Analysis Overview
Threat Level: Known bad
The file https://oxy.name/d/CdMh was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Executes dropped EXE
Looks up external IP address via web service
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 16:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 16:36
Reported
2024-03-28 16:41
Platform
win10v2004-20240226-en
Max time kernel
118s
Max time network
203s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO42006F18\XBN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO4203A718\XBN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO42065318\XBN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO420F72F8\XBN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO4200BFE8\XBN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO420EDAE8\XBN.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.name/d/CdMh
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe83246f8,0x7fffe8324708,0x7fffe8324718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Roblox Cheat.zip"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO420965F7\Пароль.txt
C:\Users\Admin\AppData\Local\Temp\7zO42006F18\XBN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO42006F18\XBN.exe"
C:\Users\Admin\AppData\Local\Temp\7zO4203A718\XBN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4203A718\XBN.exe"
C:\Users\Admin\AppData\Local\Temp\7zO42065318\XBN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO42065318\XBN.exe"
C:\Users\Admin\AppData\Local\Temp\7zO420F72F8\XBN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO420F72F8\XBN.exe"
C:\Users\Admin\AppData\Local\Temp\7zO4200BFE8\XBN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4200BFE8\XBN.exe"
C:\Users\Admin\AppData\Local\Temp\7zO420EDAE8\XBN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO420EDAE8\XBN.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oxy.name | udp |
| US | 104.21.70.24:443 | oxy.name | tcp |
| US | 8.8.8.8:53 | oxy.st | udp |
| RU | 185.178.208.137:443 | oxy.st | tcp |
| US | 8.8.8.8:53 | contextual.media.net | udp |
| GB | 104.78.176.27:443 | contextual.media.net | tcp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.70.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.208.178.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.176.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ads.themoneytizer.com | udp |
| US | 8.8.8.8:53 | cdn.adlook.me | udp |
| US | 8.8.8.8:53 | smatr.net | udp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| US | 172.67.43.178:443 | ads.themoneytizer.com | tcp |
| US | 172.67.43.178:443 | ads.themoneytizer.com | tcp |
| US | 8.8.8.8:53 | lg3.media.net | udp |
| NL | 88.208.46.222:443 | smatr.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 193.17.93.93:443 | cdn.adlook.me | tcp |
| GB | 2.23.160.20:443 | lg3.media.net | tcp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | tag.leadplace.fr | udp |
| US | 8.8.8.8:53 | sdk.amazonaws.com | udp |
| US | 8.8.8.8:53 | ced.sascdn.com | udp |
| US | 8.8.8.8:53 | gum.criteo.com | udp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| NL | 88.208.46.222:443 | smatr.net | tcp |
| US | 8.8.8.8:53 | secure.quantserve.com | udp |
| US | 8.8.8.8:53 | adtrack.adleadevent.com | udp |
| DE | 51.89.9.253:443 | onetag-sys.com | tcp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| GB | 2.19.117.7:443 | ced.sascdn.com | tcp |
| FR | 178.250.7.13:443 | gum.criteo.com | tcp |
| IE | 52.30.187.129:443 | p.cpx.to | tcp |
| DE | 91.228.74.168:443 | secure.quantserve.com | tcp |
| FR | 145.239.192.166:443 | tag.leadplace.fr | tcp |
| IE | 52.31.94.166:443 | adtrack.adleadevent.com | tcp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| FR | 18.164.52.24:443 | sdk.amazonaws.com | tcp |
| RU | 88.212.202.52:443 | counter.yadro.ru | tcp |
| DE | 178.63.248.57:443 | system-notify.app | tcp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | csm.fr3.eu.criteo.net | udp |
| US | 8.8.8.8:53 | ads.adlook.me | udp |
| DE | 162.19.138.82:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | rules.quantcount.com | udp |
| FR | 178.250.7.17:443 | csm.fr3.eu.criteo.net | tcp |
| RU | 78.140.242.69:443 | ads.adlook.me | tcp |
| FR | 18.244.28.87:443 | rules.quantcount.com | tcp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| US | 8.8.8.8:53 | pixel.quantserve.com | udp |
| DE | 157.90.33.122:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.43.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.46.208.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.131.154.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.93.17.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.7.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.9.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.192.239.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.94.31.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.187.30.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.74.228.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.52.164.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.248.63.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.202.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.201.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.138.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.7.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.28.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.33.90.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.242.140.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| US | 52.223.40.198:443 | match.adsrvr.org | tcp |
| NL | 185.89.210.90:443 | ib.adnxs.com | tcp |
| DE | 157.90.33.122:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| IE | 54.75.130.36:443 | s.cpx.to | tcp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| US | 8.8.8.8:53 | ag.gbc.criteo.com | udp |
| US | 8.8.8.8:53 | gem.gbc.criteo.com | udp |
| FR | 178.250.7.13:443 | dnacdn.net | tcp |
| FR | 185.235.86.44:443 | gem.gbc.criteo.com | tcp |
| NL | 185.235.87.182:443 | ag.gbc.criteo.com | tcp |
| US | 8.8.8.8:53 | 90.210.89.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.40.223.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.130.75.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.86.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.87.235.185.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | download.oxy.st | udp |
| RU | 185.178.208.137:443 | download.oxy.st | tcp |
| RU | 185.178.208.137:443 | download.oxy.st | tcp |
| DE | 51.89.9.253:443 | onetag-sys.com | udp |
| DE | 178.63.248.57:443 | uidsync.net | tcp |
| DE | 157.90.33.122:443 | uidsync.net | tcp |
| DE | 157.90.33.122:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | s1.oxy.st | udp |
| US | 104.21.234.183:443 | s1.oxy.st | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 95.101.143.19:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.234.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tmzr.themoneytizer.com | udp |
| US | 104.22.62.227:443 | tmzr.themoneytizer.com | tcp |
| FR | 178.250.7.13:443 | dnacdn.net | tcp |
| DE | 162.19.138.82:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 8.8.8.8:53 | id.crwdcntrl.net | udp |
| FR | 185.86.139.116:443 | ww1097.smartadserver.com | tcp |
| IE | 54.170.20.153:443 | id.crwdcntrl.net | tcp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| DE | 141.95.33.120:443 | lb.eu-1-id5-sync.com | tcp |
| US | 8.8.8.8:53 | 227.62.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.139.86.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.20.170.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.33.95.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| FR | 185.86.139.116:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| FR | 178.250.7.17:443 | csm.fr3.eu.criteo.net | tcp |
| US | 8.8.8.8:53 | 161.111.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e1b45169ebca0dceadb0f45697799d62 |
| SHA1 | 803604277318898e6f5c6fb92270ca83b5609cd5 |
| SHA256 | 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60 |
| SHA512 | 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e |
\??\pipe\LOCAL\crashpad_3528_MYQQDJSVQARDXOXI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9ffb5f81e8eccd0963c46cbfea1abc20 |
| SHA1 | a02a610afd3543de215565bc488a4343bb5c1a59 |
| SHA256 | 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc |
| SHA512 | 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1fe0a3896bd65ad23aaaafa7439e5b2c |
| SHA1 | 0bfa3f6f36b5d9d182a0b5bb86411398fe4f2225 |
| SHA256 | e0888b78bb8c3aa4a2e80ef1a05a9aadf032bb68b9eacff9dc8cea6f306937f8 |
| SHA512 | ba7a66fc17b3d6aa10ee498b1f136beb6e49b687c4d62d5a4f67a1bdf935b0b4cd0d4c97f332715e0491e674325813de603fd6581299578c57f029a1fb684b42 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\MANIFEST-000001
| MD5 | 3fd11ff447c1ee23538dc4d9724427a3 |
| SHA1 | 1335e6f71cc4e3cf7025233523b4760f8893e9c9 |
| SHA256 | 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed |
| SHA512 | 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 945bb67782bc41d3b38b9708fd718c13 |
| SHA1 | f817b6f9f3a855c5c898de628ba07a3edb91f323 |
| SHA256 | c7e3cacdcb16c05f29f0c6cb988aa9fccaf202a68fa01c912cb156bd3f6ad3fc |
| SHA512 | e3373a64210ca7b2f7bdb7a699b30f48f07deba1174a06138ce6df0cac42ea2d4d67b775460c3f919d5c29a5895c9f854eb8104f0c6bb636208315774a561924 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a46403b7b5ddc22d8585840be48a5d9e |
| SHA1 | 3cea85b0714d7f9ddab6fe5196294abb4a08fc76 |
| SHA256 | 2a80ee1d2345976cf828121cf19943a870807212d7dec0ba86bf1c114b9c8f2d |
| SHA512 | a0cf91ddd5d246290d8372880ac1ac6ec7b937976b3b6f0e893f2d3a322bb02b01590334916b4585e1f4bc74dc62faa7b0f2b74e0a7cc7dce77e6f6f9d099017 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6aef72009c46b9de28f58b478fac6f53 |
| SHA1 | 452ec20235c861eabf1f228179c17d240e358a8c |
| SHA256 | 70e6d0c174be5e6a328dd80a5c181e96f26ace3a927861d9474d48d3fd2ba5c0 |
| SHA512 | 991a8aeca718d21a3048746e00e8489d79468dea36179bb848a20ce3eca2b850afac7c3ea2838254ee99efc38aff9a30f655b5bcc24c580481bceaffe4b43b43 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ae32.TMP
| MD5 | 843fb019804bcd021b129435be3bb8c9 |
| SHA1 | 1e1c983efed39868318faf4bd8314fab6bcba670 |
| SHA256 | 59d1a6199dcb51ecd2ed1e45ef67f3e28219fee23af9402dbbad81004f14d3f2 |
| SHA512 | 513fc7d1208feb7c4d4763afb0a29c4b45b339d714fe2009c5d175b599598d5146ac0fe65456e8eb9bf60786f59d1053c0dc26b2d1b4911283334ce5c830591d |
C:\Users\Admin\Downloads\78788f5b-8c23-41ab-baf8-d608aa21cf90.tmp
| MD5 | 6a9a5f31a96c20e85e22cb045776980a |
| SHA1 | 3cb2fdce732325762042d825f17aec7cfd848977 |
| SHA256 | 77bff8fca26c5ead9ceae8825a168ce9d20da3a3bc2559d18fec0924ed89dc62 |
| SHA512 | 1002193605d184936ad75df4198ad6d79b52c2be38c215d2ae8eb1033c700e4bb655a9507ab6492fe995b4ab1094f2bf46dd58e4551dcd05d0ec708a2ed7f534 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 24c64c28cdf4bdfbfdbeb587be348bfa |
| SHA1 | aacaed2c4f914d4283933c71f5722d569882ebd1 |
| SHA256 | a4179c2cdb025e9e09df6d5758d0b659fb36b768aa06500cc737f1a5148b5385 |
| SHA512 | ad91bdc68eda84cd206d65b5214405d39132dc78f8bcea57bbc71581e5eaebb4c3a2dff6bc8adc040397200348d97dfa1c1c373132387da5c597db0d629059fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6f37e1de6043de097173c039cd2482bc |
| SHA1 | d93b47b37c6ddd244fedf1493086fa9b5ab5c8f0 |
| SHA256 | 7b82f317e337e15bb7c23417b3bb710846ef503fbc29fce319e3e0fbf613a617 |
| SHA512 | 3580b0c75e0c32d79ea38c4ad604c9ec4c5a8c50e5546fd5061330715eeced5675df3f04b693250672def9743a7a1858a82dc272c9be4cac19e08d94d8b6d466 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 260aaa8e284a39d64974f337fe99c76b |
| SHA1 | ef3831ee8295074face80ebf3372b61ca2e91266 |
| SHA256 | a5230ba8d67e569bcaed4cd3d747e9680cc408a678e773cfd501baac6d5aea7f |
| SHA512 | ee8196309added6fd5c3c990443e534254ebbfa622eb7a10decb60529e111f73586d793e7ee35afc0b3588939aad07f8c3b581abfd90fe90b9368bfc684960d1 |
C:\Users\Admin\AppData\Local\Temp\7zO420965F7\Пароль.txt
| MD5 | 957981fb7200394fa7c0a11300c6f074 |
| SHA1 | 1be0d470922fd41662ef3aadd7ac8c075f2226b7 |
| SHA256 | 503853cff57033cf26415c602644de3a2acc13ee5c1e731d34e5b2bdf7ab6618 |
| SHA512 | dea36c2d9e2cc23afa4da840bf41616983689e395807f5db640f4890febbe2db605a20dfc6fc44796a1331e2b1cbf9a091933a5cf6bc6c1fea7d3dc24dce14b9 |
C:\Users\Admin\AppData\Local\Temp\7zO42006F18\XBN.exe
| MD5 | 7d2f209505446a983e351cc4ae9065ff |
| SHA1 | f180d9f5704bd01d0d9498ad6f6ec4bff7565c65 |
| SHA256 | dab6c1af2a7c4dc1ea1b4b163b1e53657502cb347df28e265874b635aaa49f3e |
| SHA512 | ead7917c923f1c639443ce09efa4ffe3e0a400184bc57a4d693cdb804d2612badc4cc8c6b8edda97a1b857534b30dfdd59bf886676bea68801fc155187fcc45f |
memory/436-313-0x0000000000F00000-0x0000000000F1C000-memory.dmp
memory/436-314-0x00007FFFD4CB0000-0x00007FFFD5771000-memory.dmp
memory/872-327-0x00007FFFD4CB0000-0x00007FFFD5771000-memory.dmp
memory/5000-349-0x00007FFFD4CB0000-0x00007FFFD5771000-memory.dmp
memory/436-350-0x000000001BBE0000-0x000000001BBF0000-memory.dmp
memory/436-351-0x00007FFFD4CB0000-0x00007FFFD5771000-memory.dmp
memory/872-352-0x0000000001520000-0x0000000001530000-memory.dmp
memory/872-353-0x00007FFFD4CB0000-0x00007FFFD5771000-memory.dmp
memory/5000-354-0x0000000002440000-0x0000000002450000-memory.dmp
memory/5000-355-0x00007FFFD4CB0000-0x00007FFFD5771000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 673ca93a6bc25c48df292477c64fa296 |
| SHA1 | a08205674a94d38735f7d878a36f8ae9d9643d31 |
| SHA256 | 9931bef0d7bb0a6d075cd69b36e634d76416d31120d14361ea74c8358e1b3420 |
| SHA512 | 43bd0a642bd468bfc8ddd9d02cd9ddac6bfa495a81b9279ce7f2f356ada92756504a07756e6ef876f3a7914d673cd29ec6793240462f645db9b302ec9bb41331 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4b48f47a42942d9250bfd9958d33feb1 |
| SHA1 | 483edc6fa68a6f2e8e0ea37199de73a5cca5cd2a |
| SHA256 | f2b305d39e0a34b1703ada55168529cb551843ee3efc64c94ee1743e083bb0cd |
| SHA512 | bec079d67491ed903c58f3dfafae55a966b8cba4d9614ad1d73b4e3db15737f71fb06ebbdc9f70142edf756fabb4eed0835487da84a5954828a53a8a6a0cf764 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 3e013ab75276767f4640295c6a7fbf04 |
| SHA1 | 18fcdf5fb8c394b1aeb83747782f64d41bc387dc |
| SHA256 | e26a813dd0d41c230f9c49d3dfa2912030f1353662229c80fbcb19180acd1b69 |
| SHA512 | b35a8c7d9dd17d0ae6259ed34726e4e0c18cbca09dfa980208ac39f62e84f18b964a06253bcf941df76a0ac21e9fe279bb630e7e4895de5601235a6936b86c1c |
memory/5532-486-0x00007FFFD8730000-0x00007FFFD91F1000-memory.dmp
memory/5620-499-0x00007FFFD8730000-0x00007FFFD91F1000-memory.dmp
memory/5704-512-0x00007FFFD8730000-0x00007FFFD91F1000-memory.dmp
memory/5532-513-0x000000001BA30000-0x000000001BA40000-memory.dmp
memory/5532-514-0x00007FFFD8730000-0x00007FFFD91F1000-memory.dmp
memory/5620-515-0x000000001AE00000-0x000000001AE10000-memory.dmp
memory/5620-516-0x00007FFFD8730000-0x00007FFFD91F1000-memory.dmp
memory/5704-517-0x00000000008E0000-0x00000000008F0000-memory.dmp
memory/5704-518-0x00007FFFD8730000-0x00007FFFD91F1000-memory.dmp