Analysis Overview
SHA256
3f518b753770e92d4300efcac94c41c4957becefd19363f1cbe5d4c27fccfd31
Threat Level: Likely malicious
The file 0e1fcae1d1369a8a1e87eae3287b97cc_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Checks BIOS information in registry
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Browser Information Discovery
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Analysis: static1
Detonation Overview
Reported
2024-10-03 05:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 05:24
Reported
2024-10-03 05:27
Platform
win7-20240903-en
Max time kernel
134s
Max time network
127s
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "116" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "147" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "12" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "39" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "147" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "59" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "12" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "116" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1034" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D251DC41-8147-11EF-8632-EAF933E40231} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "102" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "87" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "59" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "102" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434094962" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "59" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "87" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "879" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000d2209f8b93356e084de07e2d3533b947ad44db2e68fb172d1a8b183be7f7d763000000000e80000000020000200000007f5a2fb58098ef665ebf2bb0f4bc234d5ddc8c2cb345b8d2b0d27c7621c0066b2000000093b10a189b1522ecb27c4b71169d6935991719fcb3b9256dd4fb42b5109c2b254000000075cb964522ddaab6d4686ab4a2434a73615f426b2ff48eaa981a548c30e462c0b73090b65f463476bf37dc1ae7135b72549f787953470184a9510251cc0d5042 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "39" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "879" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "39" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "102" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "879" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "87" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "147" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "12" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "9" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2724 wrote to memory of 2792 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2724 wrote to memory of 2792 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2724 wrote to memory of 2792 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2724 wrote to memory of 2792 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\PHILka.RU.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | philka.ru | udp |
| EE | 46.36.218.110:80 | philka.ru | tcp |
| EE | 46.36.218.110:80 | philka.ru | tcp |
| EE | 46.36.218.110:443 | philka.ru | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.philka.ru | udp |
| EE | 46.36.218.110:80 | www.philka.ru | tcp |
| EE | 46.36.218.110:80 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.212.227:80 | c.pki.goog | tcp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| RU | 93.158.134.119:443 | mc.yandex.ru | tcp |
| RU | 93.158.134.119:443 | mc.yandex.ru | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
| MD5 | bc266f8ebde1316fdc370a0f9909f459 |
| SHA1 | bfd5edfd2d55397bff425698079a04f2a37471a1 |
| SHA256 | b6472f5571828e4517e2696434a9762c05ddf95b862ebda97cb798952c64a5cd |
| SHA512 | 99e814920c3b3da78a660810bf9a0d2d83bf5c26e05d0a7202879e2b3219031f7f20a6f41d5f046c915095a299c3097616f322a0644a48bb1495e76a646d1918 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6fa8b22f9cf13d7524a3ce98cd01aa62 |
| SHA1 | 3f34595ceadad982eeb2b61cb93452d90baf37da |
| SHA256 | 7eb6466484e7d83e076296a947c4d7ebf80cf280b390be82515f33b1563cbaee |
| SHA512 | c0bf508b433fa6372fb42d956b0330ef1bece78986466854751462fd508b5508280ede47cc196c32bf19c9ea0d927bfe92e845f9b01fd7bb7ec6656b70055640 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3f00a6f96b898172065934c31f2d49fb |
| SHA1 | a0748d7bc61dc70637729f2dcb5775882af0f1c6 |
| SHA256 | fb434099c761d18efb103a590d9da9a97c609e1deac4162b9a50c0f571b1473e |
| SHA512 | c5b6966af2145a1d18ee09625d8713a71972cac5879b96f39bd3aa9eadabbd517801689b1a77c2f8b96c3aa36a28d76a3724fda81178fdbb69b8629e66beb44e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a95bec549159dd20506e72cb9d6774cb |
| SHA1 | e4a2862dc2db0b99bb6dcc178a58d808c1c36a5c |
| SHA256 | 00830235070126a92f43b627f17d03944e105099cab75994a538ce97b5b315b2 |
| SHA512 | 262db217662345f167bc8d83a49cd899f1dd21a3fdefbd133be59e4bd4fc9e45c0d69ce352d1cbd9a7e7af183e8a428d64e943a60a73d37ae9afc7af4f4653fa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 05:24
Reported
2024-10-03 05:27
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\PHILka.RU.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdeaaf46f8,0x7ffdeaaf4708,0x7ffdeaaf4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2332 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | philka.ru | udp |
| EE | 46.36.218.110:80 | philka.ru | tcp |
| EE | 46.36.218.110:443 | philka.ru | tcp |
| US | 8.8.8.8:53 | 110.218.36.46.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.philka.ru | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| EE | 46.36.218.110:80 | www.philka.ru | tcp |
| EE | 46.36.218.110:80 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| US | 8.8.8.8:53 | 229.193.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 200.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| RU | 87.250.251.119:443 | mc.yandex.ru | tcp |
| RU | 87.250.251.119:443 | mc.yandex.ru | tcp |
| US | 8.8.8.8:53 | 119.251.250.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 38f59a47b777f2fc52088e96ffb2baaf |
| SHA1 | 267224482588b41a96d813f6d9e9d924867062db |
| SHA256 | 13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b |
| SHA512 | 4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b |
\??\pipe\LOCAL\crashpad_208_RKEYYHLGAXDFULXO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ab8ce148cb7d44f709fb1c460d03e1b0 |
| SHA1 | 44d15744015155f3e74580c93317e12d2cc0f859 |
| SHA256 | 014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff |
| SHA512 | f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0ae6dc9bc40d68ee22f907b3abe54240 |
| SHA1 | 3006dd5ef7f5045bf556f872071cea37e5cd1b02 |
| SHA256 | 0339e223c3738e26bbc65af6cfff277c7b0e5b343b695c661917a9860e2f203a |
| SHA512 | 0b963cce8780b929f166041d137ea7f3bf3a8443058184c73ad33a1532797afd6cbfd4877614eef8f6139d03ad530e12389d5f6deae82bb661efd7409f31b857 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2e582bbb40af6ba51e251733ab06342e |
| SHA1 | d8459e689d59d45c7cf1514574dbea1a204c223a |
| SHA256 | 7c0e8e0da4153d1a165a504d11463b35586fd0d1f9089eacdbaf4c60f3915d8c |
| SHA512 | 26a4beae2d37524a04183e444a93f784349a43bd42e1ade7d3cba486b27dcf5544a128e41cd1e90c503eff0f9a0321a020d5abc0e9fcf191c6ae9b1c324a64bf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ff8661a0b979c24d1e863fa7c5f8605f |
| SHA1 | eca41e1c3a387970b1e415e415a72a5b10117ec9 |
| SHA256 | 9e6c9f5579959f287f8a094d111d7d2191ae1df5081171034950650e4d7e955a |
| SHA512 | ce9e9edaafabe570c2ea68d46ceb6992396ca69e4c79df44d231cc38654725e6181674f8de26fc6391fd231ef26fb60b295f8429269d2d030446e2430ddd6ed1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f6bf6aec7b1ee619ff2cc22abf8e7639 |
| SHA1 | 02c9284459459786e0e9436d002619491e2ca466 |
| SHA256 | 59a673a99c0002e143ca542a10cf6168d5a9d17e2ab33ad0fc3afbaed96d9946 |
| SHA512 | 4689020fe27328df6751f28f2a46b35e550046fd47a33a555646f315bddeb6bcb70f808b8cc6706c05c1c9d64afc25219da2e55cffc890ba4daaaa24de6f839e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d755.TMP
| MD5 | 518ea8a69c9be5f808218976e2dcdc34 |
| SHA1 | 3a13ab4332085abc9c57e6510478f40e9fc5016d |
| SHA256 | 9d0fb3663abbe2e1217e9bd29417ff94667f164ca88e3da921ff4eb2540c4d4e |
| SHA512 | 7a739142e795581108411d5571528454c331a121e581fc76f1c16be80502d3a6a92713921b6454c40f5dc2e88217ca9dd2a1d968eaf13812c7c3d79359f3565d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 491ee33aa20798ccc6e8560dd7909191 |
| SHA1 | 01acd7d9ed4ea19f651c7c72252ead160159aaaa |
| SHA256 | 81b6d6f802904773fb8ccd8b9769f917c76f3ef710498584faf1620c537eb52d |
| SHA512 | 8357b3ccacd0e25e44a5bac38f0cbc9fccaa61401f696d98425f41f2f005240620ebd61181adef84ec2ac44f5fd1676c2e64e4adfe9efbfcd6806a8dcf276557 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 6d6403d4534c1e7dd1656680c5c5f61b |
| SHA1 | 6616b8d9a717f1e9b171496dea89c31f741312c8 |
| SHA256 | 81d9d1d241c4364d6fde8487d4602eae0b5f93740a8628c6701ad99264521df7 |
| SHA512 | 2d9545ba98bbb04eb2681bb3201a37ce61171dc82edd9d87ee26aeff3977d45e6b169d2abf3bcb2c656110e66b4bd4e11bf2d4f6dcee1e3918dd9fee82124cf5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 03e794435bb0aa59a4ccb5685279ea49 |
| SHA1 | 059673933e6c04fbf82591ef78c30bca83ab3c66 |
| SHA256 | 9f23aeb8371b9382625bd8951e3b9a744273d097fc050700fe01acbdb4fc95e3 |
| SHA512 | bf3f8004fd725a072c54104f67e85bd9eb88d4556aee5cc670b89780803bd652d8e9772d8fa11ee9c3de0dd671373446893c548f4b353252fde39ec6bcc8bae2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 2507a9717b945348a3501c76774a2805 |
| SHA1 | 29b2bd310babe064657b431428004fbc8cbc191f |
| SHA256 | 6218910bfe1130eb74ad13d67cb462a54c6d29afc600d0b06bab39974afd6639 |
| SHA512 | 2df7c32bdb4d5101b1f36cc9a5d308a8e56e5db7200b82435fa717312c03a8a20dae249a826b848119c1b7787ec353ab78ebdd312263e4d7dfc1c6cf18327c7a |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-03 05:24
Reported
2024-10-03 05:25
Platform
win7-20240903-en
Max time kernel
35s
Max time network
40s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| N/A | N/A | C:\bootsect.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\bootsect.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\compact.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe
"C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA"
C:\Windows\SysWOW64\compact.exe
compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA
C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
C:\bootsect.exe
C:\bootsect.exe /nt60 SYS /force
C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "shutdown -r -t 0"
C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| US | 31.170.165.244:21 | N/A | tcp |
| US | 31.170.165.244:21 | N/A | tcp |
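The Network tables of behavioral2 and behavioral3 mix resolver queries, reverse (in-addr.arpa) lookups and mDNS with the connections that matter. The following is an editor's added example, not code from the report or the sandbox: it parses rows in the page's table format, discards that noise, and aggregates what is left per destination. The embedded rows are a subset copied from the two tables (the two rows whose Domain cell was empty are written with N/A); the third-party suffix list is the editor's assumption.

```python
"""Reduce a sandbox Network table to the endpoints worth watching.

Editor's added example; not code from the report or the sandbox.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed input: a subset of rows copied from the behavioral2 and
# behavioral3 Network tables, with empty Domain cells written as N/A.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | philka.ru | udp |
| EE | 46.36.218.110:80 | philka.ru | tcp |
| EE | 46.36.218.110:443 | philka.ru | tcp |
| US | 8.8.8.8:53 | 110.218.36.46.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.ru | tcp |
| US | 31.170.165.244:21 | N/A | tcp |
| US | 31.170.165.244:21 | N/A | tcp |
"""

# Hosts pulled in by the viewed HTML page (CDNs, analytics) rather than by
# the dropped executable. Editor's list; extend as needed.
THIRD_PARTY_SUFFIXES = (".cloudflare.com", ".jsdelivr.net",
                        ".google-analytics.com", "yandex.ru", "yandex.com")


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Parse '| Country | ip:port | Domain | Proto |' rows; skip malformed ones."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row: Dict[str, object]) -> str:
    """Label a row as noise, third-party traffic, or a candidate indicator."""
    addr = ipaddress.ip_address(row["ip"])
    if str(row["domain"]).endswith(".in-addr.arpa"):
        return "reverse-lookup"          # the sandbox resolving IPs it saw
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-query"               # forward lookups; keep the name, not 8.8.8.8
    if addr.is_multicast or addr.is_private or addr.is_loopback:
        return "local-noise"             # mDNS / link-local chatter
    if row["domain"] != "N/A" and str(row["domain"]).lower().endswith(THIRD_PARTY_SUFFIXES):
        return "third-party"
    return "candidate-ioc"


def triage(text: str) -> List[Dict[str, object]]:
    """Aggregate candidate endpoints by (ip, port, proto) with the names seen."""
    endpoints = defaultdict(lambda: {"count": 0, "domains": set(), "country": None})
    for row in parse_rows(text):
        if classify(row) != "candidate-ioc":
            continue
        e = endpoints[(row["ip"], row["port"], row["proto"])]
        e["count"] += 1
        e["country"] = row["country"]
        if row["domain"] != "N/A":
            e["domains"].add(row["domain"])
    return [{"ip": ip, "port": port, "proto": proto, "country": e["country"],
             "hits": e["count"], "domains": sorted(e["domains"]),
             # no name ever mapped to this address: a direct-IP connection
             "unresolved": not e["domains"]}
            for (ip, port, proto), e in sorted(endpoints.items())]


if __name__ == "__main__":
    for ep in triage(NETWORK_ROWS):
        print(ep)
```

On the page's rows this leaves three endpoints: 46.36.218.110 on ports 80 and 443 for philka.ru and www.philka.ru (the site the dropped PHILka.RU.html page loads), and 31.170.165.244 on TCP port 21, which appears in no DNS answer on the page and is reached on the FTP control port directly by IP; that unresolved endpoint is the one worth carrying into a watchlist, while the CDN and analytics hosts are browser side effects.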
Files
memory/2692-0-0x0000000000400000-0x000000000082D000-memory.dmp
\Users\Admin\AppData\Local\Temp\Windows Loader.exe
| MD5 | 3976bd5fcbb7cd13f0c12bb69afc2adc |
| SHA1 | 3b6bdca414a53df7c8c5096b953c4df87a1091c7 |
| SHA256 | bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40 |
| SHA512 | 0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341 |
memory/2692-6-0x0000000003990000-0x0000000003BB3000-memory.dmp
memory/1384-8-0x0000000000400000-0x0000000000623000-memory.dmp
memory/1384-10-0x0000000000280000-0x0000000000293000-memory.dmp
memory/1384-71-0x00000000024E0000-0x000000000267A000-memory.dmp
memory/1384-63-0x00000000003D0000-0x00000000003F0000-memory.dmp
memory/1384-55-0x00000000003C0000-0x00000000003D0000-memory.dmp
memory/1384-47-0x00000000003B0000-0x00000000003C0000-memory.dmp
memory/1384-39-0x0000000000390000-0x00000000003A1000-memory.dmp
memory/1384-31-0x0000000010000000-0x0000000010021000-memory.dmp
memory/1384-23-0x00000000002F0000-0x0000000000302000-memory.dmp
memory/1384-18-0x00000000002E0000-0x00000000002F0000-memory.dmp
memory/2692-73-0x0000000000400000-0x000000000082D000-memory.dmp
memory/2692-74-0x0000000003990000-0x0000000003BB3000-memory.dmp
memory/1384-77-0x0000000000400000-0x0000000000623000-memory.dmp
C:\Acer.XRM-MS
| MD5 | f25832af6a684360950dbb15589de34a |
| SHA1 | 17ff1d21005c1695ae3dcbdc3435017c895fff5d |
| SHA256 | 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f |
| SHA512 | e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f |
memory/1384-80-0x0000000000400000-0x0000000000623000-memory.dmp
\??\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA
| MD5 | 40887cbeb9f9dfea92b34f6976dbc75b |
| SHA1 | cf448ff6b7d1b1dd9145acbf56c545406d1c6e52 |
| SHA256 | 960b88a8ade6adf2fce1cec8406cd2b640bcc276a45da2bb406c1fc92c70e1b5 |
| SHA512 | 56e1c4a0bba724db447db0242f8b91771af0bb0dba922141d8928e34c769fa4e243b5136c54f951372af9fb58e4d823407752c8ad9d054bf0b5bbf9044bd2566 |
C:\bootsect.exe
| MD5 | 40234e01f0e94ca61611c58890d506ba |
| SHA1 | 26c2aa80fd2c43b525b0b7e153f36e24bfb72977 |
| SHA256 | c822016f9c4bd1438d813e440e02975637abe89b71a75508fb6b92a784e5a117 |
| SHA512 | 6e12b4fb1e78585f9fcb9bd673f30bd8e88dbfe069785f91cdc8acaeef72ab0df29918574895d98ec94cf62e9a1f9a11c42701b8180e0e28e2ffdcfe3e945190 |
memory/1384-95-0x0000000000400000-0x0000000000623000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-03 05:24
Reported
2024-10-03 05:27
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
127s
Command Line
Signatures
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2068 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe |
| PID 2068 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe |
| PID 2068 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe | C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe
"C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"
C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3776,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 31.170.165.244:21 | N/A | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/2068-0-0x0000000000400000-0x000000000082D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
| MD5 | 3976bd5fcbb7cd13f0c12bb69afc2adc |
| SHA1 | 3b6bdca414a53df7c8c5096b953c4df87a1091c7 |
| SHA256 | bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40 |
| SHA512 | 0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341 |