| File name: | ZOREEOXK.msi |
| Full analysis: | https://app.any.run/tasks/fe320a26-a4d3-4913-9bba-d402deeb41ee |
| Verdict: | Malicious activity |
| Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
| Analysis date: | January 15, 2026, 15:27:48 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Prepuce, Author: Catafalque Mallard, Keywords: Installer, Comments: This installer database contains the logic and data required to install Prepuce., Template: Intel;1033, Revision Number: {D1EF5B7A-8EEB-476D-AE13-D711A6266878}, Create Time/Date: Wed Jan 14 14:02:28 2026, Last Saved Time/Date: Wed Jan 14 14:02:28 2026, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2 |
| MD5: | 98C074B69051A0F0387941B6BD34E6E4 |
| SHA1: | 455C845F239CC20D63F923DAA0D160852CF4E24A |
| SHA256: | 518F81A770792404DDB01A52DF41393C6F4181A28D7428C4B91439B3D99470B9 |
| SSDEEP: | 98304:yJcVFDC10JIFaul7p0kYJDj3GXIMIoSlL+BslURQfeXryPspxE1Px7xv77G/Xoos:Jdr |
MALICIOUS
Executing a file with an untrusted certificate
- MegaA.exe (PID: 2708)
HIJACKLOADER has been detected (YARA)
- Infra_Transp.exe (PID: 5740)
- MegaA.exe (PID: 2708)
Connects to the CnC server
- MegaA.exe (PID: 2708)
HIJACKLOADER has been detected (SURICATA)
- MegaA.exe (PID: 2708)
Actions looks like stealing of personal data
- MegaA.exe (PID: 2708)
Steals credentials from Web Browsers
- MegaA.exe (PID: 2708)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 7752)
Executable content was dropped or overwritten
- Infra_Transp.exe (PID: 2256)
- Infra_Transp.exe (PID: 5740)
Starts itself from another location
- Infra_Transp.exe (PID: 2256)
There is functionality for taking screenshot (YARA)
- Infra_Transp.exe (PID: 5740)
Contacting a server suspected of hosting an CnC
- MegaA.exe (PID: 2708)
Connects to unusual port
- MegaA.exe (PID: 2708)
Possible stealing from crypto wallets
- MegaA.exe (PID: 2708)
INFO
The sample compiled with english language support
- msiexec.exe (PID: 7572)
- msiexec.exe (PID: 7704)
- Infra_Transp.exe (PID: 2256)
- Infra_Transp.exe (PID: 5740)
Manages system restore points
- SrTasks.exe (PID: 7440)
Checks supported languages
- msiexec.exe (PID: 7704)
- Infra_Transp.exe (PID: 2256)
- Infra_Transp.exe (PID: 5740)
- MegaA.exe (PID: 2708)
- Crisp.exe (PID: 5512)
Reads the computer name
- msiexec.exe (PID: 7704)
- Infra_Transp.exe (PID: 2256)
- Infra_Transp.exe (PID: 5740)
- MegaA.exe (PID: 2708)
- Crisp.exe (PID: 5512)
Executable content was dropped or overwritten
- msiexec.exe (PID: 7704)
Creates files in the program directory
- Infra_Transp.exe (PID: 2256)
- MegaA.exe (PID: 2708)
Creates files or folders in the user directory
- Infra_Transp.exe (PID: 5740)
Create files in a temporary directory
- Infra_Transp.exe (PID: 5740)
- MegaA.exe (PID: 2708)
- Crisp.exe (PID: 5512)
Reads the machine GUID from the registry
- MegaA.exe (PID: 2708)
Checks proxy server information
- slui.exe (PID: 4040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Installer (100) |
|---|
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | Prepuce |
| Author: | Catafalque Mallard |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install Prepuce. |
| Template: | Intel;1033 |
| RevisionNumber: | {D1EF5B7A-8EEB-476D-AE13-D711A6266878} |
| CreateDate: | 2026:01:14 14:02:28 |
| ModifyDate: | 2026:01:14 14:02:28 |
| Pages: | 500 |
| Words: | 10 |
| Software: | WiX Toolset (4.0.0.0) |
| Security: | Read-only recommended |
Total processes
166
Monitored processes
10
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2256 | "C:\Users\admin\AppData\Local\Fluorite\Infra_Transp.exe" | C:\Users\admin\AppData\Local\Fluorite\Infra_Transp.exe | msiexec.exe | ||||||||||||
User: admin Company: COMODO Integrity Level: MEDIUM Description: COMODO Internet Security 2025 Exit code: 0 Version: 12, 3, 4, 8162 Modules
| |||||||||||||||
| 2708 | C:\Users\admin\AppData\Local\MegaA.exe | C:\Users\admin\AppData\Local\MegaA.exe | Infra_Transp.exe | ||||||||||||
User: admin Company: Qihoo 360 Technology Co. Ltd. Integrity Level: MEDIUM Description: 360 Total Security Version: 9,0,0,1034 Modules
| |||||||||||||||
| 4040 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5512 | C:\Users\admin\AppData\Roaming\com_ms_worker_v3_x86_lts\Crisp.exe | C:\Users\admin\AppData\Roaming\com_ms_worker_v3_x86_lts\Crisp.exe | — | Infra_Transp.exe | |||||||||||
User: admin Company: Crisp IM SAS Integrity Level: MEDIUM Description: Crisp Exit code: 0 Version: 6.0.68 Modules
| |||||||||||||||
| 5740 | C:\ProgramData\com_ms_worker_v3_x86_lts\Infra_Transp.exe | C:\ProgramData\com_ms_worker_v3_x86_lts\Infra_Transp.exe | Infra_Transp.exe | ||||||||||||
User: admin Company: COMODO Integrity Level: MEDIUM Description: COMODO Internet Security 2025 Exit code: 0 Version: 12, 3, 4, 8162 Modules
| |||||||||||||||
| 7440 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7464 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7572 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\ZOREEOXK.msi | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7704 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7752 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 539
Read events
5 382
Write events
148
Delete events
9
Modification events
| (PID) Process: | (7704) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 48000000000000002E61AA853386DC01181E0000381E0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7704) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 48000000000000002E61AA853386DC01181E0000381E0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7704) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000859802863386DC01181E0000381E0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7704) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 15 | |||
| (PID) Process: | (7704) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 48000000000000006ED21C863386DC01181E0000D41E0000E8030000010000000000000000000000D8459690D460D9409200C0E5E71A920D00000000000000000000000000000000 | |||
| (PID) Process: | (7752) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000545B26863386DC01481E0000741E0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7752) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 480000000000000091BD28863386DC01481E0000F01E0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7752) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 480000000000000091BD28863386DC01481E0000781E0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7752) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (7752) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 48000000000000004E822D863386DC01481E0000781E0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
8
Suspicious files
28
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7704 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 7704 | msiexec.exe | C:\Windows\Installer\100a72.msi | — | |
MD5:— | SHA256:— | |||
| 7704 | msiexec.exe | C:\Windows\Installer\100a74.msi | — | |
MD5:— | SHA256:— | |||
| 7704 | msiexec.exe | C:\Windows\Temp\~DF5185055B3E1F2C1A.TMP | binary | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
| 7704 | msiexec.exe | C:\Windows\Installer\MSIB2D.tmp | binary | |
MD5:2AACC3B0DC64F9A341E8577787A890F7 | SHA256:D4A2C559ED3372C7351BE96A35FEAEE9BDE69480906E68E2FCCD0E3A8E27254E | |||
| 7704 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{909645d8-60d4-40d9-9200-c0e5e71a920d}_OnDiskSnapshotProp | binary | |
MD5:6E1513C249860B4EAB714CF22752E773 | SHA256:5E2CCAAD2CED0C753FBC3D6057B72237F2C7EE3D9567DE19B3AB499C5655E0E4 | |||
| 7704 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:6E1513C249860B4EAB714CF22752E773 | SHA256:5E2CCAAD2CED0C753FBC3D6057B72237F2C7EE3D9567DE19B3AB499C5655E0E4 | |||
| 7704 | msiexec.exe | C:\Windows\Temp\~DF9D1C3D173019E673.TMP | binary | |
MD5:88966CC64D79E40553F4E957E6CBD438 | SHA256:C02C78DDD2DE4DBCFD39505728B8B5FAD0BEE498A73BC338B5BBBD6FC13E0DFC | |||
| 7704 | msiexec.exe | C:\Users\admin\AppData\Local\Fluorite\cmdres.DLL | executable | |
MD5:FF43FD01F2D5C1BA9F83281D0AE51E05 | SHA256:F2950699D233A0A3D5C970D83584CB06E2ADA5D42389A52D709D7A5DEA92DC71 | |||
| 7704 | msiexec.exe | C:\Users\admin\AppData\Local\Fluorite\Plourheamkroub.ywr | binary | |
MD5:12B0411BDF3B4090A32F4B77DF2E79CA | SHA256:BCD85A002245E0B78B6C78520C7A135CEF33919F5655FB68F450799AF9A430CA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
251
TCP/UDP connections
61
DNS requests
23
Threats
16
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6768 | MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | — | — | whitelisted |
5080 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
8040 | SIHClient.exe | GET | 200 | 52.165.164.15:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
5080 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
5080 | svchost.exe | GET | 200 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 1.43 Kb | whitelisted |
4300 | svchost.exe | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted |
4300 | svchost.exe | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | US | binary | 11.0 Kb | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/FlightSettings/FSService?ProcessorClockSpeed=3094&IsRetailOS=1&OEMManufacturerName=DELL&FlightingPolicyValue=3&EnablePreviewBuilds=4294967295&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&ManagePreviewBuilds=3&BranchReadinessLevelSource=0&AttrDataVer=186&ProcessorCores=6&BranchReadinessLevelRaw=16&TotalPhysicalRAM=6144&TPMVersion=0&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&DeviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&App=FSS&AppVer=10.0&SmartActiveHoursState=1&ActiveHoursStart=20&SecureBootCapable=0&ActiveHoursEnd=13&DeviceFamily=Windows.Desktop | US | text | 87.3 Kb | whitelisted |
4300 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1600 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5080 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
5080 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5080 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
5080 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4300 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
2708 | MegaA.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC connection established M1 |
2708 | MegaA.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound |
2708 | MegaA.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC frame inbound |
2708 | MegaA.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound |
2708 | MegaA.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound |
2708 | MegaA.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC frame inbound |
2708 | MegaA.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound |
2708 | MegaA.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC frame outbound |
2708 | MegaA.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Win32/HijackLoader CnC frame inbound |