Analysis Overview
SHA256
57eb4ed10c1eee0b3b58bd99e1eb753f0ee431d3d60db74a15fdf69255c8f87e
Threat Level: Likely malicious
The file 846ed8c626ee996586ebdd090a3b4bbb_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Registers COM server for autorun
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Checks system information in the registry
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Enumerates system info in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 14:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 14:14
Reported
2024-05-30 14:17
Platform
win7-20240508-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\Atom\\Application\\12.0.0.26\\notification_helper.exe\"" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\Atom\\Application\\12.0.0.26\\notification_helper.exe" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\loader_ldir_259404624\loader.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159} | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\Application | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.shtml | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xht | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\Atom\\Application\\12.0.0.26\\notification_helper.exe\"" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\Application\ApplicationName = "Atom" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\Application\ApplicationDescription = "Access the Internet" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\shell | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\shell\open\command | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.pdf | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.webp | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\Application\ApplicationCompany = "Mail.Ru Group" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\Application\AppUserModelId = "Atom.STWQV3M7MXGZP5IVNOLQBD3KSU" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.html | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.svg | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Wow6432Node\CLSID\{635EFA6F-08D6-4EC9-BD14-8A0FDE975159}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\Atom\\Application\\12.0.0.26\\notification_helper.exe" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xhtml | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\ = "Atom HTML Document" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\Atom\\Application\\atom.exe,0" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\shell\open | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\Atom\\Application\\atom.exe\" --single-argument %1" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AtomHTML.STWQV3M7MXGZP5IVNOLQBD3KSU\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\Atom\\Application\\atom.exe,0" | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.htm | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … | C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\loader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\loader.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader_ldir_259404624\loader.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\846ed8c626ee996586ebdd090a3b4bbb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\846ed8c626ee996586ebdd090a3b4bbb_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\loader_ldir_259404624\loader.exe
"C:\Users\Admin\AppData\Local\Temp\\loader_ldir_259404624\loader.exe" --cp
C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\loader.exe
"C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\loader.exe" --arf=1 --rfr=500999 --ga-tid=UA-122680070-1 --ga-cid= --usagestats=1 --ext_params=old_mr1lad=5e7122ed298b202b-2985447_2013043_02.500999-2985447_2013043_02.500999-2985447_2013043_02.500999 --onboarding-pages=import,devices,vk,shortcuts,backgrounds,ntp_settings,security,stats "--ntp-settings={\"feedEnable\": true, \"searchEnable\": true, \"historyEnable\": true, \"noteEnable\": true, \"widgetMailEnable\": true, \"widgetOkEnable\": true, \"widgetVkEnable\": false, \"widgetCrownEnable\": false, \"gamePanelEnable\": false}" --rmt-onboarding=https://browserdata.cdnmail.ru/atom_welcome_page/v7/page-2-base/ --force-restore-on-startup-last --enable-features=TabSeparators,AutoSync
C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\CHROME.PACKED.7Z" --arf=1 --rfr=500999 --ga-tid=UA-122680070-1 --ga-cid= --usagestats=1 --ext_params=old_mr1lad=5e7122ed298b202b-2985447_2013043_02.500999-2985447_2013043_02.500999-2985447_2013043_02.500999 --onboarding-pages=import,devices,vk,shortcuts,backgrounds,ntp_settings,security,stats "--ntp-settings={\"feedEnable\": true, \"searchEnable\": true, \"historyEnable\": true, \"noteEnable\": true, \"widgetMailEnable\": true, \"widgetOkEnable\": true, \"widgetVkEnable\": false, \"widgetCrownEnable\": false, \"gamePanelEnable\": false}" --rmt-onboarding=https://browserdata.cdnmail.ru/atom_welcome_page/v7/page-2-base/ --force-restore-on-startup-last --enable-features=TabSeparators,AutoSync
C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Crashpad" --url=https://browser.mail.ru/cr/report --annotation=ProductName=Atom --annotation=Version=12.0.0.26 --annotation=bid={4BF79364-4359-47CC-8A7C-75BD5D3290C9} --annotation=plat=Win32 --annotation=prod=Atom --annotation=ver=12.0.0.26 --initial-client-data=0x188,0x18c,0x190,0x15c,0x194,0x14db2f8,0x14db308,0x14db314
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --installer-launcher --enable-features=TabSeparators,AutoSync --onboarding-pages=import,devices,vk,shortcuts,backgrounds,ntp_settings,security,stats --ntp-settings="{\"feedEnable\": true, \"searchEnable\": true, \"historyEnable\": true, \"noteEnable\": true, \"widgetMailEnable\": true, \"widgetOkEnable\": true, \"widgetVkEnable\": false, \"widgetCrownEnable\": false, \"gamePanelEnable\": false}" --rmt-onboarding=https://browserdata.cdnmail.ru/atom_welcome_page/v7/page-2-base/ --force-restore-on-startup-last
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data" --url=https://browser.mail.ru/cr/report --annotation=ProductName=Atom --annotation=Version=12.0.0.26 --annotation=bid={4BF79364-4359-47CC-8A7C-75BD5D3290C9} --annotation=plat=Win32 --annotation=prod=Atom --annotation=ver=12.0.0.26 --initial-client-data=0xdc,0xe0,0xe4,0xb0,0xe8,0x717b0768,0x717b0778,0x717b0784
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1204 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=gpu-process --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1248 /prefetch:2
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1960 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1788 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2188 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1964 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3760 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=gpu-process --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1328 /prefetch:2
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3560 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=renderer --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6672 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1140 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1616 /prefetch:8
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
"C:\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 --enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp --disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 /prefetch:8
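The process list above is long because Chromium-based browsers such as Mail.Ru Atom start one child per renderer, utility service and GPU role, each labelled by `--type` and `--utility-sub-type`. The following script is an added example (not part of the sandbox report and not the Atom project's own code) that parses those command lines and gives the breakdown a triager actually wants: how many processes per role, which utility services were started, and which ran with `--service-sandbox-type=none`. The sample command lines are a constructed subset of the ones reported above, trimmed of switches that do not affect the summary.

```python
"""Summarise Chromium child-process command lines from a sandbox report."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# A quoted image path or any run of non-whitespace. Windows command lines are
# not POSIX shell syntax, so shlex is deliberately not used here.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

ATOM = '"C:\\Users\\Admin\\AppData\\Local\\Mail.Ru\\Atom\\Application\\atom.exe"'
COMMON = ("--field-trial-handle=1184,4204090284767333846,16269357731868704570,131072 "
          "--enable-features=AutoSync,Marusya,MyAdBlocker,TabSeparators,ToolPanel,VkMusic,VkNotify,WhatsApp "
          "--disable-features=Channel,Dashboard,FeaturePromotion,LocationBarPIP,MySearchContext,TaskbarCounter")

# Constructed sample: six of the command lines listed in the report, shortened.
SAMPLE_CMDLINES: List[str] = [
    f"{ATOM} --type=renderer {COMMON} --lang=en-US --device-scale-factor=1 "
    f"--renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1",
    f"{ATOM} --type=renderer {COMMON} --lang=en-US --extension-process --device-scale-factor=1 "
    f"--renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:1",
    f"{ATOM} --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService {COMMON} "
    f"--lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3760 /prefetch:8",
    f"{ATOM} --type=gpu-process {COMMON} --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1328 /prefetch:2",
    f"{ATOM} --type=utility --utility-sub-type=chrome.mojom.UtilWin {COMMON} "
    f"--lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6672 /prefetch:8",
    f"{ATOM} --type=utility --utility-sub-type=chrome.mojom.UtilWin {COMMON} "
    f"--lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:8",
]


@dataclass
class ChildProcess:
    image: str
    kind: str                                              # --type value, "browser" when absent
    switches: Dict[str, Union[str, bool]] = field(default_factory=dict)  # --k=v -> v, bare --flag -> True
    prefetch: Optional[str] = None                         # Windows /prefetch:N argument


def parse_cmdline(cmdline: str) -> ChildProcess:
    """Split one command line into image path, process type and switches."""
    tokens = TOKEN_RE.findall(cmdline)
    proc = ChildProcess(image=tokens[0].strip('"'), kind="browser")
    for tok in tokens[1:]:
        if tok.startswith("--"):
            key, sep, value = tok[2:].partition("=")
            proc.switches[key] = value if sep else True
        elif tok.startswith("/prefetch:"):
            proc.prefetch = tok.split(":", 1)[1]
    proc.kind = str(proc.switches.get("type", "browser"))
    return proc


def summarize(cmdlines: List[str]) -> dict:
    """Counts per role, utility services, unsandboxed services, enabled features."""
    procs = [parse_cmdline(c) for c in cmdlines]
    by_type = Counter(p.kind for p in procs)
    utility_subtypes = Counter(str(p.switches["utility-sub-type"])
                               for p in procs if p.kind == "utility" and "utility-sub-type" in p.switches)
    unsandboxed = sorted({str(p.switches.get("utility-sub-type", p.kind))
                          for p in procs if p.switches.get("service-sandbox-type") == "none"})
    extension_renderers = sum(1 for p in procs
                              if p.kind == "renderer" and p.switches.get("extension-process") is True)
    features = set()
    for p in procs:
        enabled = p.switches.get("enable-features")
        if isinstance(enabled, str) and enabled:
            features.update(enabled.split(","))
    return {
        "images": sorted({p.image for p in procs}),
        "by_type": dict(by_type),
        "utility_subtypes": dict(utility_subtypes),
        "unsandboxed": unsandboxed,
        "extension_renderers": extension_renderers,
        "enabled_features": sorted(features),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

In the report's own data the only children launched with `--service-sandbox-type=none` are the `chrome.mojom.UtilWin` utility processes, which is how upstream Chromium starts that service, so that switch on its own says nothing about the sample; the `--enable-features` list (Marusya, VkMusic, VkNotify, WhatsApp) is what identifies the binary as the Mail.Ru build rather than stock Chromium.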
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mrds.mail.ru | udp |
| RU | 95.163.50.150:80 | mrds.mail.ru | tcp |
| US | 8.8.8.8:53 | browser.cdnmail.ru | udp |
| RU | 95.163.50.150:80 | mrds.mail.ru | tcp |
| RU | 5.181.61.0:443 | browser.cdnmail.ru | tcp |
| RU | 95.163.50.150:80 | mrds.mail.ru | tcp |
| US | 8.8.8.8:53 | bs.browser.mail.ru | udp |
| RU | 5.61.236.211:443 | bs.browser.mail.ru | tcp |
| US | 8.8.8.8:53 | bs.browser.mail.ru | udp |
| US | 8.8.8.8:53 | data.browser.mail.ru | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| RU | 5.61.236.211:443 | data.browser.mail.ru | tcp |
| RU | 5.61.236.211:443 | data.browser.mail.ru | tcp |
| RU | 5.61.236.211:443 | data.browser.mail.ru | tcp |
| RU | 5.61.236.211:443 | data.browser.mail.ru | tcp |
| RU | 5.61.236.211:443 | data.browser.mail.ru | tcp |
| US | 8.8.8.8:53 | r2---sn-aigl6nz7.gvt1.com | udp |
| GB | 74.125.168.103:443 | r2---sn-aigl6nz7.gvt1.com | udp |
| GB | 74.125.168.103:443 | r2---sn-aigl6nz7.gvt1.com | tcp |
| RU | 5.61.236.211:443 | data.browser.mail.ru | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.27.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | top-fwz1.mail.ru | udp |
| RU | 95.163.52.67:443 | top-fwz1.mail.ru | tcp |
| US | 8.8.8.8:53 | ad.mail.ru | udp |
| US | 8.8.8.8:53 | vc.go.mail.ru | udp |
| US | 8.8.8.8:53 | service.browser.mail.ru | udp |
| US | 8.8.8.8:53 | stat.browser.mail.ru | udp |
| RU | 95.163.52.232:443 | vc.go.mail.ru | tcp |
| RU | 5.61.236.211:443 | service.browser.mail.ru | tcp |
| RU | 217.69.136.245:443 | stat.browser.mail.ru | tcp |
| RU | 217.69.136.245:443 | stat.browser.mail.ru | tcp |
| RU | 5.61.236.211:443 | service.browser.mail.ru | tcp |
| RU | 95.163.41.56:443 | ad.mail.ru | tcp |
| RU | 95.163.41.56:443 | ad.mail.ru | tcp |
| US | 8.8.8.8:53 | mail.ru | udp |
| US | 8.8.8.8:53 | data-ntp.browser.mail.ru | udp |
| US | 8.8.8.8:53 | vk.com | udp |
| RU | 94.100.180.201:443 | mail.ru | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 5.61.236.211:443 | data-ntp.browser.mail.ru | tcp |
| RU | 5.61.236.211:443 | data-ntp.browser.mail.ru | tcp |
| US | 8.8.8.8:53 | go3.imgsmail.ru | udp |
| RU | 5.61.236.210:443 | go3.imgsmail.ru | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | recostream.go.mail.ru | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| RU | 5.61.236.241:443 | recostream.go.mail.ru | tcp |
| US | 8.8.8.8:53 | rs.mail.ru | udp |
| US | 8.8.8.8:53 | r.mradx.net | udp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| RU | 5.255.255.77:443 | yandex.ru | tcp |
| RU | 95.163.52.80:443 | r.mradx.net | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| GB | 142.250.200.46:443 | N/A | tcp |
| GB | 163.70.151.35:443 | N/A | tcp |
| RU | 5.61.236.210:443 | go3.imgsmail.ru | tcp |
| RU | 5.61.236.210:443 | go3.imgsmail.ru | tcp |
| RU | 5.61.236.210:443 | go3.imgsmail.ru | tcp |
| RU | 5.61.236.210:443 | go3.imgsmail.ru | tcp |
| RU | 5.61.236.210:443 | go3.imgsmail.ru | tcp |
| RU | 5.61.236.243:443 | N/A | tcp |
| RU | 95.163.52.80:443 | r.mradx.net | tcp |
| RU | 95.163.54.50:443 | N/A | tcp |
| RU | 178.154.131.215:443 | N/A | tcp |
| RU | 178.154.131.215:443 | N/A | tcp |
| RU | 87.250.247.181:443 | N/A | tcp |
| RU | 93.158.134.119:443 | N/A | tcp |
| RU | 77.88.21.179:443 | N/A | tcp |
| RU | 178.154.131.215:443 | N/A | tcp |
| RU | 178.154.131.215:443 | N/A | tcp |
| RU | 178.154.131.215:443 | N/A | tcp |
| RU | 178.154.131.215:443 | N/A | tcp |
| RU | 178.154.131.215:443 | N/A | tcp |
| RU | 5.61.236.241:443 | recostream.go.mail.ru | tcp |
| RU | 95.163.41.50:443 | N/A | tcp |
| RU | 95.163.41.50:443 | N/A | tcp |
| RU | 95.163.41.50:443 | N/A | tcp |
| RU | 95.163.41.50:443 | N/A | tcp |
| RU | 95.163.41.50:443 | N/A | tcp |
| RU | 95.163.41.50:443 | N/A | tcp |
| RU | 93.158.134.119:443 | N/A | tcp |
| RU | 87.250.250.90:443 | N/A | tcp |
| RU | 77.88.44.66:443 | yandex.ru | tcp |
| RU | 87.250.250.90:443 | N/A | tcp |
| RU | 77.88.21.119:443 | N/A | tcp |
| GB | 172.217.169.3:443 | N/A | tcp |
| RU | 95.163.50.150:80 | mrds.mail.ru | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| GB | 216.58.204.67:443 | N/A | tcp |
| RU | 217.69.139.253:443 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\loader_ldir_259404624\loader.exe
| MD5 | 846ed8c626ee996586ebdd090a3b4bbb |
| SHA1 | 5c44f8d14582849e61d6383d0bafcd157a7d4382 |
| SHA256 | 57eb4ed10c1eee0b3b58bd99e1eb753f0ee431d3d60db74a15fdf69255c8f87e |
| SHA512 | 94a57f410f46aafe22e658e70dc8c062308d652f3e1e2e8a90106fda8280b8df0b5a5f04782fd49edefa3dbeffa102f175cb15cdd4149bb4b1bf20c3d998a57f |
memory/2056-7-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/2056-31-0x00000000000B0000-0x00000000000B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe
| MD5 | 27e7cde8d4f3a152d7b0cba18d4df622 |
| SHA1 | 6e29fc9005ba9bba31694f7e5e9b5f77c1c4cdad |
| SHA256 | 63ca657168bcb69d0d69ebe76ed312e6ac15b63d5cf14527f01fe33ddee7859b |
| SHA512 | d258702557cb43650d88f54ca7cee25b826676e68d64bb1ca03752e072edab0badf51f6aee386aded546336a2b52d3f971925d95d5b8d035cc1cab235f3f146d |
C:\ProgramData\Mail.Ru\Id
| MD5 | 8e01398b6d6c4fa04b253625b1c3ccb4 |
| SHA1 | 46a64114fca5bfbedfdf93c8b677bc30a18fcb56 |
| SHA256 | 9bc2d1b551d9801ecef29cb90835047fba568849b736be9194c01c2e84ff48e1 |
| SHA512 | d859fa314868fbf858c441f00e58b9bb1b2f0f7f0e071e0ee9afce5556e12d78fb32cd0e7cd0f1a82d57947066d053a3318ed64c57912d8157137cffb6b7d3d4 |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Crashpad\settings.dat
| MD5 | d5e81d5b6ca4ffced8a4a3bd6a8818b7 |
| SHA1 | 9546aae69b43bbf79533cf849ed775d2fdab88f3 |
| SHA256 | c36da92aea19168aa88376f82f518cf84d55a15e23368c3b268cb0ad976af2a9 |
| SHA512 | fd93991340668a9ba31e836091512e1eeb3093fe0f55b5b1c30df52d3b8aa18348602a37e58c2c021fab0dc18bddf163ffe3d4aaed433f2c9d3b47ad24c1dc51 |
\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\atom.exe
| MD5 | 7038258300148103e5ee34b6841e32c2 |
| SHA1 | a1b8f1d64d5f4cdfcb3bf4a12dba908a8b77f6df |
| SHA256 | a684a34cc24d66ad5a913ac5b86487d2dcc910e2feeb715bae653350d57765c0 |
| SHA512 | 49eb575e31cbf7d496ef770b52d4806ba92036db9e27ac99d04c57b790c5a621a315cc5fedb04749d02200c8336346dc7435e67303d983b21b476c5fd7440aa9 |
C:\Users\Admin\Desktop\Atom.lnk
| MD5 | c2ac928ef869a791d38a3b540563d82e |
| SHA1 | 2d89d20f281d3520cc27509c17eb45fef31d2578 |
| SHA256 | a09eeb357f353a6183b1f426e59712521fe101ae2f9383db98aec91064fba7ee |
| SHA512 | 261cd131f0e328df278c34e9999ad262195ca703c428800b3c4ead847b8ab1b7c30f9bcfc484f3e058d0370e83babaa8cff968f764f52911bb75f7277c7599f5 |
\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\12.0.0.26\chrome_elf.dll
| MD5 | b9f38b3219b06729b73a207ef3cb1e4b |
| SHA1 | edb74a6e6653efd7583a99fa87ed5187ffc729b7 |
| SHA256 | 4506aa8ee25bf9da429ffb08a484137f5f0f25e80f96c46b8fccefd7abe2c3ef |
| SHA512 | 17ea65513f9a15ad3a00eea2c007ffe904f6387f74599c1cde1933fcda5af3e151e9edc2c113f5b3052478b4880892822c89894510dfa9669a964e776b154f70 |
memory/1564-149-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
\??\pipe\crashpad_1544_PMXLIKFQVDZXZWOW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\12.0.0.26\libEGL.dll
| MD5 | 33bcd65c28295b2394e58188aeed3158 |
| SHA1 | 91bed8ee928ac847e9f4001770545445388ea1f2 |
| SHA256 | b7ee65a5c4af904d5fadf161ed9cbdc1fd8971047d4f23102525ae7914d88b65 |
| SHA512 | 8675ece3f0a258b13baece86d18c8d0dd5b130a39b4ab980e13d6ac77f135e312c4c9431e9460439854e61ae9b9a8cd0954c337f5dc46ec3b5c1fe4069bd823d |
\Users\Admin\AppData\Local\Mail.Ru\Atom\Application\12.0.0.26\libGLESv2.dll
| MD5 | 9e54e458ff38f0f228b7ea58701c8172 |
| SHA1 | 825539c7d7e8e99e008afc177f179dc120525c48 |
| SHA256 | aef0540fd7ee80d471d80708528913cd20a38d2c88a7d960e478224617992b22 |
| SHA512 | 9ac067531af2e355d0eaeb411dcb53e704e3f9fbaa42a93ec51a3c8c4f4cf4ffa9d688b99f26d29ea5972d35cba1c6a5746ccaea2d3c350f4a33e25065961e2d |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Default\Site Characteristics Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Default\Extension State\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Default\20911c55-1905-4648-b508-dd54ff492ffd.tmp
| MD5 | e114e0b8a821eb2d6c8825be1299275f |
| SHA1 | d3d7e34fc62565ef1c7ed2eb1fab2e106194b0ca |
| SHA256 | 5f232a28f2d7ada53a622c84ac72272d1bc02c1252181ff75631d591752d3d93 |
| SHA512 | f14c610f768e52e43ab8041f224f4ae60285697e88e1ec6e09559e51f48fe9b9024f3a4821ac17b02685d3c5ec49863fd86a25af97f6365588d2ba2a31fb9ab8 |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Default\cccc3268-053b-4333-9959-5a8866dfff06.tmp
| MD5 | e49350eb5fb63d83bf7e550e3223f3c0 |
| SHA1 | 69c877cd4067392a09ca2700fb488cf87ec3f792 |
| SHA256 | f8de166525568f11556173f71cb4c135e7010a0242e5339ceefffe692fc0ac36 |
| SHA512 | 409f6bf0ab3d988ea2052bf1795d8a1862fc700f2ea834cbb37ea13bcfb9c8cc946c623ab3e191a1101afeb67acf00e140514691afe8b1588e9cd191e8c454f1 |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\ShaderCache\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\ShaderCache\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\ShaderCache\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Temp\Cab50FD.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar527B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 66488c2a5caeec6d1204c68218eee08f |
| SHA1 | d7daf47f7a6c57fb8a8276ab623ca709061264c7 |
| SHA256 | bc9a893e9a5933fc489233bb2ff15d017b58b96c12c4434727202bbd795325fb |
| SHA512 | 4751e57c43a153db2bf35c8e02ffe4eecb891ccf8e6db2ef953b9662b2cec9b80da2c24695e07097e1e228a6bbf379f5f9c357b46a20744624762768c405c58b |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Default\261400db-7db9-4c2d-aad9-dfd75eaa3491.tmp
| MD5 | 94e20ccb900e9094dadb43676e0559dd |
| SHA1 | 84ad9b776f77634e899f3c8102660f3dfbc70343 |
| SHA256 | 79cc28b6be4f79aeef275c8f4917d95c71daa73e8193ac4f34a2e25a872f9ed8 |
| SHA512 | f5ac42ebc1c122e30f6852f603602c71cc787adafa16baee1576fb112d047b7068a5549127d2071b1458141f6d92ac3492bd97ddf3e5b0d41e7b660f70579185 |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Local State
| MD5 | cd7ac007ffb88aa707f278aef1549995 |
| SHA1 | 08adda00bf5cd2367fd0cc5f566d6eec05fcfa89 |
| SHA256 | 41f6398ac167bb34b772e272f5a73a90256396105b5731bd74fe59893c2f0d80 |
| SHA512 | 8dd57f7186ada88aa36e53f540f9792241c918427fb3966b22fe88d48ec36ab42b78fe816c5b69536cc8779b409124eb46252e9ca03a301805805b8d4e3baa31 |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Local State
| MD5 | 3d421da5d6d8febcf18fbcef05ada53d |
| SHA1 | 51b96a46743ceb1ff5ebd97e4d7b02c502452e25 |
| SHA256 | b24ba3b47218c0736838203368aa2979016cf5be022605dcec9bb30854c8e062 |
| SHA512 | fef827c7092601af71e927aa45c908ba00d70773c9d9be8385ed791539912a57c9b99213e6f26351fc38180b5cfbed898ea70e5e8f31140234894a0d5feb05f1 |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Default\Preferences
| MD5 | 33225118a143b0b9ffe4155934bc4062 |
| SHA1 | 40c249c62b6de28050565b58288f70c6050899ed |
| SHA256 | 43c66820b1e782790100b6edc39f725748199bd54802799e24e506c5d39710a1 |
| SHA512 | 19619fddf90e91c84ecdf7142a7ca7b8cc6d1537878c1ceb190ebe32614435632497b5c1d7472e29a2033fb74fd9d252ce083ccd72301e69dfdb62d7118d873f |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Module Info Cache
| MD5 | 8ae1f1a991e3448af3bc6c7f7716f7b4 |
| SHA1 | 18dca707757239cd6d65199738a9ae9bab0d31ad |
| SHA256 | 1b1531b4c906df201b33d3086af7a34426e8b2846ed118af09840a81cdcfaae8 |
| SHA512 | c3db2f3c41b0c8ce1954043dbee9fce55c11917094d2231096b9a49fe78e687e9b0dc06209df0cf2ff1df7c79ecacd95e5eefd3d98c1870adabea6993d27bfed |
C:\Users\Admin\AppData\Local\Mail.Ru\Atom\User Data\Default\Network Persistent State
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 14:14
Reported
2024-05-30 14:17
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
157s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader_ldir_240598906\loader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader_ldir_240598906\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loader_ldir_240598906\loader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3924 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\846ed8c626ee996586ebdd090a3b4bbb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\loader_ldir_240598906\loader.exe |
| PID 3924 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\846ed8c626ee996586ebdd090a3b4bbb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\loader_ldir_240598906\loader.exe |
| PID 3924 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\846ed8c626ee996586ebdd090a3b4bbb_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\loader_ldir_240598906\loader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\846ed8c626ee996586ebdd090a3b4bbb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\846ed8c626ee996586ebdd090a3b4bbb_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\loader_ldir_240598906\loader.exe
"C:\Users\Admin\AppData\Local\Temp\\loader_ldir_240598906\loader.exe" --cp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mrds.mail.ru | udp |
| RU | 95.163.50.150:80 | mrds.mail.ru | tcp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.50.163.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.179:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.179:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\loader_ldir_240598906\loader.exe
| MD5 | 846ed8c626ee996586ebdd090a3b4bbb |
| SHA1 | 5c44f8d14582849e61d6383d0bafcd157a7d4382 |
| SHA256 | 57eb4ed10c1eee0b3b58bd99e1eb753f0ee431d3d60db74a15fdf69255c8f87e |
| SHA512 | 94a57f410f46aafe22e658e70dc8c062308d652f3e1e2e8a90106fda8280b8df0b5a5f04782fd49edefa3dbeffa102f175cb15cdd4149bb4b1bf20c3d998a57f |
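The Network and Files tables of both detonations are what an analyst turns into indicators, and two details of this report make that non-trivial: a number of Network rows have no Domain value (the report then prints the protocol in the Domain column, or drops the trailing pipe), and the dropped `loader.exe` in both runs carries the same SHA256 as the submitted sample, i.e. the first stage is a self-copy re-launched with `--cp`. The script below is an added example (not part of the report and not any vendor's tooling) that parses both table formats as they appear above, tolerates the malformed rows, separates DNS lookups and sandbox noise (reverse `in-addr.arpa` lookups, mDNS to 224.0.0.251) from real connections, and flags dropped files whose hash matches the root sample. Treating PTR queries and multicast as noise is the editor's heuristic, not a rule stated by the report; the sample rows and file entries are constructed from lines of the report and include the malformed ones on purpose.

```python
"""Turn a sandbox report's Network and Files tables into IOC sets."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: rows copied from the Network tables above, including
# a row with an empty Domain cell and one with the trailing pipe missing.
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mrds.mail.ru | udp |
| RU | 95.163.50.150:80 | mrds.mail.ru | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 5.61.236.211:443 | data.browser.mail.ru | tcp |
| RU | 5.61.236.211:443 | service.browser.mail.ru | tcp |
| RU | 178.154.131.215:443 | tcp | |
| RU | 217.69.139.253:443 | tcp
| US | 8.8.8.8:53 | top-fwz1.mail.ru | udp |
""".strip().splitlines()

# Constructed sample: two Files entries from the report (SHA512 rows omitted).
FILE_LINES = r"""
C:\Users\Admin\AppData\Local\Temp\loader_ldir_240598906\loader.exe
| MD5 | 846ed8c626ee996586ebdd090a3b4bbb |
| SHA1 | 5c44f8d14582849e61d6383d0bafcd157a7d4382 |
| SHA256 | 57eb4ed10c1eee0b3b58bd99e1eb753f0ee431d3d60db74a15fdf69255c8f87e |
\Users\Admin\AppData\Local\Temp\mini_loader_scoped_dir_1717078493\CR_903A1.tmp\setup.exe
| MD5 | 27e7cde8d4f3a152d7b0cba18d4df622 |
| SHA256 | 63ca657168bcb69d0d69ebe76ed312e6ac15b63d5cf14527f01fe33ddee7859b |
""".strip().splitlines()

ROOT_SHA256 = "57eb4ed10c1eee0b3b58bd99e1eb753f0ee431d3d60db74a15fdf69255c8f87e"  # submitted sample
PROTOS = {"tcp", "udp"}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")


def parse_network_row(row: str) -> Optional[Tuple[str, str, int, Optional[str], str]]:
    """Return (country, ip, port, domain_or_None, proto); None for headers/junk."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    cells = [c for c in cells if c]                 # drops the empty cell of malformed rows
    if len(cells) == 4:
        country, dest, domain, proto = cells
    elif len(cells) == 3 and cells[2] in PROTOS:    # Domain cell missing entirely
        country, dest, proto = cells
        domain = None
    else:
        return None
    if proto not in PROTOS:                          # header row
        return None
    ip, _, port = dest.rpartition(":")              # IPv4 only, as in this report
    ipaddress.ip_address(ip)                         # raises ValueError on junk
    return country, ip, int(port), domain or None, proto


def extract_iocs(rows: List[str]) -> dict:
    """Split rows into connections (with attributed domains), DNS-only names and noise."""
    lookups = set()                                  # names asked of the resolver
    noise: List[str] = []                            # PTR lookups and multicast, kept for the record
    connections: Dict[Tuple[str, int], set] = defaultdict(set)
    for row in rows:
        parsed = parse_network_row(row)
        if parsed is None:
            continue
        _, ip, port, domain, proto = parsed
        if ipaddress.ip_address(ip).is_multicast:
            noise.append(row.strip())
            continue
        if port == 53 and proto == "udp":
            if domain and domain.endswith(".in-addr.arpa"):
                noise.append(row.strip())            # sandbox reverse lookups, not sample behaviour
            elif domain:
                lookups.add(domain)
            continue
        endpoints = connections[(ip, port)]
        if domain:
            endpoints.add(domain)
    resolved = {d for ds in connections.values() for d in ds}
    return {
        "endpoints": {k: sorted(v) for k, v in connections.items()},
        "unattributed": sorted(f"{ip}:{port}" for (ip, port), ds in connections.items() if not ds),
        "dns_only": sorted(lookups - resolved),
        "noise": noise,
    }


def parse_files(lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Group a path line with the hash rows that follow it."""
    files: List[Tuple[str, Dict[str, str]]] = []
    current: Optional[Tuple[str, Dict[str, str]]] = None
    for line in lines:
        line = line.strip()
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
        elif line and not line.startswith("|"):
            current = (line, {})
            files.append(current)
    return files


def dropped_copies_of(files: List[Tuple[str, Dict[str, str]]], sha256: str) -> List[str]:
    """Paths of dropped files that are byte-identical to the given sample hash."""
    return [path for path, hashes in files if hashes.get("SHA256") == sha256]


if __name__ == "__main__":
    print(extract_iocs(NETWORK_ROWS))
    print(dropped_copies_of(parse_files(FILE_LINES), ROOT_SHA256))
```

The `unattributed` list is the part worth a second look: endpoints the sandbox saw a TCP connection to without recording a name for them, which is exactly the set an analyst has to resolve by hand (passive DNS, TLS SNI from the pcap) before deciding whether they are more Mail.Ru/Yandex infrastructure or something else.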