General Info

File name

psiphon3.exe

Full analysis
https://app.any.run/tasks/bcf88bb6-08d2-465c-b000-7b2deffb625b
Verdict
Malicious activity
Analysis date
3/14/2019, 16:37:08
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5

03a796b1cf377e857151727353d3e33c

SHA1

14db38bef5b502d7e0d1f0f318a58a2209e0a144

SHA256

4eb5f85203b0ae38f5d9785b1f28c3fcab144a648e56e87c0677768813046ce8

SSDEEP

98304:EN7MQoVvmCEh0tI+6N+K7P4lPjyCKUYIHXXvj3hdUIuUKQ/3rbzjI8pZV:EN76VvA0tI/NH7AlmfI3Xvj3zj4O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • psiphon-tunnel-core.exe (PID: 2264)
Creates files in the user directory
  • psiphon-tunnel-core.exe (PID: 2264)
  • psiphon3.exe (PID: 3276)
Reads Internet Cache Settings
  • rundll32.exe (PID: 2712)
  • psiphon3.exe (PID: 3276)
Uses RUNDLL32.EXE to load library
  • psiphon3.exe (PID: 3276)
Executable content was dropped or overwritten
  • psiphon3.exe (PID: 3276)
Connects to unusual port
  • psiphon-tunnel-core.exe (PID: 2264)
Starts Internet Explorer
  • psiphon3.exe (PID: 3276)
Reads internet explorer settings
  • psiphon3.exe (PID: 3276)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2688)
Creates files in the user directory
  • iexplore.exe (PID: 2988)
  • iexplore.exe (PID: 2688)
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2288)
Reads internet explorer settings
  • iexplore.exe (PID: 2688)
Application launched itself
  • iexplore.exe (PID: 2988)
Changes internet zones settings
  • iexplore.exe (PID: 2988)
Reads settings of System Certificates
  • iexplore.exe (PID: 2988)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.exe | UPX compressed Win32 Executable (43.5%)
.exe | Win32 EXE Yoda's Crypter (42.7%)
.exe | Win32 Executable (generic) (7.2%)
.exe | Generic Win/DOS Executable (3.2%)
.exe | DOS Executable Generic (3.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:03:11 03:54:27+01:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
6029312
InitializedDataSize:
90112
UninitializedDataSize:
11665408
EntryPoint:
0x10e07e0
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
11-Mar-2019 02:54:27
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000118
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
11-Mar-2019 02:54:27
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
UPX0 0x00001000 0x00B20000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
UPX1 0x00B21000 0x005C0000 0x005BFC00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.93021
.rsrc 0x010E1000 0x00016000 0x00015C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.48749
Resources
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 131
  • 132
  • 133
  • 146
  • 147
  • COUNTRY_DIALING_CODES.JSON
  • BANNER.PNG
  • FLAGS32.PNG
  • FLAG_UNKNOWN_32.PNG
  • FLAG_UNKNOWN_64.PNG
  • ICOMOON.EOT
  • LOGO-BW.PNG
  • LOGO.PNG
  • MAIN.HTML

Imports
  • KERNEL32.DLL
  • ADVAPI32.dll
  • COMCTL32.dll
  • CRYPT32.dll
  • GDI32.dll
  • ole32.dll
  • OLEAUT32.dll
  • RASAPI32.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • VERSION.dll
  • WINHTTP.dll
  • WININET.dll
  • WS2_32.dll

Exports

    No exports.

Processes

Total processes
38
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes shown in the behavior graph (image): psiphon3.exe, psiphon-tunnel-core.exe (drop and start), rundll32.exe (no specs), iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe (no specs)

Process information

PID
3276
CMD
"C:\Users\admin\AppData\Local\Temp\psiphon3.exe"
Path
C:\Users\admin\AppData\Local\Temp\psiphon3.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\psiphon3.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\t2embed.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\microsoft shared\vgx\vgx.dll
c:\windows\system32\atl.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\dxtrans.dll
c:\windows\system32\ddrawex.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dxtmsft.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\users\admin\appdata\local\temp\psiphon-tunnel-core.exe
c:\windows\system32\d3dim700.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\propsys.dll
c:\program files\internet explorer\iexplore.exe

PID
2264
CMD
C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\admin\AppData\Roaming\Psiphon3\psiphon.config" --serverList "C:\Users\admin\AppData\Roaming\Psiphon3\server_list.dat"
Path
C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe
Indicators
Parent process
psiphon3.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\psiphon-tunnel-core.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
2712
CMD
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
psiphon3.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll

PID
2988
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=4BA4DEF917101460&sponsor=psiphon_bbg&client_region=CH&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
psiphon3.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2688
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2988 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\iepeers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msimtf.dll
c:\windows\system32\t2embed.dll
c:\windows\system32\jscript.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx
c:\windows\system32\winmm.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\dinput8.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll

PID
2288
CMD
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version
26,0,0,131
Modules
Image
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

Registry activity

Total events
649
Read events
524
Write events
122
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
SkipBrowser
0
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
SkipProxySettings
0
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
SkipAutoConnect
0
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
EnableFileTracing
0
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
EnableConsoleTracing
0
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
FileTracingMask
4294901760
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
ConsoleTracingMask
4294901760
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
MaxFileSize
1048576
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
FileDirectory
%windir%\tracing
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
NativeProxyInfo
{"proxies":[{"bypass":"","flags":1,"name":"","proxy":""}]}
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
EnableFileTracing
0
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
EnableConsoleTracing
0
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
FileTracingMask
4294901760
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
ConsoleTracingMask
4294901760
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
MaxFileSize
1048576
3276
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
FileDirectory
%windir%\tracing
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CachePrefix
DOMStore
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheLimit
1000
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheOptions
8
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheRepair
0
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
UICookies
{"language":"en"}
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
PsiphonProxyInfo
{"proxies":[{"bypass":"<local>","flags":2,"name":"","proxy":"http=127.0.0.1:49407;https=127.0.0.1:49407;socks=127.0.0.1:49406"}]}
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
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
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
http=127.0.0.1:49407;https=127.0.0.1:49407;socks=127.0.0.1:49406
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyOverride
<local>
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
UICookies
{"language":"en","AvailableEgressRegions":["AT","BE","BG","CA","CH","CZ","DE","DK","ES","FR","GB","HU","IN","IT","JP","NL","PL","RO","SE","SG","US"]}
3276
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
http=127.0.0.1:49407;https=127.0.0.1:49407;socks=127.0.0.1:49406
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyOverride
<local>
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{1B0A5E05-466F-11E9-AA93-5254004A04AF}
0
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307030004000E000F0025002B007901
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307030004000E000F0025002B007901
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
––
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307030004000E000F0025002B001502
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
11
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307030004000E000F0025002B003502
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
52
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307030004000E000F0025002B00C202
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
26
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Type
1
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
2
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307030004000E000F0025002C001303
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CachePrefix
:2019031420190315:
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CacheLimit
8192
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CacheOptions
11
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CacheRepair
0
2988
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
2988
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
61F40DDF7BDAD401
2988
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
2988
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
2688
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total
24
2688
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\whatismyip.li
24
2688
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\Total
49
2688
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\whatismyip.li
49
2688
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019031420190315
2688
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315
CachePrefix
:2019031420190315:
2688
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315
CacheLimit
8192
2688
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315
CacheOptions
11
2688
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315
CacheRepair
0
2688
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829

Files activity

Executable files
1
Suspicious files
0
Text files
35
Unknown types
9

Dropped files

PID
Process
Filename
Type
3276
psiphon3.exe
C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe
executable
MD5: ac50c0249211009443f0e163c515e0be
SHA256: 2701df5e8e9d49ce04e7f5ce4df14ab6b7c6169e976e8f0b3b6d8134100df25e
3276
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\main[1]
html
MD5: 701a6b90950073d694a9a240ed140952
SHA256: b6ae3f822e2433c1b614869f11a218982fbeb3799b17a868a0d522e38813b8c1
2988
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.dat
dat
MD5: 62963db4e0258ccb20abc5f01e774a71
SHA256: 155071a31aaacb2fe91a00d2713e3eb386fe873ce332ff686d658b973e445d5e
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019031420190315\index.dat
dat
MD5: 8076df48fe12e57776fd26db1773b9fc
SHA256: a711b6a2b699d7c7e18662d5c7833fd3665b530c031927f2760a4390fc7aa442
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\firebase.notifications.init[1].js
text
MD5: 0424f6b44d04e5b838bf3585c78a7f61
SHA256: 3c056e894c4aeff9c40877c1d7a92b746dd87153acb51a44735e13d158e6aa3b
2688
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 920c3e13e8882550b1841e1070b3cf0b
SHA256: 52aa8081a274295a06ab30df67d92dfa867d6ed2c5995ad04fa75c35505c0043
2688
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
2288
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
2688
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\TA06771V\whatismyip[1].xml
text
MD5: 715ae0b8e8505d2ad43c2ab7629e2c1b
SHA256: 1f5c056b5034398146150d1930a4e2a504ad310c200d5c9990e3041803d62424
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\f[3].txt
text
MD5: 82bb040bd5729e459f7cc5a09981cc86
SHA256: 0482a98d09daebc18a0d2e1ed8f748da5b0179e61223ed541101df1f4699f073
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\f[2].txt
text
MD5: 82bb040bd5729e459f7cc5a09981cc86
SHA256: 0482a98d09daebc18a0d2e1ed8f748da5b0179e61223ed541101df1f4699f073
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\sky_content_light[1].png
image
MD5: 6002338e17c7a484fbdcf5b941a12214
SHA256: ec6c69329662f458ee7d24892e0a1d2540f16cb375ce5ad972e6a58b5ecd1e8b
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\NGS3v5_NC0k9P9l1aqRMkKo[1].eot
eot
MD5: 65b6c9c9b81c4e91ae05652251daad4f
SHA256: cdb425d2e610ddc90b222e2eb6a4a838bc9414a65304653eb3399e097f49ca0a
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\1Ptug8zYS_SKggPNyC0ISw[1].eot
eot
MD5: b76febefc08cb94a5fd24fa1cecbd382
SHA256: 19f044d90fc9b6870a749bae0387fc2ed2a810869051604f622ea8433e01b8a3
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: 6503f7b909d67fb23117a4727aba5f30
SHA256: d44c7a2cc6dee2e5f04c8653028801dbc2af64cbb7b1a4b63fd67d0fdb3b5b8c
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\eye-slash-solid[1].svg
image
MD5: 840854d88ac97a13506c47ef3222cf09
SHA256: 1b9451f35241c667692568e5d5c004a81177cbdec4a30861a7c5103eb5080bbe
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\analytics[1].js
text
MD5: 0ea40a4cb2873a89cbe597eaea860826
SHA256: 3e552578c7d450b023f2cd9d28f830be4335c3acc6c4ab6dadda0769f09e5f22
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\p_icon[1].png
image
MD5: 902d20d8dc9829aff0f8b7db8c8a6da6
SHA256: 4b68751c69ccabff708fa7d42300db5e2539046d79886f119e94495385e9c27c
2688
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\TA06771V\whatismyip[1].xml
text
MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
2688
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat
dat
MD5: 4d798b77d0dc2072c68df6cbc1e1824d
SHA256: 1db8544eb88f4a0742131f9cc3a8148c6d620eb7d088cb21f057db06bd829d81
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\f[1].txt
text
MD5: be6be250d31a29afb18e92d5035fd8b7
SHA256: dc62bf051ccf470862aa8e4e14220710e6cfaca5a62209aae0ad825a904c6d6a
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\app[1].js
text
MD5: 72bfa1f7be392f89e3c24711b6a31f1b
SHA256: 7606b8dd0a5f8d229a765fbcc396f047b2111050f7977ba3e580f30d23b8da1d
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\OpenSans-Regular[1].ttf
ttf
MD5: 629a55a7e793da068dc580d184cc0e31
SHA256: e64e508b2aa2880f907e470c4550980ec4c0694d103a43f36150ac3f93189bee
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\css[1].txt
text
MD5: f2fd6a1c501df259f0bcaea8ea2c898c
SHA256: 0ddf7f81fdd085e8c74f06480730dcf4843090f011314ce2b3fb7687c7cd2708
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\style-black-footer[1].css
text
MD5: 5cf5ea6d4374871d8a6ed1d2722e215c
SHA256: dbd74fdd3154a60bd1e189eb52675a7288764f84cbab7fb922716d72707ce222
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\location_concealment[1].js
text
MD5: 0c5a90b68bd54a7c580a543f40a1e4d9
SHA256: 8d4e4f70dbee652f6a6205322477837341d4a750c03327594af9fe40921840c7
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\wow[1].js
text
MD5: 164b265e6089f412b7927848018ae6a1
SHA256: 81c4cb0bc57b5cce1816bd704f7a2b12ec2b143c6a067402644d4a139b273350
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\animate[1].css
text
MD5: e32406757509a6ac508ef9180712829f
SHA256: b75f6d25cc96d0dc468811273d2107eddb498b79f0b4e66125b459ddf9600ffd
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\psyphon[1].css
text
MD5: c445e4f89908dd252026f492682d9edd
SHA256: 00ff830c28d730e438f969259f2451da818f61c51cfa4ed0c46c3b052084c404
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\app[1].css
text
MD5: bf8191d927b37ed102a71c1f32911bb5
SHA256: 8af95c8dbe698d5b6a615fdc04305b09c7375940f16c821e6297b252bcb3f8ed
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\psiphon1[1].txt
––
MD5:  ––
SHA256:  ––
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\psiphon1[1].htm
html
MD5: 67740f00ca57248d295c1a72117a44d6
SHA256: 782cea1149717dd8f7fe22c108cf989c4de610a914d47899a41084a9f8876819
2688
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: d340c3047836868bb1855442bddc576b
SHA256: 21daa85c5fc924225f86f8c7332e1ba84c12e173d45059e3f34c877ff87e1298
2688
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 14ecd88ef51900b9dd39de40dd29e400
SHA256: 423d9e53d8a397f59a7696465b8b8d363e4a19ed82074f464b729ddb9f3ed122
2688
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
2988
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2988
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
2988
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3276
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\logo[1]
image
MD5: 42b90e10a6a86254d31b696c5d2ec425
SHA256: 4b384b1c9bbeefda045465fc5aede6cce7a0312625bef497fb6c8d5e8c715389
2988
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 83d58e91fc44d2357700be2b5a669849
SHA256: 6fd361a4b4184156b1858ee5e5d0c4867cc89dd7c4d13b94d8734d6c8fe9bd24
3276
psiphon3.exe
C:\Users\admin\AppData\Roaming\Psiphon3\psiphon.config
text
MD5: 0b6820e1eb84b95f6e62cba4af8cb8aa
SHA256: 61c3d3c2a7c71a85205124060ade1325fb8373b049c9a666b5a5d3d840ededa1
3276
psiphon3.exe
C:\Users\admin\AppData\Roaming\Psiphon3\server_list.dat
text
MD5: 44f78b6d6df75a5de4f6e24151321e44
SHA256: 972d437cc08da3635a2f44232e4bb1f82ef316268961fef24cbdc335171ea133
3276
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\flag_unknown_32[1]
image
MD5: 0e23864908aa82dcfa6cf76bd308a498
SHA256: 2bf319d0025d275df9da396e238377460d9b562bb2f11bb0d9dab23981e79cfd
3276
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\banner[1]
image
MD5: 08b36b5183a2f59ea4b945e69d1dc56f
SHA256: f1f61a3fde6beaf0f24ac19a729d6e596ab305bdfe2e0f75a69c5157f2495101
3276
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\flags32[1]
image
MD5: 3e6527267c26712bd0cea85727fb07f5
SHA256: bed94eb6c145a484b67f6a8281183cb8fba27e2bd91e1e9c95dd2b843fe87784
3276
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\logo-bw[1]
image
MD5: e3c5eb232471c89b49fa8b3e2ee8f1c2
SHA256: a3d3a9bdd3ce2a712438b0222fa66cf0b998f728fec3a9586b8dac00de4a41dd
3276
psiphon3.exe
C:\Users\admin\AppData\Local\Temp\datED13.tmp
eot
MD5: 9ba3a958e8254c41e8ace685e35e8cf1
SHA256: edb2df32f1f406895db11c56998e1390924cff7137ec67b83a935019eaf7a928
3276
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\icomoon[1]
eot
MD5: 9ba3a958e8254c41e8ace685e35e8cf1
SHA256: edb2df32f1f406895db11c56998e1390924cff7137ec67b83a935019eaf7a928
2688
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\firebase.notifications[1].js
text
MD5: 24cea24bd6c941d1c006a55c4737b02b
SHA256: 171c4a3b766b16431c79c89449ddead0280392e61e75675252d797703808238c


Network activity

HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
2
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2264 psiphon-tunnel-core.exe POST 200 46.101.199.43:80 http://underfunds.org/ DE
binary
binary
suspicious
2264 psiphon-tunnel-core.exe POST –– 2.16.186.74:80 http://www.yiboomerglobalbarcode.com/ unknown
binary
––
––
whitelisted
2264 psiphon-tunnel-core.exe POST 200 46.101.199.43:80 http://underfunds.org/ DE
binary
binary
suspicious
2264 psiphon-tunnel-core.exe POST –– 46.101.199.43:80 http://underfunds.org/ DE
binary
––
––
suspicious


Connections

PID Process IP ASN CN Reputation
2264 psiphon-tunnel-core.exe 2.16.186.49:443 Akamai International B.V. –– whitelisted
2264 psiphon-tunnel-core.exe 195.206.105.198:22 –– unknown
2264 psiphon-tunnel-core.exe 212.227.200.149:443 1&1 Internet SE DE unknown
2264 psiphon-tunnel-core.exe 213.108.108.231:554 Greenhost BV NL unknown
2264 psiphon-tunnel-core.exe 128.127.104.97:443 AltusHost B.V. SE unknown
2264 psiphon-tunnel-core.exe 74.208.81.170:53 1&1 Internet SE US unknown
2264 psiphon-tunnel-core.exe 82.223.54.95:443 1&1 Internet SE ES unknown
2264 psiphon-tunnel-core.exe 194.187.251.178:53 M247 Ltd BE unknown
2264 psiphon-tunnel-core.exe 77.68.40.188:443 1&1 Internet SE GB unknown
2264 psiphon-tunnel-core.exe 46.101.199.43:80 Digital Ocean, Inc. DE suspicious
2264 psiphon-tunnel-core.exe 2.16.186.74:80 Akamai International B.V. –– whitelisted
2264 psiphon-tunnel-core.exe 185.9.19.149:554 M247 Ltd AT unknown

DNS requests

Domain IP Reputation
a542.g.akamai.net 2.16.186.49
2.16.186.64
suspicious
a1616.g.akamai.net 2.16.186.74
2.16.186.67
unknown

Threats

PID Process Class Message
2264 psiphon-tunnel-core.exe Potential Corporate Privacy Violation POLICY [PTsecurity] Psiphon3 VPN connection
2264 psiphon-tunnel-core.exe Potential Corporate Privacy Violation POLICY [PTsecurity] Psiphon3 VPN connection
2264 psiphon-tunnel-core.exe Potential Corporate Privacy Violation POLICY [PTsecurity] Psiphon3 VPN connection
2264 psiphon-tunnel-core.exe Potential Corporate Privacy Violation POLICY [PTsecurity] Psiphon3 VPN connection
2264 psiphon-tunnel-core.exe Potential Corporate Privacy Violation POLICY [PTsecurity] Psiphon3 VPN connection
2264 psiphon-tunnel-core.exe Potential Corporate Privacy Violation POLICY [PTsecurity] Psiphon3 VPN connection
2264 psiphon-tunnel-core.exe Potential Corporate Privacy Violation POLICY [PTsecurity] Psiphon3 VPN connection

Debug output strings

Process Message
psiphon3.exe