631313139323835325a3081a9310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3127302506092a864886f70d010901161862696e6769657465616d406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0b49f5b650f0fa690df343367a2cd62155e98e3c0fc14cb1f696618be8c327ef257f50d47bce3a4286e36edc0382e0ac81096dbce62463bb552970d01d02a7ca642d6faed9b5878c4e2e33e7c9f94ea4eb7f125662d5d2fe78138ce3e827bd98969028a908fab20632542a1ef952c10382b7efcaae1f5e7521d5fb617a93aa002b579a3203726111c73a9832712e3b5d4d140b247c91824de8123b45ea39fbcdb6e5c77d68cd3db64dd24844a1879865356f655cf1c5d94b208e244bd075a9823c87af7bcad6aab52e3444aad2947a7baad0d42c9d785964dbd8b4e09004359094d0646c3ca98e7c698b0fa7d6f1606b1459fd6df8d9aea8ae85911789bc5e10203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414fe7e60dd9d8292295edf1cf80869a75b98896ed0301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c1055e1c6ece899cbff031668bd0b72ee668484f9392c48efe112ba21c521af47582849539f2fd53f7f8adecc243743211150de90b106e6bdaaedb88a8fc71aff2bd4bfeae5628507aa3b47095bf680a0a56bc6cb9c70871fa0b05857bf1762af884469264870c4139f7f9e93bbedaf73a867994c51e7c8473506f1ca68a8f9059cfa5c068be7ecade98315eebd7e71431ebe7d033b4fc8056d94ab70b03e1368082fc83a82cd632b9f3a03f9c9d51881c39b432ee9856e87835bc0481e57489da3590d20b2b9b0900704de861f994d956a2c0347178c59e5048bb9bbfbe8cef237d5860d7f407dcbce486eee7d98a90509a8f1b81445453326b139f0d2fdc68b831681fa96f2284b8153e3dbe60cb2d0ac030d0e2ecfc85c9d361c25e01cabe57cd6ebdc40708b2bd449152e90d2d45d725db856ab64d29a9fdb9fdb85f6354cbd5be240f4b71fa745db8eb32c0e4ea4747bfa5a4f9a5346e42b3379636d05e52225cea1baa7792b8f51b803658026b11fd0ab5877a99f4e74ff994c61177ea425554a7135d8b020661d2d285eb8bf1aa00d3bf78e2f5dba62cd7befdb85fffe6c1b65643f56fe36cf412f366b03bc8c78c852c1ed43a218256636d67eb8241477d3258af4f96b9698b0326d6d01826734eb18f1b393cbf85c0f9fdab4fb854536110f2f678003f80f270cbb1fbeb5ba09523f959dfeba84319577874e4dec0 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = f07676e3f83fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com\NumberOf = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8936fccff83fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E7BDC3B0-B86C-449C-950B-E7B34F89C31F} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\NumberOfSub = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "9" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "143" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp
PID 3920 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp
PID 3920 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp
PID 2592 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe
PID 2592 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe
PID 2584 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe
PID 2584 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe
PID 2584 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe
PID 3144 wrote to memory of 4012 N/A C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp
PID 3144 wrote to memory of 4012 N/A C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp
PID 3144 wrote to memory of 4012 N/A C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp
PID 2584 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe
PID 2584 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe
PID 2584 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe
PID 2584 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe
PID 4012 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 4012 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4368 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp" /SL5="$5006A,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe

"C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp" /SL5="$60068,281924,62464,C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe

"C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe"

C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe

"C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 iplogger.org udp
N/A 88.99.66.31:443 iplogger.org tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 google.com udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 click.hooligapps.com udp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 8.8.8.8:53 theonlygames.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 8.8.8.8:53 nextgencounter.com udp
N/A 8.8.8.8:53 my.rtmark.net udp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 104.21.61.108:443 nextgencounter.com tcp
N/A 104.21.61.108:443 nextgencounter.com tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 95.211.229.247:443 main.exdynsrv.com tcp
N/A 95.211.229.247:443 main.exdynsrv.com tcp
N/A 8.8.8.8:53 main.exoclick.com udp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 8.8.8.8:53 main.realsrv.com udp
N/A 95.211.229.246:443 main.realsrv.com tcp
N/A 95.211.229.246:443 main.realsrv.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 87.250.251.119:443 mc.yandex.ru tcp
N/A 87.250.251.119:443 mc.yandex.ru tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 yourfreecounter.com udp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.242:80 yandex.ocsp-responder.com tcp
N/A 52.114.74.44:443 tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 aliexpress.5i8xkqjmqubv.top udp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp

Files

memory/3920-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2592-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-7FB2T.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

memory/2592-118-0x00000000001E0000-0x00000000001E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2584-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-6TGIU.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/2584-123-0x00000000029E0000-0x00000000029E2000-memory.dmp

memory/3144-124-0x0000000000000000-mapping.dmp

C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/3144-126-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\VideoLAN\MMFHZRBDDW\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/4012-128-0x0000000000000000-mapping.dmp

memory/4012-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

memory/396-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\3d-cde01-7fe-32c91-34ad3963c0e6e\Pawihylajae.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/3628-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Vaegaejumulae.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\is-D4MTS.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/396-141-0x0000000003150000-0x0000000003152000-memory.dmp

memory/3628-142-0x0000000002B60000-0x0000000002B62000-memory.dmp

memory/2808-143-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/2808-146-0x0000000002F50000-0x0000000002F52000-memory.dmp

memory/3628-147-0x0000000002B62000-0x0000000002B64000-memory.dmp

memory/2808-149-0x0000000002F52000-0x0000000002F54000-memory.dmp

memory/2808-148-0x0000000002F54000-0x0000000002F55000-memory.dmp

memory/2808-150-0x0000000002F55000-0x0000000002F57000-memory.dmp

memory/3628-151-0x0000000002B65000-0x0000000002B66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8d-37b23-108-3ca8d-1db9e82749f72\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5 9bd290c73c295139470b5a56f8d857bb
SHA1 c838907b18895bc98a601e27c30b5de9acef88e7
SHA256 bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968
SHA512 c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 912b3118e85c3ae93ecd014897891614
SHA1 f0533c18ddb617a7db82b74484265cd6388aa4f3
SHA256 44fc2193cf8e1961244c4868703fac9f48465b66148db80243003481a3e5fce2
SHA512 3a0fb01a7fdbb2755b3f3c0d849c2473fd844c1d25b9d1e191578165e820eb9b47da7d6b7a5a8e38af44633072ae39b370380ce71851424caff0a11a30d7b6fb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 63b177e7208370392a8ad2ef67ab1a3f
SHA1 7c8edc2a3f3894f9ec5ca6ff171041f1db26aff0
SHA256 7afeed2a9ff326664844077b2cd55cd6c30e3f42c1d475b65d57e7a96d46fcdb
SHA512 c17fdf8418f54adb09d7e6b8cc60c0258c748acbb122d2dd537bde9ffe11c726c905e313a6f9439a82edb922d22fa5ac7fc26c904a362da4cde532c85c046b54

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5 ca3f6b045976cdad39bfbf94bd662767
SHA1 48e947613af83f20892cc54957315ca0d87145aa
SHA256 37651afb0957a19d6a9774880eeb848433744c5bba54d83a16d4b8382e8d3036
SHA512 8cb3d8433c0da11fda9aaef07678b9eb7352571ae5c68b6a4e059a4991ae01fb7cba418e86c70ea9b97cd0715bcfaedb39ef0022f0f4431c4e278a55bb7dc500

Analysis: behavioral4

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 07:12

Platform

win10v20210408

Max time kernel

1801s

Max time network

1732s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\Sunaeshylaery.exe\"" C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\Sunaeshylaery.exe.config C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-URMSB.tmp C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-OLU74.tmp C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows NT\Sunaeshylaery.exe C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe N/A
File created C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe N/A
File created C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "326193698" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a2e44bd0f83fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com\NumberOf = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "109" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "28" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "88" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34AB C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "141" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{547A62E5-F033-42ED-92D7-44EDBBA4E33B} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "47" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "928" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "p66fxhf" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp
PID 1032 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp
PID 1032 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp
PID 4080 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe
PID 4080 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe
PID 200 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe
PID 200 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe
PID 200 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe
PID 1272 wrote to memory of 2100 N/A C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp
PID 1272 wrote to memory of 2100 N/A C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp
PID 1272 wrote to memory of 2100 N/A C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp
PID 200 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe
PID 200 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe
PID 200 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe
PID 200 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe
PID 2100 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 2100 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4456 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4384 wrote to memory of 4448 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp" /SL5="$70050,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe

"C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp" /SL5="$40056,281924,62464,C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe

"C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe"

C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe

"C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 iplogger.org udp
N/A 172.217.17.36:80 www.google.com tcp
N/A 88.99.66.31:443 iplogger.org tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 google.com udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 click.hooligapps.com udp
N/A 172.67.172.137:443 click.hooligapps.com tcp
N/A 172.67.172.137:443 click.hooligapps.com tcp
N/A 8.8.8.8:53 theonlygames.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 8.8.8.8:53 nextgencounter.com udp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 8.8.8.8:53 my.rtmark.net udp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 95.211.229.245:443 main.exdynsrv.com tcp
N/A 95.211.229.245:443 main.exdynsrv.com tcp
N/A 8.8.8.8:53 main.exoclick.com udp
N/A 8.8.8.8:53 main.realsrv.com udp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 77.88.21.119:443 mc.yandex.ru tcp
N/A 77.88.21.119:443 mc.yandex.ru tcp
N/A 8.8.8.8:53 yourfreecounter.com udp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.243:80 yandex.ocsp-responder.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 aliexpress.5i8xkqjmqubv.top udp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp

Files

memory/1032-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4080-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-EC0KK.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/4080-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/200-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-TSA8L.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/200-123-0x0000000002390000-0x0000000002392000-memory.dmp

memory/1272-126-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Program Files\Mozilla Firefox\WTCPRUQTTA\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/1272-124-0x0000000000000000-mapping.dmp

memory/2100-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

memory/656-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\18-6c640-8c3-20885-c572c1af72b49\Topishekiso.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/2100-135-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/656-136-0x0000000000CB0000-0x0000000000CB2000-memory.dmp

memory/3968-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Vugohyqyshi.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\is-KT8FQ.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/2980-142-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/3968-145-0x00000000026E0000-0x00000000026E2000-memory.dmp

memory/2980-146-0x00000000008E0000-0x00000000008E2000-memory.dmp

memory/3968-147-0x00000000026E2000-0x00000000026E4000-memory.dmp

memory/2980-148-0x00000000008E2000-0x00000000008E4000-memory.dmp

memory/2980-149-0x00000000008E4000-0x00000000008E5000-memory.dmp

memory/2980-150-0x00000000008E5000-0x00000000008E7000-memory.dmp

memory/3968-151-0x00000000026E5000-0x00000000026E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e6-a2aec-526-6a59c-d58c41554421f\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 912b3118e85c3ae93ecd014897891614
SHA1 f0533c18ddb617a7db82b74484265cd6388aa4f3
SHA256 44fc2193cf8e1961244c4868703fac9f48465b66148db80243003481a3e5fce2
SHA512 3a0fb01a7fdbb2755b3f3c0d849c2473fd844c1d25b9d1e191578165e820eb9b47da7d6b7a5a8e38af44633072ae39b370380ce71851424caff0a11a30d7b6fb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 294c09f84a22dbfc0623f61f1c14aec4
SHA1 f9aa92f7ae02a0010a3c6611d9e959550fcfff0c
SHA256 2c3875807766117bf542531c13ae552ecdb9e3105f401734c614e9bc943f645a
SHA512 aae84fdc327b419403ca68debc22536c80e3ba00c885acf75f25ef66668fff887d25a72282539a2641b685e9ee49e860e4a29ff8b32915fd9b52f7dd311c55f2

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5 9bd290c73c295139470b5a56f8d857bb
SHA1 c838907b18895bc98a601e27c30b5de9acef88e7
SHA256 bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968
SHA512 c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5 54fad0a162379fcf211d11968bff74d8
SHA1 1e6cc2ce850202dad771f8e6bb8913de9dabdd1c
SHA256 216f969cd3d39136685d8ac51d7c75f08a96bd05659e908a9d5b9da3685bc083
SHA512 c8e26eee45a3267de6f336697e621a87940f4051adcd4cb4ba77b02250f14c5e92950a83f6f0905b4b9bd6c212f25ddba662c5f3b45840f5a2c959d1af647610

Analysis: behavioral5

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 07:12

Platform

win7v20210410

Max time kernel

1800s

Max time network

1578s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp N/A
N/A N/A C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Tiwudolaese.exe\"" C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-OLFR6.tmp C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-8TOBQ.tmp C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Photo Viewer\Tiwudolaese.exe C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe N/A
File created C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Photo Viewer\Tiwudolaese.exe.config C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f0000000002000000000010660000000100002000000060796c417d36d47f9368bd4453f5871326970c1e4852b5fd2220382fe2b3a16e000000000e80000000020000200000005035c8f144df6e9e5f26e67bd5f5c5746b96345c5c42c8029955fba1023e055d90000000a4ef74108a6b3c0228c749ec74007c4a866f15c759b997b2e479534f0c57daf80ad31e1bb5edb4d86ea6ce443956634e02318f62f0ab0ffea8917fdd1073c42d0c5d372b7058edccb254ace64980a02c10e1b3800b126459280ea635054a1389a90c6b31193c962a8532af43d33fdf17d2341a7fad87b3465872617554d1de22d7e3884c9fbbc0fd67088ebe229f266840000000a267cc06923e954054311f0c77d84c0e5000c8d41582a9777b95d42cd4fee579a1e9294aa353e1320a34ad7b840b346df6ad2578862b9caf824fcb5986accdd3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807f731ee73fd701 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000bc6d6aca3acf2f4099dfc9489d0aa9d1b832d00148ab81cf41227b82ebcc3ba7000000000e800000000200002000000000227d6d2672e486eae4efc5076e791df0d596d7b6214175a6f03f621399857d200000001fd4882f232b84be1ee0f611b425f00c489ae157b857be82fe4769b6fe16b1c0400000001f9dfa6a7f5a166c60be71144affeecbcacda89505ac4651be9e38000b3352b121b439caca965863a8aaa040a93cd4600ba49f6a0208039dba8a66d06475f9db C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "326788935" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{477BB241-ABDA-11EB-A1DA-5A6828A642A0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp
PID 1200 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp
PID 1200 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp
PID 1200 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp
PID 1200 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp
PID 1200 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp
PID 1200 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp
PID 1188 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe
PID 1188 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe
PID 1188 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe
PID 1188 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe
PID 1536 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe
PID 1536 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe
PID 1536 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe
PID 1536 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe
PID 1536 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe
PID 1536 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe
PID 1536 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe
PID 1964 wrote to memory of 1472 N/A C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp
PID 1964 wrote to memory of 1472 N/A C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp
PID 1964 wrote to memory of 1472 N/A C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp
PID 1964 wrote to memory of 1472 N/A C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp
PID 1964 wrote to memory of 1472 N/A C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp
PID 1964 wrote to memory of 1472 N/A C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp
PID 1964 wrote to memory of 1472 N/A C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp
PID 1536 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe
PID 1536 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe
PID 1536 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe
PID 1472 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 1472 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 1472 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 1472 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 1536 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe
PID 1536 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe
PID 1536 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe
PID 1728 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1224 wrote to memory of 952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 952 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 2156 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 2156 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 2156 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 2156 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2156 wrote to memory of 2260 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 2260 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 2260 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\SysWOW64\WerFault.exe
PID 2156 wrote to memory of 2260 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\SysWOW64\WerFault.exe
PID 1728 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1728 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1224 wrote to memory of 2960 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 2960 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 2960 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1224 wrote to memory of 2960 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp" /SL5="$400CE,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe

"C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp" /SL5="$6012E,281924,62464,C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe

"C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe

"C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:340994 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1464

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:1782801 /prefetch:2

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 ads.hourscareer.com udp
N/A 188.225.75.54:80 ads.hourscareer.com tcp
N/A 188.225.75.54:80 ads.hourscareer.com tcp
N/A 188.225.75.54:443 ads.hourscareer.com tcp
N/A 8.8.8.8:53 allinnew.xyz udp
N/A 188.127.249.141:80 allinnew.xyz tcp
N/A 188.127.249.141:80 allinnew.xyz tcp
N/A 8.8.8.8:53 myallexit.xyz udp
N/A 188.225.75.54:443 myallexit.xyz tcp
N/A 188.225.75.54:443 myallexit.xyz tcp
N/A 45.138.26.106:80 45.138.26.106 tcp
N/A 45.138.26.106:80 tcp
N/A 8.8.8.8:53 google.com udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 45.138.26.106:80 45.138.26.106 tcp
N/A 45.138.26.106:80 tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 ocsp.verisign.com udp
N/A 23.51.123.27:80 ocsp.verisign.com tcp
N/A 10.7.0.28:5355 udp
N/A 10.7.0.24:5355 udp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 aliexpress.5i8xkqjmqubv.top udp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 8.8.8.8:53 ocsp.verisign.com udp
N/A 23.51.123.27:80 ocsp.verisign.com tcp
N/A 10.7.0.24:5355 udp
N/A 10.7.0.11:5355 udp
N/A 10.7.0.33:5355 udp
N/A 10.7.0.23:5355 udp
N/A 10.7.0.40:5355 udp
N/A 10.7.0.15:5355 udp
N/A 10.7.0.38:5355 udp

Files

memory/1200-60-0x00000000768B1000-0x00000000768B3000-memory.dmp

memory/1200-61-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

memory/1188-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-JAFN2.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1188-70-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/1536-72-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-7RRC8.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/1536-75-0x00000000020F0000-0x00000000020F2000-memory.dmp

C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/1964-79-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\Uninstall Information\TQDTXYRNTQ\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/1964-76-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/1472-82-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

\Users\Admin\AppData\Local\Temp\is-5FODA.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-5FODA.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1472-88-0x0000000074A41000-0x0000000074A43000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-S43QT.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/1728-91-0x0000000000000000-mapping.dmp

\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Users\Admin\AppData\Local\Temp\2e-41515-8e9-991b4-0bdf7c6d4f4c7\Lonagulixi.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/1992-98-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/1728-102-0x0000000002090000-0x0000000002092000-memory.dmp

memory/1472-101-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1992-103-0x00000000009B0000-0x00000000009B2000-memory.dmp

memory/520-105-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kazhaezhozhyzhu.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d114afae6915baef73adf54fe2b8c41
SHA1 c7a385da799926897e989da938d3542e3e309d3c
SHA256 6ede48ca1c4c51295682e0d294b81d2ce09387e635d3a2656cae185efb5631cd
SHA512 9b4ba60d0652a87b846a2c71f0d43b19f18796547339950555f921e406996612a96cc0e5e6951c108419ffd2c93066325d3496fd0cc4e1e2d1160388cba3f5f5

memory/520-111-0x0000000001F00000-0x0000000001F02000-memory.dmp

memory/1224-112-0x0000000000000000-mapping.dmp

memory/1224-113-0x000007FEFC221000-0x000007FEFC223000-memory.dmp

memory/1224-114-0x00000000020C0000-0x00000000020D0000-memory.dmp

memory/952-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c02ec1bdc5ecc2331d1a232591bbb02
SHA1 6f24b3e43a1e2f58a4564cd6979821b9900c1982
SHA256 746b67704532e7ea4ed53b478b395da0042323308aeeb70a9f7d676cc241af1f
SHA512 5600c68d73252dd2746cc085a9f08e2298789a8d90f7fa41952ca06125e15cb58eab5883e6ccd735bc44fe0a4782a5e36c128a7555b167c945942e3eb88637ad

memory/520-109-0x000007FEF21A0000-0x000007FEF3236000-memory.dmp

memory/1992-104-0x000007FEF21A0000-0x000007FEF3236000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b135ee89cff7fd34d91f4f1c64fa9c4
SHA1 d07548e632ca3e23bd39c4d7816438acf81fd66d
SHA256 2b58846af0f6d66e391e295baa6010fa744cc71faf9b1e04a043e0ed336267f7
SHA512 697b5ba7b6fc6009d526c4836f03f1334fab8e88b571d436a7b76bfbf6fd16ddff628cb4bd86d946b54a2c2d78f2344d054323a403b1d965b71f0b4a6d9b2c8d

memory/520-118-0x0000000001F06000-0x0000000001F25000-memory.dmp

memory/1992-119-0x00000000009B6000-0x00000000009D5000-memory.dmp

memory/1992-120-0x00000000009D5000-0x00000000009D6000-memory.dmp

memory/1992-121-0x000000001B050000-0x000000001B069000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d7-f9662-f13-6acb1-5d84adf7f2d45\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/2156-123-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2XZVQTUG\3P1T8IQA.htm

MD5 d4448318cf8ed41e0f4dd27abdcffca4
SHA1 f1accc823afb9b1e3577dd79a41a596a8662c519
SHA256 20d76252395d96b1a44ef2634039a28b13ecf5c61b7580f4306a424d7514f520
SHA512 e3cd1f8750c0ce21eba55bde915f315bf4422a112795a886eed2f28e13f57902b71a51f53bc6bc5effc9582727bafb27a239f2460f0a1a340fbbd4d702b5a008

memory/2260-125-0x0000000000000000-mapping.dmp

memory/2260-126-0x00000000002C0000-0x0000000000384000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 297c2d4e62458a15cc51420c3a70ca0c
SHA1 3bed31370d651a39f452fb49affb7dfe6cf5f6ec
SHA256 31ae57ab70f06f936638333cbb480a0cb61ac49518ff634b5b2ab5f41b66f751
SHA512 047e3a8d8ce2cc8437669a090cdcf7e66c00496c75677d1affe8a360e6ac1259bb76c7cbfdde7d44167be0fb092eb11a64dde1115fe9269db9b8b4e11ed0e13c

memory/2916-128-0x0000000000000000-mapping.dmp

memory/2960-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5Y6DNLCA.txt

MD5 8995d0904dfd4e2757e4ca2d855fc9c7
SHA1 0931628b37858ad66cf339f7ae15106c0d3f5f0a
SHA256 5e62f3c439f32f38fd7158a9ee2d680f2a74a9098489089d92846e8150cfb17b
SHA512 87637b494058375abc623b530421ee4fde36d576fcbd42da9e402a0026af19f29630d8d49948c49bd1eaa456c80e60b586daadadd74068001eb976e639fe8eb9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7VG1LT7F.txt

MD5 b7121c02e933546a6c0af84a5c11218f
SHA1 38da3d5a49ee3a80b3d06fc971aa4b8b22b4e43a
SHA256 574c6b3f1977ec44f8857edab051ec79e927936b85abf76a24560d7a6fd3d324
SHA512 628b095e90e1f0c21a00a4fafedba08cc8d27c8a884d4ba611460f43a9f329400bfc42fbca1199797b5a3844125586c54e3a247b768f22e83d453b185b2774f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 05fbeea23cd6ba515cfe019a2cbd3b0d
SHA1 bd09108809a79942e226bba52aac8bef0fbc6551
SHA256 bd4a36fffa835cc998babf5b5932d1667aee85cc82aedaf798eb44b2d596e8fe
SHA512 ff3240b250a8db79b63c962ff959b6b02ef81bbcef2d6bdda6f69e426272e83c5c9109b4b0e85f05b605468610ca1adc57285900f1b230d8a9b47f719109bb41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 912b3118e85c3ae93ecd014897891614
SHA1 f0533c18ddb617a7db82b74484265cd6388aa4f3
SHA256 44fc2193cf8e1961244c4868703fac9f48465b66148db80243003481a3e5fce2
SHA512 3a0fb01a7fdbb2755b3f3c0d849c2473fd844c1d25b9d1e191578165e820eb9b47da7d6b7a5a8e38af44633072ae39b370380ce71851424caff0a11a30d7b6fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5 9bd290c73c295139470b5a56f8d857bb
SHA1 c838907b18895bc98a601e27c30b5de9acef88e7
SHA256 bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968
SHA512 c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5 a14f0b1be7cdf0b0e2dd1d467ad9d5ac
SHA1 7d4a7a5a04d552b8042d797c660252ce844c6a82
SHA256 4e60a02f537253b748ded19aeb48de550d8376d4ca30a52fc8d71f5c3b7cfd8f
SHA512 2f010537534dec5912095d21c0c5db48338429e63af711ef08f40e61a38a774e5005071e9d75339d0f2ced4a2f1caa198f87618285ee882ea586645c73dc011d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 69587803db2556600f91303afbeccf80
SHA1 2ceb084e535d86f7b32d24a62f290064f5a2fd66
SHA256 42b5d11d4a4773cbf78dada85ace3ff9097de23c6b65fc8c385ddf1ee65d8f48
SHA512 4bd1b72fb99ccbc063b67dd1695f8d30d7120f0b38a0d43773c6c8012a65287398517a014774c7e703dbcc234777711d76363d326a040e1b9256bbb018368c19

Analysis: behavioral10

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 07:12

Platform

win10v20210410

Max time kernel

1801s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\SHabaegugewe.exe\"" C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-D3KER.tmp C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows NT\SHabaegugewe.exe.config C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe N/A
File created C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe N/A
File created C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-KMEMR.tmp C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows NT\SHabaegugewe.exe C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "326185909" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "253" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "285" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "326819340" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "170" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "326792326" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000002fdd36cf3783cfbca56c3472601be9dda7ccd0a3d884f8f034f814bf6aca743d2cd0d5ab8849e278ba39c60a6d56b968783c2de0a6d53d252a254af341e3d08e48a416ca206dca4ab0ee78e0b6d5d08bdedc40f0db93aa55340b65daf6d111a1e5f94aad8b0d3207182d455cb8ba965f9b4e2d93f2de5d2bed491dc6fcb43b96cf6f8c9d564ba5c4c194ae918024147d43311cd8fad680f0bc81887323ad6e64f6a6ac4090455f0f52c501f27e3358b1d82419ff479c98ea8e529501c8da19e9283f7d464b1d52e7a65ec7c176073503d2c9de6d4c4ed880885c6175e55c705f76d84b21acf1cc91bb0067309dbf67067abfd8af120db6358d3fbbd11c5470166f127dd376e35839614c3f31d47df98193a5cf8920f986705a9bd6bf13e09c80b98d4bc697116560aee0e8060b608d61e61d7c1d5132c2143c109ac1cf21b68f80e9f0b6bb9d8f1b425ed77e5188d5ff50c684197ed8fbe9373e5efd87379b5fc1c66aaf41a6782cd464d1c1831497b2be3f97ff570ba8d45fc5428e4e43ac357cc59c12e34ba2d66294eeb2bd26d7b7812a2c7334eb75e15203a107ee2dcc8f41f537922dca C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2deb6c1de73fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = f002681de73fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "326845567" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{78E9238C-EAD7-41D4-98A1-6A94F7621EF0}" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = a0eb4a6f1940d701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "931" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp
PID 3952 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp
PID 3952 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp
PID 1828 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe
PID 1828 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe
PID 3728 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe
PID 3728 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe
PID 3728 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe
PID 1468 wrote to memory of 2820 N/A C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp
PID 1468 wrote to memory of 2820 N/A C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp
PID 1468 wrote to memory of 2820 N/A C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp
PID 2820 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 2820 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 3728 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe
PID 3728 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe
PID 3728 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe
PID 3728 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 4300 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4228 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp" /SL5="$20114,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe

"C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp" /SL5="$30054,281924,62464,C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe

"C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe

"C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 iplogger.org udp
N/A 88.99.66.31:443 iplogger.org tcp
N/A 8.8.8.8:53 google.com udp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 click.hooligapps.com udp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 8.8.8.8:53 theonlygames.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 8.8.8.8:53 nextgencounter.com udp
N/A 8.8.8.8:53 my.rtmark.net udp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 95.211.229.247:443 main.exdynsrv.com tcp
N/A 95.211.229.247:443 main.exdynsrv.com tcp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 8.8.8.8:53 main.exoclick.com udp
N/A 8.8.8.8:53 main.realsrv.com udp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 95.211.229.246:443 main.realsrv.com tcp
N/A 95.211.229.246:443 main.realsrv.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 93.158.134.119:443 mc.yandex.ru tcp
N/A 93.158.134.119:443 mc.yandex.ru tcp
N/A 8.8.8.8:53 yourfreecounter.com udp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.243:80 yandex.ocsp-responder.com tcp
N/A 51.140.157.153:443 tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 trk.lemon-ade.site udp
N/A 54.85.113.62:443 trk.lemon-ade.site tcp
N/A 54.85.113.62:443 trk.lemon-ade.site tcp
N/A 54.85.113.62:443 trk.lemon-ade.site tcp
N/A 54.85.113.62:443 trk.lemon-ade.site tcp
N/A 8.8.8.8:53 kodim.rdtk.io udp
N/A 23.105.36.164:443 kodim.rdtk.io tcp
N/A 23.105.36.164:443 kodim.rdtk.io tcp
N/A 8.8.8.8:53 utopia-privacy.com udp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 8.8.8.8:53 www.googletagmanager.com udp
N/A 142.250.179.200:443 www.googletagmanager.com tcp
N/A 142.250.179.200:443 www.googletagmanager.com tcp
N/A 8.8.8.8:53 kit.fontawesome.com udp
N/A 104.18.23.52:443 kit.fontawesome.com tcp
N/A 104.18.23.52:443 kit.fontawesome.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 87.250.251.119:443 mc.yandex.ru tcp
N/A 87.250.251.119:443 mc.yandex.ru tcp
N/A 8.8.8.8:53 www.google-analytics.com udp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 216.58.214.14:443 www.google-analytics.com tcp
N/A 216.58.214.14:443 www.google-analytics.com tcp
N/A 8.8.8.8:53 stats.g.doubleclick.net udp
N/A 108.177.119.155:443 stats.g.doubleclick.net tcp
N/A 108.177.119.155:443 stats.g.doubleclick.net tcp
N/A 8.8.8.8:53 ka-f.fontawesome.com udp
N/A 172.64.100.17:443 ka-f.fontawesome.com tcp
N/A 172.64.100.17:443 ka-f.fontawesome.com tcp
N/A 172.64.100.17:443 ka-f.fontawesome.com tcp
N/A 8.8.8.8:53 www.google.nl udp
N/A 172.217.168.227:443 www.google.nl tcp
N/A 172.217.168.227:443 www.google.nl tcp

Files

memory/3952-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1828-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-ER66B.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1828-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/3728-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-5PJ45.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/3728-123-0x00000000027E0000-0x00000000027E2000-memory.dmp

memory/1468-124-0x0000000000000000-mapping.dmp

memory/1468-126-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Program Files\Windows Media Player\UPSCJYDSDO\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/2820-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

C:\Users\Admin\AppData\Local\Temp\is-03GJM.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/3644-132-0x0000000000000000-mapping.dmp

memory/1240-131-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/3644-141-0x00000000026D0000-0x00000000026D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

memory/1240-138-0x0000000000840000-0x0000000000842000-memory.dmp

memory/2820-134-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3e-1ea97-2fa-68da8-f98917111bfc5\Bopalaekife.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

memory/3888-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kivimujaehi.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

memory/3888-146-0x0000000000A90000-0x0000000000A92000-memory.dmp

memory/1240-147-0x0000000000842000-0x0000000000844000-memory.dmp

memory/1240-148-0x0000000000845000-0x0000000000847000-memory.dmp

memory/3888-149-0x0000000000A92000-0x0000000000A94000-memory.dmp

memory/1240-150-0x0000000000844000-0x0000000000845000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4c-1a1fc-b13-24a89-f05ae9dacc73c\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/2064-152-0x0000023476220000-0x0000023476230000-memory.dmp

memory/3888-153-0x0000000000A95000-0x0000000000A96000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5 9bd290c73c295139470b5a56f8d857bb
SHA1 c838907b18895bc98a601e27c30b5de9acef88e7
SHA256 bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968
SHA512 c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 912b3118e85c3ae93ecd014897891614
SHA1 f0533c18ddb617a7db82b74484265cd6388aa4f3
SHA256 44fc2193cf8e1961244c4868703fac9f48465b66148db80243003481a3e5fce2
SHA512 3a0fb01a7fdbb2755b3f3c0d849c2473fd844c1d25b9d1e191578165e820eb9b47da7d6b7a5a8e38af44633072ae39b370380ce71851424caff0a11a30d7b6fb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 f320682bacc7ebb980eab67bc4b914ac
SHA1 bae24dd42187d31e0aa34b348e689fc728c90c05
SHA256 a148a45bce83ba72dd5525c6fe73a7da1caaa8408502f7f5c32be5c491226ca3
SHA512 3d5bdd4370812f95697014c779f66137521800ab86b1c8709748dcef6fdb7c4f406fedf06efbfb3c78b4aa0b39a2daf3c5f4a7b091d296e6aec0dd38eb61b869

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5 dce3f95a55e6855130f8d6b3c9d4e59b
SHA1 8485a8dde47dcf17d6d3ff8c9bcade5101fabeea
SHA256 3266a1145aeac0d6b21efff49d2a9e4f531bb7325445fdc1ba474b140659e09e
SHA512 7abfb0dc3d2be15ecb2caa73234e5b2065507a4a1051bb5af1bb8a4ab4dfa76bcc4b90ec1108a9978d34dd413e733bc450c0719d894682fa29f5c1d0020428ff

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TL4DRP4R\tag[1].js

MD5 a393d35e95563e8e34a180a400eaae9a
SHA1 377670e2aa83d90983a702a6f781fd09c85d3077
SHA256 856caedf6e1c670b2a4d48552b582e3d928e0dd902e77c302984d9d9461df4aa
SHA512 15d01e6a6045b6f43af2de6b57407ea0eefa9aa225fd3dff638fce65970101ce23ff238f1a0da11b018e3343b40da654ce0e78e2ae8e3ef0bd3879bba6cbcdea

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E887E036775F4159E2816B7B9E527E5F_81A9EAEF491877F5AE96F9A03F4042E4

MD5 d21d2085f1b0b8613d6f04802da04deb
SHA1 96af882f49566701127adffd26be687777067e91
SHA256 3a50aec702a69af40697f4c9b835976977668d5a537bcca004c093384b221373
SHA512 3a1c1720e8a4376e2700d03336a428b0b83bb3c48ce9e25abc99e8ae97e3a7f7034be4f3172d399c26bfd2ab4d66c14bd0239a72fb4f5ec7d9a127e2b6bed901

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E887E036775F4159E2816B7B9E527E5F_81A9EAEF491877F5AE96F9A03F4042E4

MD5 84f1413fb62ceb443c175405f683fe7a
SHA1 5999f190129a00493cb9594fc95a6abc78beaede
SHA256 13c6bee7a48690f8a433bb757d5769acb0cb31863cf55fab8d5b301e571829ee
SHA512 96948b68b9c77617cc27711c500eb1547efd6a04e5007436e854ac0426af9bd9bc7f326d1f98be84d3c9ee151e74da678cbec78d62a7c8eb3b7fb3fa600d7008

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_77B682CF3AAC7B00161DFFF7DEA4CC8C

MD5 9a65449cf5931cd78249b4f7c39184df
SHA1 e705b90d81e17625e1654ac8e2cab1ebcb404324
SHA256 3191f2ffb35db9d95df7bfc94cee0d4c22a36017ee8b86d2b0b3f710c39e3dd1
SHA512 6927eb52ac215c9ec9ff498e43babf96c083d75c7406971794e84d90ad74a5b3eaeb5120f35f90c1fbe65b47ff59ee39a742b9ebfbe31cbfcd29678b0984ab65

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_77B682CF3AAC7B00161DFFF7DEA4CC8C

MD5 d60e27926124a1a9681e7fbdb7fbc249
SHA1 c81ac09965314e503208feae97578e0824bfbbd3
SHA256 115e1a0cf78ea5f1c774dfcaaa548e45eba01b2c9cd91918a49e70ec6e4f4b7b
SHA512 ea53088c66a446812604ea234206ad78f0cafe66169fee4b675e70f083d2802bdb78df4b60e36283e69120c4cd472a1990928733ebf77b8522019668f671e8aa

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WXP9XBEU\advert[1].gif

MD5 df3e567d6f16d040326c7a0ea29a4f41
SHA1 ea7df583983133b62712b5e73bffbcd45cc53736
SHA256 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87
SHA512 b2ca25a3311dc42942e046eb1a27038b71d689925b7d6b3ebb4d7cd2c7b9a0c7de3d10175790ac060dc3f8acf3c1708c336626be06879097f4d0ecaa7f567041

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 e8098f8dbec4ebd4f83f0d51d09f30c6
SHA1 f32f8ee1c55cf38c2d3fe9fb8d021688a264481b
SHA256 5c2f8ca18885519eab93080a857d81141c3229a9d93c05bc01aeacec9be23a54
SHA512 a81dc62555ee3b4e371c4a61deff6182fb6314cb33657296d7a5a396806030ad860d8b7a106b03ef14fdb3d8fd81d9e98ffdd1af123825c2f2e5aed437c6d1d8

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 7fa14cc0e730b8d2e3435a64812e7b62
SHA1 777550d39191f57bff5e1a72c09ff63c4a0a4a0b
SHA256 45562855f67397688eb15ed59a4559efab0863bab6e5ed3b4931cd12ed5f58f9
SHA512 f4907ace798d9b83c74e7a03e09f24838c7f1307c6c07ec87eba20b97919d06b9f0ca8299dd9dd204a2593cb83ac95d21e70778883353ae8f7acc7c7d4b29465

Analysis: behavioral8

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 07:12

Platform

win10v20210410

Max time kernel

1800s

Max time network

1756s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Media Player\\Rymivawyce.exe\"" C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Media Player\Rymivawyce.exe C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe N/A
File created C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-51C7E.tmp C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-HD5OI.tmp C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Media Player\Rymivawyce.exe.config C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\Total = "725" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\ = "91" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{40CA91DB-7AC9-4377-ADFC-EC62665BB5F9} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fea91e25e73fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = df9e0d10e73fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4811cf1de73fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "u67oewx" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "774" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "326827321" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp
PID 4048 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp
PID 4048 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp
PID 1156 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe
PID 1156 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe
PID 2460 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe
PID 2460 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe
PID 2460 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe
PID 3756 wrote to memory of 1264 N/A C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp
PID 3756 wrote to memory of 1264 N/A C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp
PID 3756 wrote to memory of 1264 N/A C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp
PID 1264 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 1264 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 2460 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe
PID 2460 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe
PID 2460 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe
PID 2460 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 4544 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4480 wrote to memory of 1576 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp" /SL5="$20110,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe

"C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp" /SL5="$30070,281924,62464,C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe

"C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe

"C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 iplogger.org udp
N/A 88.99.66.31:443 iplogger.org tcp
N/A 8.8.8.8:53 google.com udp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 172.217.17.36:80 www.google.com tcp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 trk.lemon-ade.site udp
N/A 54.205.83.61:443 trk.lemon-ade.site tcp
N/A 54.205.83.61:443 trk.lemon-ade.site tcp
N/A 8.8.8.8:53 kodim.rdtk.io udp
N/A 23.105.36.164:443 kodim.rdtk.io tcp
N/A 23.105.36.164:443 kodim.rdtk.io tcp
N/A 54.205.83.61:443 trk.lemon-ade.site tcp
N/A 54.205.83.61:443 trk.lemon-ade.site tcp
N/A 8.8.8.8:53 utopia-privacy.com udp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 8.8.8.8:53 www.googletagmanager.com udp
N/A 142.250.179.168:443 www.googletagmanager.com tcp
N/A 142.250.179.168:443 www.googletagmanager.com tcp
N/A 8.8.8.8:53 kit.fontawesome.com udp
N/A 104.18.23.52:443 kit.fontawesome.com tcp
N/A 104.18.23.52:443 kit.fontawesome.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 77.88.21.119:443 mc.yandex.ru tcp
N/A 77.88.21.119:443 mc.yandex.ru tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.241:80 yandex.ocsp-responder.com tcp
N/A 8.8.8.8:53 www.google-analytics.com udp
N/A 216.58.214.14:443 www.google-analytics.com tcp
N/A 216.58.214.14:443 www.google-analytics.com tcp
N/A 8.8.8.8:53 ka-f.fontawesome.com udp
N/A 172.64.100.17:443 ka-f.fontawesome.com tcp
N/A 172.64.100.17:443 ka-f.fontawesome.com tcp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 8.8.8.8:53 stats.g.doubleclick.net udp
N/A 108.177.119.156:443 stats.g.doubleclick.net tcp
N/A 108.177.119.156:443 stats.g.doubleclick.net tcp
N/A 8.8.8.8:53 www.google.nl udp
N/A 172.217.168.227:443 www.google.nl tcp
N/A 172.217.168.227:443 www.google.nl tcp
N/A 51.140.157.153:443 tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 95.101.78.106:80 tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.12:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 aliexpress.5i8xkqjmqubv.top udp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp

Files

memory/4048-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1156-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-HP8F4.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1156-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2460-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-AB55B.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/2460-123-0x0000000002800000-0x0000000002802000-memory.dmp

memory/3756-124-0x0000000000000000-mapping.dmp

C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/3756-126-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\Google\MHOPDNFUMA\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/1264-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/1264-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IVEOE.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/1252-134-0x0000000000000000-mapping.dmp

memory/1052-133-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\7b-0ce3c-21d-14ca1-7bc0760e71fc0\Devugaraesae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

memory/2408-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

memory/1252-144-0x0000000001470000-0x0000000001472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kugosyzhype.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

memory/1052-145-0x0000000000D50000-0x0000000000D52000-memory.dmp

memory/2408-146-0x0000000000C50000-0x0000000000C52000-memory.dmp

memory/2408-147-0x0000000000C52000-0x0000000000C54000-memory.dmp

memory/1052-148-0x0000000000D52000-0x0000000000D54000-memory.dmp

memory/1052-149-0x0000000000D54000-0x0000000000D55000-memory.dmp

memory/1052-150-0x0000000000D55000-0x0000000000D57000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\99-fc9fb-026-b2983-e7e5bea262771\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/2408-151-0x0000000000C55000-0x0000000000C56000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 912b3118e85c3ae93ecd014897891614
SHA1 f0533c18ddb617a7db82b74484265cd6388aa4f3
SHA256 44fc2193cf8e1961244c4868703fac9f48465b66148db80243003481a3e5fce2
SHA512 3a0fb01a7fdbb2755b3f3c0d849c2473fd844c1d25b9d1e191578165e820eb9b47da7d6b7a5a8e38af44633072ae39b370380ce71851424caff0a11a30d7b6fb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 3c786fbc83e059ec3ef635fc7d6fef1c
SHA1 a9982d200934374e0fd8cfe8b241b85af739b543
SHA256 20115c366ca2e892e725122b66f2baa652de61c4ace1ff89c1ce8a5e16a1407d
SHA512 7764c1a6c387cc7656894754c200fc19d044c7676523ffb5d9545b056d7dfe9e7bdbfa9e0d13ccecdddf438858f25ffcbc88b66de6749d713a96745368824154

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5 9bd290c73c295139470b5a56f8d857bb
SHA1 c838907b18895bc98a601e27c30b5de9acef88e7
SHA256 bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968
SHA512 c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5 52e9f6cb573795f391e00163ad9e67c7
SHA1 087fd6ab37578fe748ae1fdb92da5f1876a1d366
SHA256 f8156b018d1815b05e58e3976495727364b0bbff478d5c5d8b10d5c04585b0f1
SHA512 d3fc71a20f26db58c342327fed104753d91c9bad20e2884a4613fbd01efc85771695cd04797111201c56a0901d7fb38491fa4f7f2be38d6b00817f0e61e428b5

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 06:47

Platform

win10v20210408

Max time kernel

301s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Tyxusaefybi.exe\"" C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UltraMediaBurner\is-156MS.tmp C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Internet Explorer\Tyxusaefybi.exe.config C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe N/A
File created C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe N/A
File created C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-9U8HH.tmp C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Internet Explorer\Tyxusaefybi.exe C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000012e733cb8cb1211d04fe91b06f1444b072dd1442605e1d5da14703d1e74703431a13deed774ded6c6aca50aaa0ab118f997fd471855b17f45b0e C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\Total = "795" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34AB C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "76" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "144" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\ = "795" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\Total = "709" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\utopia-privacy.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "v4n9iud" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "795" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 10f53b7ac154d701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\Total = "76" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\Total = "91" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\Total = "144" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "29" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\ = "76" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\ = "709" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\ = "144" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 472 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp
PID 472 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp
PID 472 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp
PID 1684 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe
PID 1684 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe
PID 848 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe
PID 848 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe
PID 848 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe
PID 1300 wrote to memory of 2100 N/A C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp
PID 1300 wrote to memory of 2100 N/A C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp
PID 1300 wrote to memory of 2100 N/A C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp
PID 848 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe
PID 848 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe
PID 848 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe
PID 848 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe
PID 2100 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 2100 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4216 wrote to memory of 4288 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp" /SL5="$400F6,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe

"C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp" /SL5="$80056,281924,62464,C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe

"C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe"

C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe

"C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 google.com udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 trk.lemon-ade.site udp
N/A 54.205.83.61:443 trk.lemon-ade.site tcp
N/A 54.205.83.61:443 trk.lemon-ade.site tcp
N/A 8.8.8.8:53 kodim.rdtk.io udp
N/A 54.205.83.61:443 trk.lemon-ade.site tcp
N/A 54.205.83.61:443 trk.lemon-ade.site tcp
N/A 23.105.36.164:443 kodim.rdtk.io tcp
N/A 23.105.36.164:443 kodim.rdtk.io tcp
N/A 8.8.8.8:53 utopia-privacy.com udp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 8.8.8.8:53 www.googletagmanager.com udp
N/A 8.8.8.8:53 kit.fontawesome.com udp
N/A 142.250.179.168:443 www.googletagmanager.com tcp
N/A 142.250.179.168:443 www.googletagmanager.com tcp
N/A 104.18.22.52:443 kit.fontawesome.com tcp
N/A 104.18.22.52:443 kit.fontawesome.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 87.250.251.119:443 mc.yandex.ru tcp
N/A 87.250.251.119:443 mc.yandex.ru tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.243:80 yandex.ocsp-responder.com tcp
N/A 8.8.8.8:53 ka-f.fontawesome.com udp
N/A 172.64.101.17:443 ka-f.fontawesome.com tcp
N/A 172.64.101.17:443 ka-f.fontawesome.com tcp
N/A 172.64.101.17:443 ka-f.fontawesome.com tcp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 185.196.8.138:443 utopia-privacy.com tcp
N/A 8.8.8.8:53 www.google-analytics.com udp
N/A 216.58.214.14:443 www.google-analytics.com tcp
N/A 216.58.214.14:443 www.google-analytics.com tcp
N/A 8.8.8.8:53 stats.g.doubleclick.net udp
N/A 108.177.119.156:443 stats.g.doubleclick.net tcp
N/A 108.177.119.156:443 stats.g.doubleclick.net tcp
N/A 8.8.8.8:53 www.google.nl udp
N/A 172.217.168.227:443 www.google.nl tcp
N/A 172.217.168.227:443 www.google.nl tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp

Files

memory/472-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1684-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-SDS85.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

memory/1684-118-0x00000000001E0000-0x00000000001E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/848-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-BU5S6.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/848-123-0x0000000002E70000-0x0000000002E72000-memory.dmp

memory/1300-124-0x0000000000000000-mapping.dmp

C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Program Files\Microsoft Office\ZGHUZMIUAU\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/1300-126-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2100-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/2100-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1136-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\d6-e9345-00a-01b88-89687efe3ad6b\Maefelyxaju.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/3840-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Mazhixuhuko.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\is-3R03H.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/1136-141-0x0000000002400000-0x0000000002402000-memory.dmp

memory/3840-142-0x00000000007D0000-0x00000000007D2000-memory.dmp

memory/2232-143-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/2232-146-0x0000000001520000-0x0000000001522000-memory.dmp

memory/3840-147-0x00000000007D2000-0x00000000007D4000-memory.dmp

memory/2232-148-0x0000000001524000-0x0000000001525000-memory.dmp

memory/2232-149-0x0000000001522000-0x0000000001524000-memory.dmp

memory/2232-150-0x0000000001525000-0x0000000001527000-memory.dmp

memory/3840-151-0x00000000007D5000-0x00000000007D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ae-bb28d-26a-8a39b-3e0e7b56b0fac\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Analysis: behavioral3

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 06:52

Platform

win10v20210410

Max time kernel

602s

Max time network

380s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\ZHaenaqodady.exe\"" C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-2ID03.tmp C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-PERFV.tmp C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ZHaenaqodady.exe C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe N/A
File created C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ZHaenaqodady.exe.config C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000079c9aa1c5966156483cb1db692e71b2b09b00b9f9d02ee4dee06e256f205251ae0e42e9922b408587b024564fbe3402f9adb7562901e4aa864d2c22b1f4467833d4992eaea26c2f705caed1f97601d51e548188f439a7a060c1a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com\NumberOfSu = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "112" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 7053b86f1940d701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000c260a6127c042d1c54c547aedf7e9b55225ea4c9509cad66d14d96be57f57e9acbcaccc967e6fb6886bf94617fd128f7db4fd421fab3e1cafd99b0d8c866 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = bcdf7510e73fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "91" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp
PID 2112 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp
PID 2112 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp
PID 2456 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe
PID 2456 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe
PID 2748 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe
PID 2748 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe
PID 2748 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe
PID 1564 wrote to memory of 3928 N/A C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp
PID 1564 wrote to memory of 3928 N/A C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp
PID 1564 wrote to memory of 3928 N/A C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp
PID 2748 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe
PID 2748 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe
PID 3928 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 3928 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 2748 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe
PID 2748 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe
PID 4360 wrote to memory of 4428 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4360 wrote to memory of 4428 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4360 wrote to memory of 4428 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4360 wrote to memory of 4428 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4360 wrote to memory of 4428 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4360 wrote to memory of 4428 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4360 wrote to memory of 4428 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4360 wrote to memory of 4428 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp" /SL5="$30084,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe

"C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp" /SL5="$C004A,281924,62464,C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe

"C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe

"C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 iplogger.org udp
N/A 88.99.66.31:443 iplogger.org tcp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 google.com udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 18.213.141.125:443 venetrigni.com tcp
N/A 18.213.141.125:443 venetrigni.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 click.hooligapps.com udp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 8.8.8.8:53 theonlygames.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 8.8.8.8:53 nextgencounter.com udp
N/A 8.8.8.8:53 my.rtmark.net udp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 95.211.229.247:443 main.exdynsrv.com tcp
N/A 95.211.229.247:443 main.exdynsrv.com tcp
N/A 8.8.8.8:53 main.exoclick.com udp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 8.8.8.8:53 main.realsrv.com udp
N/A 95.211.229.246:443 main.realsrv.com tcp
N/A 95.211.229.246:443 main.realsrv.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 87.250.250.119:443 mc.yandex.ru tcp
N/A 87.250.250.119:443 mc.yandex.ru tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 yourfreecounter.com udp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.243:80 yandex.ocsp-responder.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp

Files

memory/2112-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2456-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-3RL3L.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2456-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2748-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-SDHPR.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/2748-123-0x00000000014F0000-0x00000000014F2000-memory.dmp

memory/1564-124-0x0000000000000000-mapping.dmp

memory/1564-126-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Program Files\Google\TLXURDQMXW\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/3928-128-0x0000000000000000-mapping.dmp

memory/3928-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-L3VGV.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/3932-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\b5-9439d-a4f-5908e-76f175bd00618\Limozhybibae.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/2780-137-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/3008-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\ZHesytuxaedy.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/3932-144-0x0000000002570000-0x0000000002572000-memory.dmp

memory/2780-145-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

memory/3008-146-0x0000000000E00000-0x0000000000E02000-memory.dmp

memory/3008-147-0x0000000000E02000-0x0000000000E04000-memory.dmp

memory/2780-148-0x0000000000AD2000-0x0000000000AD4000-memory.dmp

memory/2780-149-0x0000000000AD4000-0x0000000000AD5000-memory.dmp

memory/2780-150-0x0000000000AD5000-0x0000000000AD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\be-853e8-770-52e94-2d60904e5c5aa\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/3008-152-0x0000000000E05000-0x0000000000E06000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 07:12

Platform

win10v20210410

Max time kernel

1800s

Max time network

1753s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Hynaepuvacu.exe\"" C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe N/A
File created C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Mail\Hynaepuvacu.exe.config C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-63ACQ.tmp C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-CG82G.tmp C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Mail\Hynaepuvacu.exe C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1009" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "934" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "112" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000003aaec3c214fcd0bc9c3ee84037f394a91a61a76d68735650892806602f4570fc423bb6acff748713c2739a1f672b3777cdd027cca661805963e0 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = df2fcf35e93fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f2865c0ae73fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "144" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "144" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4452 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp
PID 4452 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp
PID 4452 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp
PID 4940 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe
PID 4940 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe
PID 4068 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe
PID 4068 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe
PID 4068 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe
PID 4000 wrote to memory of 3976 N/A C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp
PID 4000 wrote to memory of 3976 N/A C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp
PID 4000 wrote to memory of 3976 N/A C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp
PID 3976 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 3976 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 4068 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe
PID 4068 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe
PID 4068 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe
PID 4068 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 4460 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4336 wrote to memory of 5104 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp" /SL5="$4007A,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe

"C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp" /SL5="$30030,281924,62464,C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe" /VERYSILENT

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe

"C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe"

C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe

"C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 google.com udp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.20:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.20:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 192.243.59.20:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.20:443 www.profitabletrustednetwork.com tcp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 8.8.8.8:53 click.hooligapps.com udp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 8.8.8.8:53 theonlygames.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 8.8.8.8:53 nextgencounter.com udp
N/A 8.8.8.8:53 my.rtmark.net udp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 8.8.8.8:53 main.exoclick.com udp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 8.8.8.8:53 main.realsrv.com udp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 87.250.250.119:443 mc.yandex.ru tcp
N/A 87.250.250.119:443 mc.yandex.ru tcp
N/A 8.8.8.8:53 yourfreecounter.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 52.72.111.72:80 yourfreecounter.com tcp
N/A 52.72.111.72:80 yourfreecounter.com tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.241:80 yandex.ocsp-responder.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 192.243.59.20:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.20:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.20:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.20:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 aliexpress.5i8xkqjmqubv.top udp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp

Files

memory/4452-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4940-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-QUN1D.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/4940-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/4068-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-3INRL.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/4068-123-0x0000000001380000-0x0000000001382000-memory.dmp

memory/4000-124-0x0000000000000000-mapping.dmp

memory/4000-126-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Program Files\Mozilla Firefox\BXYKTSCXNT\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/3976-128-0x0000000000000000-mapping.dmp

memory/3976-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FI97I.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/4172-133-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/1732-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\05-3480b-26e-03ca3-d859a27512c23\Tylyduvotae.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/4264-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Bebazhuvigi.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

memory/4172-144-0x0000000002940000-0x0000000002942000-memory.dmp

memory/1732-145-0x0000000002AD0000-0x0000000002AD2000-memory.dmp

memory/4264-146-0x0000000002640000-0x0000000002642000-memory.dmp

memory/4264-148-0x0000000002642000-0x0000000002644000-memory.dmp

memory/4172-147-0x0000000002942000-0x0000000002944000-memory.dmp

memory/4172-150-0x0000000002945000-0x0000000002947000-memory.dmp

memory/4172-149-0x0000000002944000-0x0000000002945000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c3-3f263-942-50384-18036980df295\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/4264-152-0x0000000002645000-0x0000000002646000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5 16e4d5ad53add7283086bb2628ca92b9
SHA1 5511145df8a5968bae9213902df1007cd8c2c6b3
SHA256 b4efa166fd0441cd9a392c72d8e584903fea343d8fe44e3a578c5221fa82f221
SHA512 02e4330b868f6744866e5e04f6a7bfede46891234f8947d4665a8301272f494bf9799246d6a9f19a98543cdb6c7b8780ff942100ef08d73d06cce409cf09b67e

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5 9bd290c73c295139470b5a56f8d857bb
SHA1 c838907b18895bc98a601e27c30b5de9acef88e7
SHA256 bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968
SHA512 c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 912b3118e85c3ae93ecd014897891614
SHA1 f0533c18ddb617a7db82b74484265cd6388aa4f3
SHA256 44fc2193cf8e1961244c4868703fac9f48465b66148db80243003481a3e5fce2
SHA512 3a0fb01a7fdbb2755b3f3c0d849c2473fd844c1d25b9d1e191578165e820eb9b47da7d6b7a5a8e38af44633072ae39b370380ce71851424caff0a11a30d7b6fb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 c04cd6eb8c9796e68a8f0a1e098845fc
SHA1 4a867a8e2b6b42eb0174bbd21ae69b3c00f97c4a
SHA256 01cb6e16ff35a36aedf14177857202cb0292a171baf1a84052d243a7829430a8
SHA512 d1ed35bda711427320b4e5a9a91c3e190a364a1c86408fd1c1eca47ac9a6265d911a65f88b742a96d0a82f97f29b57ba79c37d8f92e68d822f6638c6f7113bc2

Analysis: behavioral12

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 07:12

Platform

win10v20210410

Max time kernel

1800s

Max time network

1755s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Nolokyzhushae.exe\"" C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-TKP9C.tmp C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-4FFKO.tmp C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Defender\Nolokyzhushae.exe C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe N/A
File created C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 844e3e11e73fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "9" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 807ab86f1940d701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{1F971C76-EB6D-4855-9EF3-78FE1E48E2B0}" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "90" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "75" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = dbe9fc35e93fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3768 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp
PID 3768 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp
PID 3768 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp
PID 196 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe
PID 196 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe
PID 3872 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe
PID 3872 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe
PID 3872 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe
PID 3876 wrote to memory of 4060 N/A C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp
PID 3876 wrote to memory of 4060 N/A C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp
PID 3876 wrote to memory of 4060 N/A C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp
PID 3872 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe
PID 3872 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe
PID 4060 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 4060 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 3872 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe
PID 3872 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4524 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4460 wrote to memory of 4612 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp" /SL5="$2012E,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe

"C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp" /SL5="$B0060,281924,62464,C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe" /VERYSILENT

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe

"C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe"

C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe

"C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 iplogger.org udp
N/A 88.99.66.31:443 iplogger.org tcp
N/A 8.8.8.8:53 google.com udp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 click.hooligapps.com udp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 8.8.8.8:53 theonlygames.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 8.8.8.8:53 nextgencounter.com udp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 8.8.8.8:53 my.rtmark.net udp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 95.211.229.245:443 main.exdynsrv.com tcp
N/A 95.211.229.245:443 main.exdynsrv.com tcp
N/A 8.8.8.8:53 main.exoclick.com udp
N/A 95.211.229.245:443 main.exoclick.com tcp
N/A 95.211.229.245:443 main.exoclick.com tcp
N/A 8.8.8.8:53 main.realsrv.com udp
N/A 95.211.229.246:443 main.realsrv.com tcp
N/A 95.211.229.246:443 main.realsrv.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 77.88.21.119:443 mc.yandex.ru tcp
N/A 77.88.21.119:443 mc.yandex.ru tcp
N/A 8.8.8.8:53 yourfreecounter.com udp
N/A 52.72.111.72:80 yourfreecounter.com tcp
N/A 52.72.111.72:80 yourfreecounter.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.245:80 yandex.ocsp-responder.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 aliexpress.5i8xkqjmqubv.top udp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp

Files

memory/3768-114-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SFS9R.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

memory/196-115-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/196-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/3872-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-K5SVQ.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/3872-123-0x0000000000C00000-0x0000000000C02000-memory.dmp

memory/3876-124-0x0000000000000000-mapping.dmp

C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/3876-126-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\Reference Assemblies\FNFRLKGEZE\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/4060-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/4060-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TM2J4.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/1584-133-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Users\Admin\AppData\Local\Temp\ce-e5615-0bc-8aba9-bae97ab301f8f\Vividesafu.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

memory/4092-134-0x0000000000000000-mapping.dmp

memory/2560-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

memory/2560-145-0x00000000012A0000-0x00000000012A2000-memory.dmp

memory/1584-146-0x0000000002B90000-0x0000000002B92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Wopopyxaego.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/4092-141-0x00000000028F0000-0x00000000028F2000-memory.dmp

memory/4092-147-0x00000000028F2000-0x00000000028F4000-memory.dmp

memory/2560-148-0x00000000012A2000-0x00000000012A4000-memory.dmp

memory/4092-149-0x00000000028F4000-0x00000000028F5000-memory.dmp

memory/4092-150-0x00000000028F5000-0x00000000028F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f8-a346c-f4b-16798-0334a0de191e5\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

memory/2560-152-0x00000000012A5000-0x00000000012A6000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5 9bd290c73c295139470b5a56f8d857bb
SHA1 c838907b18895bc98a601e27c30b5de9acef88e7
SHA256 bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968
SHA512 c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5 d8517e0083eec56355cba6433818fa96
SHA1 9938c82a66db384839b61898a8b6bfd90d9fdd3c
SHA256 c0bd842679df8b8e2c047b93c0407b2a96a976083d37a48a89129ca9e822c923
SHA512 28aa0d0925fa066d2a8b0825fa071dda2611f91629c9c1d00e2071cb5ae2bf5d2190fee96a0f42e6f1a7657f0a3adb8b043957a66135f741972a326056923322

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 912b3118e85c3ae93ecd014897891614
SHA1 f0533c18ddb617a7db82b74484265cd6388aa4f3
SHA256 44fc2193cf8e1961244c4868703fac9f48465b66148db80243003481a3e5fce2
SHA512 3a0fb01a7fdbb2755b3f3c0d849c2473fd844c1d25b9d1e191578165e820eb9b47da7d6b7a5a8e38af44633072ae39b370380ce71851424caff0a11a30d7b6fb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 87444c6efcbe798cd8161599914cd9a7
SHA1 d9b2c5184ae84d0d2c47aed0f1a0acf0e06a05c6
SHA256 32371c489224ac8a86b99ca5ce0edeb05da3e3710dc35cd2fd9f85846f586361
SHA512 1badff9c0beed00aa771b9ba4993d8b6f823c7f3b9fbc2b8c270aa88c87404cb9965fcd9b26684f20a7f7283b112f1bc1a5bb593bc58dcea327e22f67f782e83

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 06:43

Platform

win10v20210410

Max time kernel

61s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Vushaeqaejipae.exe\"" C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe N/A
File created C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-3F9R2.tmp C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-C1O0G.tmp C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Windows Portable Devices\Vushaeqaejipae.exe C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\Vushaeqaejipae.exe.config C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com\NumberOfSu = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000aea397fcb8ebe33c80ff4297fbff0905d64af8984c869309dd7fffa52b8fb26b376da4d823afdd6a725575afdb7fbb76afab443c76ff706d41439c0764a6 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "1013" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3348250ae73fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "29" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "91" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{55B501EF-5874-4092-8168-2767092B0E14} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp
PID 3992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp
PID 3992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp
PID 2784 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe
PID 2784 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe
PID 200 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe
PID 200 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe
PID 200 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe
PID 3448 wrote to memory of 2160 N/A C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp
PID 3448 wrote to memory of 2160 N/A C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp
PID 3448 wrote to memory of 2160 N/A C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp
PID 2160 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 2160 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 200 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe
PID 200 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe
PID 200 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe
PID 200 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe
PID 4332 wrote to memory of 4400 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 4400 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 4400 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 4400 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 4400 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 4400 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 4400 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 4400 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp" /SL5="$30084,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe

"C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp" /SL5="$50060,281924,62464,C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe" /VERYSILENT

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe

"C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe"

C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe

"C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 iplogger.org udp
N/A 88.99.66.31:443 iplogger.org tcp
N/A 8.8.8.8:53 google.com udp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 18.213.141.125:443 venetrigni.com tcp
N/A 18.213.141.125:443 venetrigni.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 click.hooligapps.com udp
N/A 172.67.172.137:443 click.hooligapps.com tcp
N/A 172.67.172.137:443 click.hooligapps.com tcp
N/A 8.8.8.8:53 theonlygames.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 8.8.8.8:53 nextgencounter.com udp
N/A 104.21.61.108:443 nextgencounter.com tcp
N/A 104.21.61.108:443 nextgencounter.com tcp
N/A 8.8.8.8:53 my.rtmark.net udp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 95.211.229.247:443 main.exdynsrv.com tcp
N/A 95.211.229.247:443 main.exdynsrv.com tcp
N/A 8.8.8.8:53 main.exoclick.com udp
N/A 95.211.229.247:443 main.exoclick.com tcp
N/A 95.211.229.247:443 main.exoclick.com tcp
N/A 8.8.8.8:53 main.realsrv.com udp
N/A 95.211.229.247:443 main.realsrv.com tcp
N/A 95.211.229.247:443 main.realsrv.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 87.250.251.119:443 mc.yandex.ru tcp
N/A 87.250.251.119:443 mc.yandex.ru tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 yourfreecounter.com udp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.241:80 yandex.ocsp-responder.com tcp

Files

memory/3992-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2784-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-VGLQG.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2784-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-78QKG.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/200-120-0x0000000000000000-mapping.dmp

memory/200-123-0x0000000003030000-0x0000000003032000-memory.dmp

memory/3448-124-0x0000000000000000-mapping.dmp

C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/3448-126-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\Windows Defender Advanced Threat Protection\IYOVDFSCKP\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/2160-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-GKNVP.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/2140-133-0x0000000000000000-mapping.dmp

memory/3260-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

memory/2160-136-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/3260-141-0x0000000002290000-0x0000000002292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44-17a2a-21c-dcf8e-ebd4332e81792\Cyshaefawite.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

memory/2140-140-0x0000000002AC0000-0x0000000002AC2000-memory.dmp

memory/3852-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Lypovaelava.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

memory/3852-146-0x0000000003150000-0x0000000003152000-memory.dmp

memory/3260-147-0x0000000002292000-0x0000000002294000-memory.dmp

memory/3852-148-0x0000000003152000-0x0000000003154000-memory.dmp

memory/3260-149-0x0000000002294000-0x0000000002295000-memory.dmp

memory/3260-150-0x0000000002295000-0x0000000002297000-memory.dmp

memory/3852-151-0x0000000003155000-0x0000000003156000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7f-2f422-96a-6dcb3-bc423c19e4dbf\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Analysis: behavioral7

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 07:12

Platform

win10v20210408

Max time kernel

1801s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Vaqygomoce.exe\"" C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-HQKUM.tmp C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-TDVIR.tmp C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\Common Files\Vaqygomoce.exe C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\Common Files\Vaqygomoce.exe.config C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp N/A
File created C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000bc655ace8e5d51c92e82b95981f0c9bf44112e36026bf1cdbb29c8f7918911c105963c02b5ec55d386742a1f8838194767d8f88fdf36cd86b166b3b91cf213fe38fbe0e0dddc27122844f7f6109082fc8531912c65d52fe7f9f4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 201a99e3f83fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 0080e52e584ed701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "rjz64m8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "75" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "1004" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "90" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "326866488" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "90" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "928" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "143" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 1d24df8b702cd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 644 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp
PID 644 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp
PID 644 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp
PID 3712 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe
PID 3712 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe
PID 412 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe
PID 412 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe
PID 412 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe
PID 3852 wrote to memory of 3048 N/A C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp
PID 3852 wrote to memory of 3048 N/A C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp
PID 3852 wrote to memory of 3048 N/A C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp
PID 412 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe
PID 412 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe
PID 412 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe
PID 412 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe
PID 3048 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 3048 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 4396 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4324 wrote to memory of 188 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp" /SL5="$6005A,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe

"C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp" /SL5="$70030,281924,62464,C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe

"C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe"

C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe

"C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 google.com udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 52.72.111.72:443 venetrigni.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 click.hooligapps.com udp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 8.8.8.8:53 theonlygames.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 8.8.8.8:53 nextgencounter.com udp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 8.8.8.8:53 my.rtmark.net udp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 8.8.8.8:53 main.exoclick.com udp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 8.8.8.8:53 main.realsrv.com udp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 87.250.250.119:443 mc.yandex.ru tcp
N/A 87.250.250.119:443 mc.yandex.ru tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 yourfreecounter.com udp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.243:80 yandex.ocsp-responder.com tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 95.211.229.246:443 main.exdynsrv.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 aliexpress.5i8xkqjmqubv.top udp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp

Files

memory/644-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3712-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-JABDT.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

memory/3712-118-0x00000000001E0000-0x00000000001E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/412-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-1QGPM.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/412-123-0x0000000002E10000-0x0000000002E12000-memory.dmp

C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

C:\Program Files\Common Files\QBAWGFTBUK\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/3852-126-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3852-124-0x0000000000000000-mapping.dmp

memory/3048-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/3048-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1296-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\50-3a698-3e1-c728e-f032d3246ce62\Gykagaegaexi.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\is-3URJL.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/1296-137-0x0000000002B40000-0x0000000002B42000-memory.dmp

memory/3076-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Naeqihudeci.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

memory/3904-142-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/3904-146-0x00000000023A0000-0x00000000023A2000-memory.dmp

memory/3076-145-0x0000000002290000-0x0000000002292000-memory.dmp

memory/3076-147-0x0000000002292000-0x0000000002294000-memory.dmp

memory/3904-148-0x00000000023A2000-0x00000000023A4000-memory.dmp

memory/3904-149-0x00000000023A4000-0x00000000023A5000-memory.dmp

memory/3076-150-0x0000000002295000-0x0000000002296000-memory.dmp

memory/3904-151-0x00000000023A5000-0x00000000023A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e0-9f608-ef4-1f982-0ee957c4dc691\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 912b3118e85c3ae93ecd014897891614
SHA1 f0533c18ddb617a7db82b74484265cd6388aa4f3
SHA256 44fc2193cf8e1961244c4868703fac9f48465b66148db80243003481a3e5fce2
SHA512 3a0fb01a7fdbb2755b3f3c0d849c2473fd844c1d25b9d1e191578165e820eb9b47da7d6b7a5a8e38af44633072ae39b370380ce71851424caff0a11a30d7b6fb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 e2099c057935e884977ccc4007ef94bc
SHA1 7ba682684cd0a5021de5774636c71774ae4f0790
SHA256 e68ffa0f372f4282369c5ab3f8365bb8dd165fd97980e261a3084ccc4284ed5f
SHA512 b1cc32bdb8dad9a77d3898e656c598ba8adde581930033a81866b0bfb633dd17450f673c0f66433be073fdeecf99bdd8f5641891f47e8ef2b877ed3b8f270545

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5 9bd290c73c295139470b5a56f8d857bb
SHA1 c838907b18895bc98a601e27c30b5de9acef88e7
SHA256 bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968
SHA512 c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5 46ee1f2183e91de58bb949fd3af39374
SHA1 f4f99ba57ead48c554e41abc766f6d286a2ec90c
SHA256 42146321699b72632d289929cb5442469056f979c7d75be8d8d4dbecea461843
SHA512 f8f4fb35f34458e40f23af2873c31458d7419ae4eef171e222292ccb6c81aeb4b6fb8892feec6aab0dfe991da67bd1f85f1efa6888e81d8e52dba6ed6358e0d5

Analysis: behavioral9

Detonation Overview

Submitted

2021-05-03 06:42

Reported

2021-05-03 07:12

Platform

win10v20210408

Max time kernel

1802s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xijushehagi.exe\"" C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UltraMediaBurner\is-UR1CI.tmp C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-2RCR7.tmp C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\WindowsPowerShell\Xijushehagi.exe C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Xijushehagi.exe.config C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe N/A
File created C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe N/A
File created C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "90" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{E937F7DE-6F21-47E3-A7D7-1546400B2473}" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "111" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 7065ade3f83fd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = d02e4b352b40d701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "28" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000d22cbe724ce049b2c471c4292fb9ab0632efe0b42029b06e61e765faa7688ad8dbb03b743774fb902a56b174266b38cfe91a98b1c5305fda1bc6 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "326816382" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "47" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000d3791ad54b3dacf6dd8e479414c6f3f1839c243d2fa5e1d738e7eb571c0d79577ad77d4850c45a1ad519321a3dc5b34dc0be441fc2de7e15d25ad6a78152473957262a775878323fbb1d9513e52324d38273c25a0833d8443a73 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "otmaut3" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\theonlygames.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 908 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp
PID 908 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp
PID 908 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp
PID 3940 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe
PID 3940 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe
PID 216 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe
PID 216 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe
PID 216 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe
PID 2112 wrote to memory of 2200 N/A C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp
PID 2112 wrote to memory of 2200 N/A C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp
PID 2112 wrote to memory of 2200 N/A C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp
PID 216 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe
PID 216 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe
PID 216 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe
PID 216 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe
PID 2200 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 2200 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4336 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4268 wrote to memory of 4384 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp" /SL5="$50052,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe

"C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe" /S /UID=burnerch1

C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe

"C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp" /SL5="$80030,281924,62464,C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe

"C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe"

C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe

"C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 global-sc-ltd.com udp
N/A 199.188.201.83:80 global-sc-ltd.com tcp
N/A 8.8.8.8:53 limesfile.com udp
N/A 198.54.126.101:80 limesfile.com tcp
N/A 8.8.8.8:53 reportyuwt4sbackv97qarke3.com udp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 172.217.17.36:80 www.google.com tcp
N/A 8.8.8.8:53 iplogger.org udp
N/A 88.99.66.31:443 iplogger.org tcp
N/A 8.8.8.8:53 connectini.net udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 8.8.8.8:53 google.com udp
N/A 162.0.210.44:443 connectini.net tcp
N/A 162.0.220.187:80 reportyuwt4sbackv97qarke3.com tcp
N/A 8.8.8.8:53 www.profitabletrustednetwork.com udp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 venetrigni.com udp
N/A 18.213.141.125:443 venetrigni.com tcp
N/A 18.213.141.125:443 venetrigni.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 click.hooligapps.com udp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 104.21.88.44:443 click.hooligapps.com tcp
N/A 8.8.8.8:53 theonlygames.com udp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 ln.gamesrevenue.com udp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 204.155.147.176:443 ln.gamesrevenue.com tcp
N/A 8.8.8.8:53 nextgencounter.com udp
N/A 8.8.8.8:53 my.rtmark.net udp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 172.67.209.21:443 nextgencounter.com tcp
N/A 8.8.8.8:53 main.exdynsrv.com udp
N/A 8.8.8.8:53 main.exoclick.com udp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 139.45.195.8:443 my.rtmark.net tcp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 95.211.229.246:443 main.exoclick.com tcp
N/A 95.211.229.247:443 main.exoclick.com tcp
N/A 95.211.229.247:443 main.exoclick.com tcp
N/A 8.8.8.8:53 main.realsrv.com udp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 95.211.229.245:443 main.realsrv.com tcp
N/A 8.8.8.8:53 mc.yandex.ru udp
N/A 87.250.250.119:443 mc.yandex.ru tcp
N/A 87.250.250.119:443 mc.yandex.ru tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 104.21.24.48:443 theonlygames.com tcp
N/A 8.8.8.8:53 yourfreecounter.com udp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 18.213.141.125:80 yourfreecounter.com tcp
N/A 8.8.8.8:53 yandex.ocsp-responder.com udp
N/A 5.45.205.243:80 yandex.ocsp-responder.com tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 8.8.8.8:53 www.bing.com udp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 204.79.197.200:443 www.bing.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 192.243.59.13:443 www.profitabletrustednetwork.com tcp
N/A 8.8.8.8:53 aliexpress.5i8xkqjmqubv.top udp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp
N/A 194.63.143.61:443 aliexpress.5i8xkqjmqubv.top tcp

Files

memory/908-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3940-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-DMAKH.tmp\Install.tmp

MD5 45ca138d0bb665df6e4bef2add68c7bf
SHA1 12c1a48e3a02f319a3d3ca647d04442d55e09265
SHA256 3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512 cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

memory/3940-118-0x00000000001E0000-0x00000000001E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/216-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

C:\Users\Admin\AppData\Local\Temp\is-S6G0A.tmp\Ultra.exe

MD5 cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1 ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA256 0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA512 49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

memory/216-123-0x00000000027D0000-0x00000000027D2000-memory.dmp

C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/2112-124-0x0000000000000000-mapping.dmp

memory/2112-126-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Program Files\Reference Assemblies\PYHYWZOANH\ultramediaburner.exe

MD5 6103ca066cd5345ec41feaf1a0fdadaf
SHA1 938acc555933ee4887629048be4b11df76bb8de8
SHA256 b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512 a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

memory/2200-128-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

memory/2200-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2276-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

C:\Users\Admin\AppData\Local\Temp\35-80c92-d44-ef6b8-143d68e232049\Lesisuvaewae.exe

MD5 3ff7832ac6c44aea5e9652a33d5050ad
SHA1 cbf63d3811674b4fb2249f84d91528f1f3f158a2
SHA256 9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b
SHA512 7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

memory/3828-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe

MD5 24988abf1cac1c74e9385b4bff16e8f7
SHA1 50bae2be9668aad4f3a3a7d404c731f541b12f67
SHA256 afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c
SHA512 a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Xuluxicaegi.exe.config

MD5 98d2687aec923f98c37f7cda8de0eb19
SHA1 f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA256 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA512 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

memory/2276-141-0x00000000027D0000-0x00000000027D2000-memory.dmp

memory/3828-142-0x0000000002F30000-0x0000000002F32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IFQF9.tmp\ultramediaburner.tmp

MD5 4e8c7308803ce36c8c2c6759a504c908
SHA1 a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA256 90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512 780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

MD5 7124be0b78b9f4976a9f78aaeaed893a
SHA1 804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256 bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA512 49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

memory/3600-143-0x0000000000000000-mapping.dmp

memory/3600-146-0x0000000002C10000-0x0000000002C12000-memory.dmp

memory/3828-147-0x0000000002F32000-0x0000000002F34000-memory.dmp

memory/3600-148-0x0000000002C12000-0x0000000002C14000-memory.dmp

memory/3600-149-0x0000000002C14000-0x0000000002C15000-memory.dmp

memory/3600-150-0x0000000002C15000-0x0000000002C17000-memory.dmp

memory/3828-151-0x0000000002F35000-0x0000000002F36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38-141a1-7bb-d7db3-dee2c61656c4a\Kenessey.txt

MD5 97384261b8bbf966df16e5ad509922db
SHA1 2fc42d37fee2c81d767e09fb298b70c748940f86
SHA256 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512 b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 912b3118e85c3ae93ecd014897891614
SHA1 f0533c18ddb617a7db82b74484265cd6388aa4f3
SHA256 44fc2193cf8e1961244c4868703fac9f48465b66148db80243003481a3e5fce2
SHA512 3a0fb01a7fdbb2755b3f3c0d849c2473fd844c1d25b9d1e191578165e820eb9b47da7d6b7a5a8e38af44633072ae39b370380ce71851424caff0a11a30d7b6fb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B079D7ED1B8C22A8D960DDC0E7D2E0C9

MD5 37a0fefb8904fc1753516201d6af843c
SHA1 007faaddbf72307cc13065d43c735fb759707584
SHA256 8df625f0756ce2c3b830298ce5c91a7a270aabf29ce4df618af677a163a44fe0
SHA512 16f797ca2ba729c1304c558bef4807e4eaafb7aabcac980e7b5409f4d216a43f475eb8c141162500eecafa4af7eed3fb73f02009e02672dbb3e13f4b30c3e378

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4

MD5 9bd290c73c295139470b5a56f8d857bb
SHA1 c838907b18895bc98a601e27c30b5de9acef88e7
SHA256 bfc8f14e57e8fe77f10ec2c420b746a75291c034dd872bc673e459ebfdac5968
SHA512 c8a77182ce1832fe96f35a2816120c9df00eca1aa29dce49a111f057d3583b3b25a69c88f579cc84f4ff43fbf17f663a1e07234aacdd1831bbdb443f8f234e36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4

MD5 7743816ce3bbb258a4b93b62bb881f2d
SHA1 78250460be1d5d06ff25e15cbb8e03b2c3ecfb69
SHA256 3566b9ac2d35bf45a45e630c2ba2ade43b71f0dd040a233aeb9c8a080bc66667
SHA512 20cf8541931ba49a37b2a26cff48eeee88f41d719ab26407f877b30e3b634b13f8a536f609413f924918d661ad486ded719feb920845b3a213874fdd717c911f