Malware Analysis Report

2024-12-07 14:55

Sample ID 241003-f363lswhml
Target 0e1fcae1d1369a8a1e87eae3287b97cc_JaffaCakes118
SHA256 3f518b753770e92d4300efcac94c41c4957becefd19363f1cbe5d4c27fccfd31
Tags
discovery exploit upx
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

3f518b753770e92d4300efcac94c41c4957becefd19363f1cbe5d4c27fccfd31

Threat Level: Likely malicious

The file 0e1fcae1d1369a8a1e87eae3287b97cc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit upx

Possible privilege escalation attempt

Modifies file permissions

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 05:24

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 05:24

Reported

2024-10-03 05:27

Platform

win7-20240903-en

Max time kernel

134s

Max time network

127s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\PHILka.RU.html"

Signatures

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |

Modifies Internet Explorer settings

adware spyware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "116" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "147" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "12" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "39" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "147" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "59" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "12" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "116" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1034" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D251DC41-8147-11EF-8632-EAF933E40231} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "102" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "87" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "59" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "102" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434094962" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "59" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "87" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "879" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000d2209f8b93356e084de07e2d3533b947ad44db2e68fb172d1a8b183be7f7d763000000000e80000000020000200000007f5a2fb58098ef665ebf2bb0f4bc234d5ddc8c2cb345b8d2b0d27c7621c0066b2000000093b10a189b1522ecb27c4b71169d6935991719fcb3b9256dd4fb42b5109c2b254000000075cb964522ddaab6d4686ab4a2434a73615f426b2ff48eaa981a548c30e462c0b73090b65f463476bf37dc1ae7135b72549f787953470184a9510251cc0d5042 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "39" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "879" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "39" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "102" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "879" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\ = "87" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "147" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "12" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\philka.ru\Total = "9" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\PHILka.RU.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | philka.ru | udp |
| EE | 46.36.218.110:80 | philka.ru | tcp |
| EE | 46.36.218.110:80 | philka.ru | tcp |
| EE | 46.36.218.110:443 | philka.ru | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.philka.ru | udp |
| EE | 46.36.218.110:80 | www.philka.ru | tcp |
| EE | 46.36.218.110:80 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.212.227:80 | c.pki.goog | tcp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| EE | 46.36.218.110:443 | www.philka.ru | tcp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| RU | 93.158.134.119:443 | mc.yandex.ru | tcp |
| RU | 93.158.134.119:443 | mc.yandex.ru | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | mc.yandex.com | udp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| RU | 87.250.251.119:443 | mc.yandex.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |

Files

C:\Users\Admin\AppData\Local\Temp\TarB31E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\CabB31B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ec56ea1bd48dc7ecf78b3deb4b15d59
SHA1 cec0808889620d554b39ac7ef8db2f19977a470d
SHA256 e0337d1f720a1939b74c2da0d82922245e6c2e69eaccd4fd8c3229144a103841
SHA512 a1c76a1e9c793856148a4729512bbab355b9e3ef0abd20660adc58ee829621a656218682870234a095ce8b5b64ef18a1fe4502e5ed66d7b56a221b72f9728c96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71d7243ecfdf0a78814a4147b4953ced
SHA1 40d4cb7211493211f615c2cf17d190154793de76
SHA256 5af94e8d3d6045085db22dd77a048e9e156f151aa3270124d091aea7cb7d8ce1
SHA512 b4c1f32a954cde19f5ae55546062865dd2b1b3640bf27559b71529bb1284d5ab39a48dd5be1279d9b89509f07d3c1cddb23ba080b1fa75b121886716ef95bbd0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38dc82b45b4ff1e8dbf2bfccffe85755
SHA1 d4ac37b1d4af08e0fd669eb47ae26c78130fb400
SHA256 f88bb150aacbceed2de2846bc2e56442c070f1de688c1422837dd40f1236c062
SHA512 3e9820cf86f1cf12f7b220ade0e4233ef4cdc989a6cafb95453f36718cb1f1ce0f1f0c0f1b8edd8a5f8aefaa2137b2a1e16d09664fe722f3e727d5c147b9ed10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

MD5 4694b641fef54a697121c32a0296a865
SHA1 cb0ffa51938b25ae8034565da9e17bdbdc640151
SHA256 6c3fb1c7b17e4d2f4a562f184de9c561d19f23f51ed30c246180ce8feb2dc9b4
SHA512 b82c3d2b19c924f7f7c7a30dd99491df18d808acc47d250c59fdcec8337c860a29525bd35b72ef2d0940ce28a706d484d6f3cf3cb61a0dc8fb09bd6a2f07664a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

MD5 c5dfb849ca051355ee2dba1ac33eb028
SHA1 d69b561148f01c77c54578c10926df5b856976ad
SHA256 cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b
SHA512 88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d79f62ef252d7f20182bd0122647436
SHA1 6cfbc76d5e5ed71def3649e8c58b64749dfc3441
SHA256 1bac69ab4a07faf1e9dcb8fdb18e910d33d77bd638253960d17172a73c8883a2
SHA512 372504587c822508d3702273bc342eb33dc7df83d42350b7e9bc53d105e3db521cd857b9d94e61cd9ff5faafce6d51f59a29cfa2c8ff3a47170b6a76e8d63eba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0beda7b35ffdf9a6362171159a321e03
SHA1 39f31c0ab65d21382b5b8b92427746f532239c71
SHA256 b4544225ba09d1c48ac2fb59d03d22a3074c947984d31aaf911314d6dc63ea80
SHA512 d6a4e57958aceaf9b558a9a6edcafa76a6545d5c370d1ca8c6627c53b0d572415507dac29ff5ed65261648d1542351b83841844f59b775b67910593994b92ff5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 151a84d46c47bb99d8a3344bc910ebf6
SHA1 0a5581ed96c95e4b2a257daa2ed9f85729b3337f
SHA256 79cfb13d647c36c1997674c83a9fcea3f7dec017682374b025cb325890e195d4
SHA512 2dbcfbbc51948780e716ef8b32ef6b319198ca41451ad29676c77292eed14482be31d7426fd76cbd267c1ca2b885684af6a09846977ab354fe458e73e08d990c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f194681e59f2ac51d2cd7c55a419aa8e
SHA1 5d91ce433cc6f359c2a23c9c39e0b18b6131b8a8
SHA256 496ae5511d048e558307ab4f564cfa9ee91df461bfc9161212888a3751b9df45
SHA512 0edb89c15ad3e47ec48b27de8c138045ce59edbdf400b6fb4855d44bb005f3c31a972fb7e750b45ee7d71b5991d09c9c14fe2def0314b75a96c4125e98cf9abf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eef4bf7e2a5c17b139953ef5843c94bb
SHA1 7779b234b11a9a014d567aeb47821ab710932c98
SHA256 289f24b642319561eeb0a5ace40e6c8dfa6e8e94b2457f3a3b320f091ab7b6cb
SHA512 a35c1713fcdcd8edb6ecda1dca70595ccccc80d599a65159217daa3f546014c9f0138d3bf174bb5ccb86ed7558d606016dd33eb4e055598f3b80515cd5c7f4cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 22c95f1277d2f760be69e161c67ce49d
SHA1 162e7f9733ac5047a44cdc1a433935299c98b894
SHA256 142205253559825a351e7fd2266946dd7fbf52f7cb2aaf9ace7db94b54030875
SHA512 10e96e6cabdc61751574de74cd269c73bf8e568e6b8367d2cc178dab859b8b4bfd3f785f67202b47fb5108bafd31260d4a9d9459d239cac6145c7759fed3d1b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 307a34fd1fa57107a0ecdf2c733bd988
SHA1 6e2d2bf6becc07dbe2f5e1ee9cdf35d9d59565a5
SHA256 9a6c791857b2dab7114891afadba0f9b933d1d432efdffa2043467333e00e80c
SHA512 a2fb9def70b49c35365542645401831eeba74becd7b33c059f1988029481f50a3317bc6a132d44a6d168f15dbdbba2149dd2008b38169e613ddc0fb70a906015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 014c364e052572d4d3184ee6c25bfcfc
SHA1 3356617df04168d1fc1c574a1ec8a3481dffb04e
SHA256 8b69e92ba7635d6b55c2154f90db8141af8dc93bc8de70fab82de61a1ef2498a
SHA512 4ed4743f075e7bf1ca8ef67ad11ffd71efc706e63ec65e580c0f2d526c45897a6eac5a72bf65d1002512fa2c67283c094ca089dd4ebcab139ba8a7ca6f3944f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c84706f2705d29dcd56cb44d8b6a74f
SHA1 ce12fc3c949975a1a1714556ae364ff8a0d363c4
SHA256 261e5a5f34addbd833a53fb8fdfb9f6802bdb8cb2cbbbe07a5f4dd3922ded343
SHA512 01a84c71adbf9eb4a0c6ae62b5a2b5f3382482c8313c95fac596134ff290825f03273be4ada48bdcbbf9211a720c45e3027f55f2a0edb27a359eb591d62e664a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6aa58d0af0eaa869618ba304bb5aa6cd
SHA1 18c678d1caad04c984dbaa1851e39b3fc9f7d608
SHA256 7d6c795816bbd3bc79006e2d3e0a29805b8800010b0b86267b1243f102b91244
SHA512 6c3480888d1e1ccfc56f2e668484899ee5af7dbedd70c07d69b273ce6b444315f57c781b0bec6e9f3c76217d6e9e9ef402688fb2ceeafd6c9a1c78ee1b25c6af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb63a5a4afde27388be23ead4ad2c5d8
SHA1 c0735a253fc2de106834eff204305396f7637955
SHA256 7ab47f229093a43f8b7dd4f9fb02d4223cea2f91af14425a5c540b6e7df4bed6
SHA512 41cd0c15697e95cba7ed79baab53e8d662539f3b451e68b7b47b38ef193fc82d2ebc47efe3865ba7e5eeded6948be1cfd7ab08961654c815e0f344cc4ce46aae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad3a14fe1e27e2fd9af2c1d36eda7933
SHA1 02300049773343812ac5dfab940355aad93ba1ad
SHA256 71b934bbc665764e3c48577d0a680355ec9c8ea818d6cae87371f8c2f8a0f884
SHA512 d550fdcc6bb7c3193fa9b0e9682d9e2f0e7b1ec97c69f455dfa8b307cf6093f4237e734964c5e1b8a4c737c900cd9a088c306666e84c660d080bf69ab18bac84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0734ff6a51027fd120201c793172524e
SHA1 841465ff76bc30e94848c6ac100a11a940928126
SHA256 04b9d95f52f5d5b3a4ee843b0407c62b30cf86645fa55ec67c50c37c21b1ce4b
SHA512 6dcfa604d047f55fdf47c494f5cb706bfec043e560bc561aff379b47790580411c1a736d9b5a9fcb40c8549788d60867863c1430effc330fd405b54402f8d37a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\XB0UCB2W\philka[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\XB0UCB2W\philka[1].xml

MD5 226c41f2aaa8dcc59048beb910534ba9
SHA1 1025c9850af1880ad9eb8df04399289e6ac28f5d
SHA256 8cd178467a0afe20ff2c81cacffec986a26da4f26ec27bba6a885c51e70c98f3
SHA512 1343b4567a551abc7a8da07a9a16119e57f07212d62166a7e037e17ca6a2d5460144d1ab3be3cd955b4ec1624cdc1ace6edec934b377d9112266a92c1e7f825a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\XB0UCB2W\philka[1].xml

MD5 4d4da3de9ecb9b66b0c36268fc15fff7
SHA1 33136f96600419131470bd5238c49e773c7a3e79
SHA256 9176d0f0deb9958963c58393e5a5c23f074af5aad3ce52d672ac64f46e6a12ce
SHA512 114724e3dd8505cdb4bbbaaca1725a2ab9203579d0b7882ee7f048b0f60f9014b70f8d00bfddecaad6d6fe3b0353cee84dae93f2ca940d5194c4af1bd25d0bf2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F91VN88R\favicon[1].svg

MD5 524ffe75b5b1da563ea691499883c518
SHA1 41ee38ca71d1b9c3aa91d8d42be8b8d05d1ce18a
SHA256 5d8a02b80bdc8f8c2df81795c8c019913913b04fc797ec55ee45ead3a46d30fa
SHA512 2a8f70c3cee5d0db7ce834bf48371f6ba74c5d8a4a83a7a3c5597e1c5a440d438db695cbb3be0d14b284043bbfc6b772bd7555e24b8acd87b4c4ce81a61bcb35

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\favicon[1].ico

MD5 063ea9994b9650e05afa848fbfea8e02
SHA1 b824f9e6fc88b24066fd64118ed48fa4c38da8e0
SHA256 1e467bcc6daa80b2d5bc872edec1138502156fa295465ff81e19fb7cd6d6d916
SHA512 2d12ec0ea7fa7aa7588f62c52a0df468bce320416791044fdc05ec7c6477d3ddce5d24d184a0da36ce3fc8dc0cf5010ad6d0aadfcae93a3de0e43c9e9f7e6884

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\yiu0yt6\imagestore.dat

MD5 a9d5f9707db5c1266a70e263a76d9375
SHA1 6dcb08b8cce2815346c16b7ab967b6ef5669a9d0
SHA256 0b6987999869f4a283b1eb56fa617215ebb1473f4df7cd760eb98428da908aef
SHA512 cfabf0f9f1ef1231b2d009fdaf1404040a7ea1b538d6d446298472da87d53f2ca8cbaccd15619970038f64f48dfe64dbc35cbe2c8aa82c7862ac6f36a3258775

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\XB0UCB2W\philka[1].xml

MD5 0a08251a318a6566ddc51aae4e0ce56b
SHA1 d960cd7fc886a14c137910063767d36043293595
SHA256 083d4cc486a0a520a959965007a3fcc3c3cecc456b2578969158e15cebf4e7cd
SHA512 70265837c73575ae25159f3c2284110dfb7d8d45102132332af48a99a6c1aa43b44f435085ad8183eca0aef9f1458d3aed878ca3142b6074ad9e1cb546f74e12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af71b991bf6051b1d0c638d8d0d5fba8
SHA1 c9dfbe9d85934cdb411d76a1f2ff9733db34dec7
SHA256 e944a33b6d8adaa41a69f444305e5a74a53b0088e2892ccbcefbb2e6f7cd5fe3
SHA512 fdbee8e6059a2e49a259173af6c6cbbce025bdbe81e55b3ada855844f648f9b3fabb45bf2068956222718587c3f23b184ab339cddd7cba7961e0421d12542c73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 639674a550720524125123563e213089
SHA1 082f582dc8796cfa7bfe1a7fe82a693cbfc7e435
SHA256 9c5c4d11fccef4bc01098d9b409b189bb366458573e353727df8a2be2b0327f9
SHA512 402ab88a0594b384705904d53a319ea111dced5d441f5bb2ac4fa3c417a57ec3ac3ada425d6223048f937ed5cdd6dc0e5bec540f3eda52cbaf416c91b61338ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 5ba23aa6e0dec1d4414a4aac1efe2eaa
SHA1 e665faf204e955b41638d66a176dce93498cd2c9
SHA256 222b4d4993bbed146841563a85b25216819835f756621a2a5dfe9a30b171a0c3
SHA512 8f36e2203e8d321f3dc473d1331f8911dc83f7c7ae4c2916999e4b55ca2d850154cd0cc7b76b8f962710f34a2325e63fc4b24f1e3897575fec6329fb2ecfd334

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09f3d3c095dbb30c7a920fc93ce99782
SHA1 ca506826c99c0f47c830552edbb30e4df9133f42
SHA256 cdee5f7c7c3db83d37001a6ed75c4effe19332396a729d5fcba389f9e4bfa1d4
SHA512 a57fa51428a359df4a1735fe6dd08ab2d5719981877cabaebcae34be15a9fbe403c069405c034b615bd83455719d5930fcbb50bc71835d7cf2e0d905769857f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d72fcc41a18cf6a36f7a5d2aa3f96e61
SHA1 b076c0a3f12a9dd7a13a76172d26d1a51d94ccd6
SHA256 c8216854a98e8f03137df0e831abe51002485d0981961f771b1dae7e1c0024a0
SHA512 25ff343e10f85d035deca1bd34e00cb305194d60119151afbc3568b82e3e4b39740ac6cafe070f31dc9fdbb7e7cc33340942d98e2643f62a5e1d643d098bdd2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d88a04da1f18c99ef51c36154bfdf6ab
SHA1 e1ab94d6624b6053195f6c6ba0e3e3a2cf79dcf7
SHA256 5c00992d6b4393e07696badf773944d502c5c7a669add136ed35ff77c66b9519
SHA512 6fdfd6f4ac5715221b0ba106d81ab35db1756f4b8b6c1045988d382b5d7c933fc731304cc106a43b213b1c8ae4f8b8eb68f6689a807d07b127ae846e16636fd9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc0b19f8e6e5247d791885697e7ead4f
SHA1 80745b25debdc49bbe36e7f498ac103f0c797739
SHA256 f2f0b3d934aa9e191bec69ebe980f16609219c14fb0fe73e5797d2a98639fe2f
SHA512 66f480d5ac641e9896b184e66cba9f434820ef24531861bb6e13abf7833301d8b510094f93e0e34bd8a99cdaf80de151fe1ec6cfcd09ee84da554fde735ba8d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52896c19628aa4733cfc0a27c597a801
SHA1 1e8f7c21115ec81088529896d605e50a1f2d5649
SHA256 4e83596e8c06f751c5392d341fc4f243605a5ddbdc0217c075c027cd2de67eab
SHA512 b880a836126a2c40f3083df9d6ee3c2df0edf29fb6b7fbab8c1660750e1ed42ea8bee1f4a1af52f436511629e7d705a5470279e25a00dd0dc4a55929dabf00d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 bc266f8ebde1316fdc370a0f9909f459
SHA1 bfd5edfd2d55397bff425698079a04f2a37471a1
SHA256 b6472f5571828e4517e2696434a9762c05ddf95b862ebda97cb798952c64a5cd
SHA512 99e814920c3b3da78a660810bf9a0d2d83bf5c26e05d0a7202879e2b3219031f7f20a6f41d5f046c915095a299c3097616f322a0644a48bb1495e76a646d1918

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fa8b22f9cf13d7524a3ce98cd01aa62
SHA1 3f34595ceadad982eeb2b61cb93452d90baf37da
SHA256 7eb6466484e7d83e076296a947c4d7ebf80cf280b390be82515f33b1563cbaee
SHA512 c0bf508b433fa6372fb42d956b0330ef1bece78986466854751462fd508b5508280ede47cc196c32bf19c9ea0d927bfe92e845f9b01fd7bb7ec6656b70055640

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f00a6f96b898172065934c31f2d49fb
SHA1 a0748d7bc61dc70637729f2dcb5775882af0f1c6
SHA256 fb434099c761d18efb103a590d9da9a97c609e1deac4162b9a50c0f571b1473e
SHA512 c5b6966af2145a1d18ee09625d8713a71972cac5879b96f39bd3aa9eadabbd517801689b1a77c2f8b96c3aa36a28d76a3724fda81178fdbb69b8629e66beb44e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a95bec549159dd20506e72cb9d6774cb
SHA1 e4a2862dc2db0b99bb6dcc178a58d808c1c36a5c
SHA256 00830235070126a92f43b627f17d03944e105099cab75994a538ce97b5b315b2
SHA512 262db217662345f167bc8d83a49cd899f1dd21a3fdefbd133be59e4bd4fc9e45c0d69ce352d1cbd9a7e7af183e8a428d64e943a60a73d37ae9afc7af4f4653fa

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 05:24

Reported

2024-10-03 05:27

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\PHILka.RU.html

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 3448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3448 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 5028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 208 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\PHILka.RU.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdeaaf46f8,0x7ffdeaaf4708,0x7ffdeaaf4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,11934289174147201109,1401159705334803478,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2332 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 philka.ru udp
EE 46.36.218.110:80 philka.ru tcp
EE 46.36.218.110:443 philka.ru tcp
US 8.8.8.8:53 110.218.36.46.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 www.philka.ru udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
EE 46.36.218.110:80 www.philka.ru tcp
EE 46.36.218.110:80 www.philka.ru tcp
EE 46.36.218.110:443 www.philka.ru tcp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
EE 46.36.218.110:443 www.philka.ru tcp
EE 46.36.218.110:443 www.philka.ru tcp
EE 46.36.218.110:443 www.philka.ru tcp
EE 46.36.218.110:443 www.philka.ru tcp
US 8.8.8.8:53 mc.yandex.ru udp
US 8.8.8.8:53 229.193.101.151.in-addr.arpa udp
US 8.8.8.8:53 178.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 200.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
RU 87.250.251.119:443 mc.yandex.ru tcp
RU 87.250.251.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 119.251.250.87.in-addr.arpa udp
US 8.8.8.8:53 mc.yandex.com udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
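Triage note and added example (not part of the sandbox output): most rows in this table are reverse PTR lookups (*.in-addr.arpa) of peers that already appear elsewhere in it, plus mDNS to 224.0.0.251, so they add no new destination. The forward DNS lookups and the TCP connections are the rows worth carrying into an IOC list. The Python below was written for this page and assumes nothing beyond the "Country Destination Domain Proto" layout shown above; the sample rows are a subset copied from the table.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of rows copied from the Network table above,
# in the report's own "Country Destination Domain Proto" layout.
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 philka.ru udp
EE 46.36.218.110:80 philka.ru tcp
EE 46.36.218.110:443 philka.ru tcp
US 8.8.8.8:53 110.218.36.46.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
RU 87.250.251.119:443 mc.yandex.ru tcp
RU 87.250.251.119:443 mc.yandex.ru tcp
"""


def parse_row(line):
    """One table row -> dict. The Domain column may be absent (the mDNS row)."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row layout: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ipaddress.ip_address(ip),
            "port": int(port), "domain": domain, "proto": proto}


def triage(rows_text):
    """Split the flat table into IOC candidates and rows that add no new peer."""
    contacts = defaultdict(set)   # (ip, port) -> domains observed on that socket
    queried = set()               # forward DNS lookups
    noise = []                    # reverse PTR lookups, multicast
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        r = parse_row(line)
        if r["domain"].endswith(".in-addr.arpa") or r["ip"].is_multicast:
            noise.append(line)
            continue
        if r["port"] == 53 and r["proto"] == "udp":
            queried.add(r["domain"])
            continue
        contacts[(str(r["ip"]), r["port"])].add(r["domain"])
    connected = {d for doms in contacts.values() for d in doms}
    return {
        "contacts": dict(contacts),
        "queried": queried,
        # resolved but never connected: worth a second look (sinkholed / dead C2)
        "queried_only": queried - connected,
        "noise": noise,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for (ip, port), doms in sorted(result["contacts"].items()):
        print(f"{ip}:{port}  {', '.join(sorted(doms))}")
    print("queried but never contacted:", sorted(result["queried_only"]))
    print(f"{len(result['noise'])} rows dropped as reverse-lookup/multicast noise")
```

Run over the full table, the only first-party contact in this detonation is philka.ru on 46.36.218.110 (EE), which is consistent with the PHILka.RU.html file Edge was launched with; the Cloudflare and jsDelivr CDNs, mc.yandex.ru and google-analytics are the page's embedded assets and trackers, not traffic from the sample itself. The "queried_only" set is empty here, but on other detonations it is where a dead or sinkholed C2 domain shows up.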

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 38f59a47b777f2fc52088e96ffb2baaf
SHA1 267224482588b41a96d813f6d9e9d924867062db
SHA256 13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA512 4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

\??\pipe\LOCAL\crashpad_208_RKEYYHLGAXDFULXO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ab8ce148cb7d44f709fb1c460d03e1b0
SHA1 44d15744015155f3e74580c93317e12d2cc0f859
SHA256 014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512 f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0ae6dc9bc40d68ee22f907b3abe54240
SHA1 3006dd5ef7f5045bf556f872071cea37e5cd1b02
SHA256 0339e223c3738e26bbc65af6cfff277c7b0e5b343b695c661917a9860e2f203a
SHA512 0b963cce8780b929f166041d137ea7f3bf3a8443058184c73ad33a1532797afd6cbfd4877614eef8f6139d03ad530e12389d5f6deae82bb661efd7409f31b857

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2e582bbb40af6ba51e251733ab06342e
SHA1 d8459e689d59d45c7cf1514574dbea1a204c223a
SHA256 7c0e8e0da4153d1a165a504d11463b35586fd0d1f9089eacdbaf4c60f3915d8c
SHA512 26a4beae2d37524a04183e444a93f784349a43bd42e1ade7d3cba486b27dcf5544a128e41cd1e90c503eff0f9a0321a020d5abc0e9fcf191c6ae9b1c324a64bf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ff8661a0b979c24d1e863fa7c5f8605f
SHA1 eca41e1c3a387970b1e415e415a72a5b10117ec9
SHA256 9e6c9f5579959f287f8a094d111d7d2191ae1df5081171034950650e4d7e955a
SHA512 ce9e9edaafabe570c2ea68d46ceb6992396ca69e4c79df44d231cc38654725e6181674f8de26fc6391fd231ef26fb60b295f8429269d2d030446e2430ddd6ed1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f6bf6aec7b1ee619ff2cc22abf8e7639
SHA1 02c9284459459786e0e9436d002619491e2ca466
SHA256 59a673a99c0002e143ca542a10cf6168d5a9d17e2ab33ad0fc3afbaed96d9946
SHA512 4689020fe27328df6751f28f2a46b35e550046fd47a33a555646f315bddeb6bcb70f808b8cc6706c05c1c9d64afc25219da2e55cffc890ba4daaaa24de6f839e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d755.TMP

MD5 518ea8a69c9be5f808218976e2dcdc34
SHA1 3a13ab4332085abc9c57e6510478f40e9fc5016d
SHA256 9d0fb3663abbe2e1217e9bd29417ff94667f164ca88e3da921ff4eb2540c4d4e
SHA512 7a739142e795581108411d5571528454c331a121e581fc76f1c16be80502d3a6a92713921b6454c40f5dc2e88217ca9dd2a1d968eaf13812c7c3d79359f3565d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 491ee33aa20798ccc6e8560dd7909191
SHA1 01acd7d9ed4ea19f651c7c72252ead160159aaaa
SHA256 81b6d6f802904773fb8ccd8b9769f917c76f3ef710498584faf1620c537eb52d
SHA512 8357b3ccacd0e25e44a5bac38f0cbc9fccaa61401f696d98425f41f2f005240620ebd61181adef84ec2ac44f5fd1676c2e64e4adfe9efbfcd6806a8dcf276557

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6d6403d4534c1e7dd1656680c5c5f61b
SHA1 6616b8d9a717f1e9b171496dea89c31f741312c8
SHA256 81d9d1d241c4364d6fde8487d4602eae0b5f93740a8628c6701ad99264521df7
SHA512 2d9545ba98bbb04eb2681bb3201a37ce61171dc82edd9d87ee26aeff3977d45e6b169d2abf3bcb2c656110e66b4bd4e11bf2d4f6dcee1e3918dd9fee82124cf5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 03e794435bb0aa59a4ccb5685279ea49
SHA1 059673933e6c04fbf82591ef78c30bca83ab3c66
SHA256 9f23aeb8371b9382625bd8951e3b9a744273d097fc050700fe01acbdb4fc95e3
SHA512 bf3f8004fd725a072c54104f67e85bd9eb88d4556aee5cc670b89780803bd652d8e9772d8fa11ee9c3de0dd671373446893c548f4b353252fde39ec6bcc8bae2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2507a9717b945348a3501c76774a2805
SHA1 29b2bd310babe064657b431428004fbc8cbc191f
SHA256 6218910bfe1130eb74ad13d67cb462a54c6d29afc600d0b06bab39974afd6639
SHA512 2df7c32bdb4d5101b1f36cc9a5d308a8e56e5db7200b82435fa717312c03a8a20dae249a826b848119c1b7787ec353ab78ebdd312263e4d7dfc1c6cf18327c7a

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-03 05:24

Reported

2024-10-03 05:25

Platform

win7-20240903-en

Max time kernel

35s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
N/A N/A C:\bootsect.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\bootsect.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\compact.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
PID 2692 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
PID 2692 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
PID 2692 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
PID 1384 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2864 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2864 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2864 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1384 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3068 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3068 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3068 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1384 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 832 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 832 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 832 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1384 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2120 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2120 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2120 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1384 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2008 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2008 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1384 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1384 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2328 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2328 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2328 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1384 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 880 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe
PID 880 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe

"C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"

C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA"

C:\Windows\SysWOW64\compact.exe

compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"

C:\bootsect.exe

C:\bootsect.exe /nt60 SYS /force

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "shutdown -r -t 0"

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 31.170.165.244:21 tcp
US 31.170.165.244:21 tcp

Files

memory/2692-0-0x0000000000400000-0x000000000082D000-memory.dmp

\Users\Admin\AppData\Local\Temp\Windows Loader.exe

MD5 3976bd5fcbb7cd13f0c12bb69afc2adc
SHA1 3b6bdca414a53df7c8c5096b953c4df87a1091c7
SHA256 bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40
SHA512 0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341

C:\Acer.XRM-MS

MD5 f25832af6a684360950dbb15589de34a
SHA1 17ff1d21005c1695ae3dcbdc3435017c895fff5d
SHA256 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
SHA512 e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

memory/1384-80-0x0000000000400000-0x0000000000623000-memory.dmp

\??\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA

MD5 40887cbeb9f9dfea92b34f6976dbc75b
SHA1 cf448ff6b7d1b1dd9145acbf56c545406d1c6e52
SHA256 960b88a8ade6adf2fce1cec8406cd2b640bcc276a45da2bb406c1fc92c70e1b5
SHA512 56e1c4a0bba724db447db0242f8b91771af0bb0dba922141d8928e34c769fa4e243b5136c54f951372af9fb58e4d823407752c8ad9d054bf0b5bbf9044bd2566

C:\bootsect.exe

MD5 40234e01f0e94ca61611c58890d506ba
SHA1 26c2aa80fd2c43b525b0b7e153f36e24bfb72977
SHA256 c822016f9c4bd1438d813e440e02975637abe89b71a75508fb6b92a784e5a117
SHA512 6e12b4fb1e78585f9fcb9bd673f30bd8e88dbfe069785f91cdc8acaeef72ab0df29918574895d98ec94cf62e9a1f9a11c42701b8180e0e28e2ffdcfe3e945190

memory/1384-95-0x0000000000400000-0x0000000000623000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-03 05:24

Reported

2024-10-03 05:27

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe

"C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"

C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3776,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 31.170.165.244:21 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/2068-0-0x0000000000400000-0x000000000082D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe

MD5 3976bd5fcbb7cd13f0c12bb69afc2adc
SHA1 3b6bdca414a53df7c8c5096b953c4df87a1091c7
SHA256 bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40
SHA512 0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341
