Analysis Overview
Threat Level: Known bad
The file https://oxy.name/d/CdMh was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Executes dropped EXE
Looks up external IP address via web service
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 18:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 18:26
Reported
2024-03-28 18:27
Platform
win10v2004-20240226-en
Max time kernel
70s
Max time network
67s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO4D2EF197\XBN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO4D20A8E7\XBN.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO4D2EF197\XBN.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO4D20A8E7\XBN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.name/d/CdMh
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe87b846f8,0x7ffe87b84708,0x7ffe87b84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4976 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Roblox Cheat.zip"
C:\Users\Admin\AppData\Local\Temp\7zO4D2EF197\XBN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4D2EF197\XBN.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7zO4D20A8E7\XBN.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4D20A8E7\XBN.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
Files