General Info

File name
psiphon3.exe
Full analysis
https://app.any.run/tasks/ecbf1831-64f1-41e8-83ad-8a8e219face7
Verdict
Malicious activity
Analysis date
8/13/2019, 17:07:29
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5
16b965cb5539f58b273cb327c88524d8
SHA1
54ccc518f4c032909211229ded7a7b63f19b28e0
SHA256
7d364bb999bd7cf126f5ae35c7cc80de32a112bafb8cfa7d4f0533348949b994
SSDEEP
98304:T5XQQR6sdk08XmikVoyr3ob7qMK+Mg7kgFbMQptxiBmiKj8uuYZT+hBJ:T5XQQR6ok8ikgb6XqbXxamisuY9CBJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • psiphon-tunnel-core.exe (PID: 2952)
Executed via COM
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3460)
Creates files in the user directory
  • psiphon3.exe (PID: 3724)
  • psiphon-tunnel-core.exe (PID: 2952)
Reads Internet Cache Settings
  • rundll32.exe (PID: 3840)
  • psiphon3.exe (PID: 3724)
Starts Internet Explorer
  • psiphon3.exe (PID: 3724)
Uses RUNDLL32.EXE to load library
  • psiphon3.exe (PID: 3724)
Executable content was dropped or overwritten
  • psiphon3.exe (PID: 3724)
Reads internet explorer settings
  • psiphon3.exe (PID: 3724)
Creates files in the user directory
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3460)
  • iexplore.exe (PID: 2308)
  • iexplore.exe (PID: 2260)
Reads settings of System Certificates
  • iexplore.exe (PID: 2308)
Reads internet explorer settings
  • iexplore.exe (PID: 2260)
Changes internet zones settings
  • iexplore.exe (PID: 2308)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2260)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe | UPX compressed Win32 Executable (43.5%)
.exe | Win32 EXE Yoda's Crypter (42.7%)
.exe | Win32 Executable (generic) (7.2%)
.exe | Generic Win/DOS Executable (3.2%)
.exe | DOS Executable Generic (3.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:08:09 02:59:44+02:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
6209536
InitializedDataSize:
90112
UninitializedDataSize:
11902976
EntryPoint:
0x11467e0
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
09-Aug-2019 00:59:44
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000120
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
09-Aug-2019 00:59:44
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
UPX0 0x00001000 0x00B5A000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
UPX1 0x00B5B000 0x005EC000 0x005EBC00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.9305
.rsrc 0x01147000 0x00016000 0x00015C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.48738
Resources
1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

131

132

133

146

147

COUNTRY_DIALING_CODES.JSON

BANNER.PNG

FLAGS32.PNG

FLAG_UNKNOWN_32.PNG

FLAG_UNKNOWN_64.PNG

ICOMOON.EOT

LOGO-BW.PNG

LOGO.PNG

MAIN.HTML

Imports
    KERNEL32.DLL

    ADVAPI32.dll

    COMCTL32.dll

    CRYPT32.dll

    GDI32.dll

    ole32.dll

    OLEAUT32.dll

    RASAPI32.dll

    SHELL32.dll

    SHLWAPI.dll

    USER32.dll

    VERSION.dll

    WINHTTP.dll

    WININET.dll

    WS2_32.dll

Exports

    No exports.

Processes

Total processes
41
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

[Behavior graph: psiphon3.exe drops and starts psiphon-tunnel-core.exe; starts rundll32.exe (no specs) and iexplore.exe, which starts a second iexplore.exe; flashutil32_26_0_0_131_activex.exe (no specs)]

Process information

PID
3724
CMD
"C:\Users\admin\AppData\Local\Temp\psiphon3.exe"
Path
C:\Users\admin\AppData\Local\Temp\psiphon3.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\psiphon3.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\t2embed.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\microsoft shared\vgx\vgx.dll
c:\windows\system32\atl.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\dxtrans.dll
c:\windows\system32\ddrawex.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dxtmsft.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\users\admin\appdata\local\temp\psiphon-tunnel-core.exe
c:\windows\system32\d3dim700.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\propsys.dll
c:\program files\internet explorer\iexplore.exe

PID
2952
CMD
C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\admin\AppData\Roaming\Psiphon3\psiphon.config" --serverList "C:\Users\admin\AppData\Roaming\Psiphon3\server_list.dat"
Path
C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe
Indicators
Parent process
psiphon3.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\psiphon-tunnel-core.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3840
CMD
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
psiphon3.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll

PID
2308
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=SE&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
psiphon3.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\devobj.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2260
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2308 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\feclient.dll
c:\windows\system32\iepeers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\t2embed.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx
c:\windows\system32\winmm.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\dinput8.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll

PID
3460
CMD
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version
26,0,0,131
Modules
Image
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

Registry activity

Total events
665
Read events
539
Write events
124
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
SkipBrowser
0
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
SkipProxySettings
0
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
SkipAutoConnect
0
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
EnableFileTracing
0
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
EnableConsoleTracing
0
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
FileTracingMask
4294901760
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
ConsoleTracingMask
4294901760
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
MaxFileSize
1048576
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASAPI32
FileDirectory
%windir%\tracing
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
NativeProxyInfo
{"proxies":[{"bypass":"","flags":1,"name":"","proxy":""}]}
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
EnableFileTracing
0
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
EnableConsoleTracing
0
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
FileTracingMask
4294901760
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
ConsoleTracingMask
4294901760
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
MaxFileSize
1048576
3724
psiphon3.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\psiphon3_RASMANCS
FileDirectory
%windir%\tracing
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CachePrefix
DOMStore
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheLimit
1000
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheOptions
8
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheRepair
0
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
UICookies
{"language":"en"}
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
UICookies
{"language":"en","AvailableEgressRegions":["AT","BE","BG","CA","CH","CZ","DE","DK","ES","GB","HU","IN","IT","JP","NL","NO","PL","RO","SE","SG","SK","US"]}
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Psiphon3
PsiphonProxyInfo
{"proxies":[{"bypass":"<local>","flags":2,"name":"","proxy":"http=127.0.0.1:49555;https=127.0.0.1:49555;socks=127.0.0.1:49554"}]}
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
http=127.0.0.1:49555;https=127.0.0.1:49555;socks=127.0.0.1:49554
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyOverride
<local>
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
46000000930000000200000040000000687474703D3132372E302E302E313A34393535353B68747470733D3132372E302E302E313A34393535353B736F636B733D3132372E302E302E313A3439353534070000003C6C6F63616C3E000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
46000000940000000200000040000000687474703D3132372E302E302E313A34393535353B68747470733D3132372E302E302E313A34393535353B736F636B733D3132372E302E302E313A3439353534070000003C6C6F63616C3E000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3724
psiphon3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
http=127.0.0.1:49555;https=127.0.0.1:49555;socks=127.0.0.1:49554
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyOverride
<local>
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
46000000960000000200000040000000687474703D3132372E302E302E313A34393535353B68747470733D3132372E302E302E313A34393535353B736F636B733D3132372E302E302E313A3439353534070000003C6C6F63616C3E000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{27E39546-BDDC-11E9-9885-5254004A04AF}
0
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
2
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307080002000D000F0008000800FD01
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
2
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307080002000D000F00080008001D02
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
2
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307080002000D000F0008000800FA02
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
10
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
2
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307080002000D000F00080008002903
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
84
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
2
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307080002000D000F00080009004B00
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
29
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Type
1
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
1
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307080002000D000F0008000B004D01
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
2308
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
64DABCECE851D501
2308
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
2
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307080002000D000F0008000C007602
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
3
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307080002000D000F0008000D007100
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
2308
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
2260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019081320190814
2260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
2260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
2260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
2260
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
2260
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829

Files activity

Executable files
1
Suspicious files
0
Text files
44
Unknown types
12

Dropped files

PID
Process
Filename
Type
3724
psiphon3.exe
C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe
executable
MD5: a33148c5ff0767f91bfbaf81418fc81f
SHA256: ad17faa17e65e4f0ed96b557754e005b78b18528d54a166d2275e5b39115aacd
3724
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\main[1]
html
MD5: 29fa264cb54df50df777f2f4f6154a1c
SHA256: 8caaaae2aa224ffec4f598a7ad44236b3f65bc4089c3cc0492c31d5a448d3da0
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 85efce884897dd1fc6141714d65f66b4
SHA256: 2dc080beb3b709ce160d3c19dc1f558b94449de6c96e1f5e7ed28cd966552ab3
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\532COD54\js[1]
text
MD5: 0743ac4ebfb71a960d4c27e982841e18
SHA256: 331ce745672b322a52391b0cbd1e10dbf29bfb57bb6a777a960b3e2ce7b8f6cc
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
2308
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: d7b3aaffe64f504bc46a18366fe2796a
SHA256: eea861032c19a4b6b95d39c2ed20e83f6af82ff6632e9cce9e666e3f00458f40
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\psiphon1[1].txt
––
MD5:  ––
SHA256:  ––
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\psiphon1[2].htm
html
MD5: 493b05b1fac62698b139890b7343b479
SHA256: 636780cedceec3d59fb2132089ac6c8953a02dd60e5122fce23857f98df5af45
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: 38a557c90e5f5d26a0a17bcbe5e815cd
SHA256: 750c8b92e8b87a4957a1d7c39a6122e16853ec1f1e6573e3b3514b36c4375d1d
2308
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: e36b72d973704aa81add39ff536797c1
SHA256: 0b9ddb9c2df6323302f4ca786ba31339c43c52ad1c6f5f452cd06146f87f4d74
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: 5b3b715f64a11230b16dd1e1000d8b09
SHA256: 47820b5aa1ba2e73bd4d9fb3326845ac968301f5f78a638312eae0efbccd1d12
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7BU1P38S\js[1]
text
MD5: 0743ac4ebfb71a960d4c27e982841e18
SHA256: 331ce745672b322a52391b0cbd1e10dbf29bfb57bb6a777a960b3e2ce7b8f6cc
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: 94255ba5d1ddc5eb539c160aa1578da4
SHA256: 7e3dfc16eb661f805a394907ac93d450c732a75960bf20c2b624b8b48534e10b
3460
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCVUBYU7\firebase.notifications[1].js
text
MD5: 24cea24bd6c941d1c006a55c4737b02b
SHA256: 171c4a3b766b16431c79c89449ddead0280392e61e75675252d797703808238c
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7BU1P38S\p_icon[1].png
image
MD5: 902d20d8dc9829aff0f8b7db8c8a6da6
SHA256: 4b68751c69ccabff708fa7d42300db5e2539046d79886f119e94495385e9c27c
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\532COD54\1Ptug8zYS_SKggPNyC0ISw[1].eot
eot
MD5: e18be132ed71498dc498dcc99fe144b2
SHA256: 07c1c301fe55759d09cd30a4a0276dea43c3c7286a1448d03aacd16dd57d6214
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\532COD54\NGS3v5_NC0k9P9l1aqRMkKo[1].eot
eot
MD5: 65b6c9c9b81c4e91ae05652251daad4f
SHA256: cdb425d2e610ddc90b222e2eb6a4a838bc9414a65304653eb3399e097f49ca0a
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCVUBYU7\analytics[1].js
text
MD5: a477b40dcc869e74d6414e8e42e36844
SHA256: cec3748d0c3da4700300d5424aaea375b03550b0ee8b3dd38e242c4022261446
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\firebase.notifications.init[1].js
text
MD5: 0424f6b44d04e5b838bf3585c78a7f61
SHA256: 3c056e894c4aeff9c40877c1d7a92b746dd87153acb51a44735e13d158e6aa3b
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\eye-slash-solid[1].svg
image
MD5: 840854d88ac97a13506c47ef3222cf09
SHA256: 1b9451f35241c667692568e5d5c004a81177cbdec4a30861a7c5103eb5080bbe
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7BU1P38S\sky_content_light[1].png
image
MD5: 6002338e17c7a484fbdcf5b941a12214
SHA256: ec6c69329662f458ee7d24892e0a1d2540f16cb375ce5ad972e6a58b5ecd1e8b
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\532COD54\OpenSans-Regular[1].ttf
ttf
MD5: 629a55a7e793da068dc580d184cc0e31
SHA256: e64e508b2aa2880f907e470c4550980ec4c0694d103a43f36150ac3f93189bee
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: f8b13f3df3a974bc24b6a4ce7088f841
SHA256: 831e2a6fa013dc7fa3d5cdd90c52f7751891fcb80e34bb0f1373a0c85b53161f
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
gmc
MD5: ce338fe6899778aacfc28414f2d9498b
SHA256: 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\f[1].txt
text
MD5: 0eaf6b9813845f03c6227ca78f043d07
SHA256: 433708592d444e9cf81326795e0d23ffdfedc716fb428fbfd45d696880394107
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7BU1P38S\app[1].js
text
MD5: 72bfa1f7be392f89e3c24711b6a31f1b
SHA256: 7606b8dd0a5f8d229a765fbcc396f047b2111050f7977ba3e580f30d23b8da1d
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\gtm[1].js
text
MD5: ecb1cb08c0960cbff80f79f1eb7691b7
SHA256: 9b4e2bef5a32d1e914922371e278cc224d894f6625e6d3eafe9c485b42db1695
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7BU1P38S\location_concealment[1].js
text
MD5: 0c5a90b68bd54a7c580a543f40a1e4d9
SHA256: 8d4e4f70dbee652f6a6205322477837341d4a750c03327594af9fe40921840c7
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\532COD54\wow[1].js
text
MD5: 164b265e6089f412b7927848018ae6a1
SHA256: 81c4cb0bc57b5cce1816bd704f7a2b12ec2b143c6a067402644d4a139b273350
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\532COD54\f[1].txt
––
MD5:  ––
SHA256:  ––
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCVUBYU7\style-black-footer[1].css
text
MD5: 5cf5ea6d4374871d8a6ed1d2722e215c
SHA256: dbd74fdd3154a60bd1e189eb52675a7288764f84cbab7fb922716d72707ce222
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCVUBYU7\css[1].txt
text
MD5: 3a8d3cea05b9104d51a32cddfe536f0a
SHA256: 4a2a7be112c9ce57d829b70dd9259bbf3792b1c7fd4a62adaab0bbf092d4a660
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\js[1]
text
MD5: 9918e0d1d18422f0d3d424db83ba8da1
SHA256: de8ab9abafd885126cf43fdcd5f93cd1d7332fca5b6ad5c40f91b773cd62ba1c
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7BU1P38S\psyphon[1].css
text
MD5: ee52a295a064efc16fc107e2b9494058
SHA256: 9720bbfd656c447a71f3cc16268cc3b4211c3dcac6f282fc6c11d407c8831b63
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\532COD54\animate[1].css
text
MD5: e32406757509a6ac508ef9180712829f
SHA256: b75f6d25cc96d0dc468811273d2107eddb498b79f0b4e66125b459ddf9600ffd
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCVUBYU7\app[1].css
text
MD5: 88c53847778dc60bef90e07f6a065c76
SHA256: d19ce95b781d933897fa2295294b59d24c5835dfa3bf5580bce2e417a91481a3
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\psiphon1[1].htm
html
MD5: 493b05b1fac62698b139890b7343b479
SHA256: 636780cedceec3d59fb2132089ac6c8953a02dd60e5122fce23857f98df5af45
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: c1a1600d6c746c351cd7831ce6f44ea4
SHA256: 9e202a16f7ef5fa2c83f25ef184e2c2f92ab1dd4eede527ee1bcb3ec5dc37b64
2260
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
dat
MD5: e2e7ea4368645b540b3324cd050fae86
SHA256: 5c31b17f6dee1a44acc3866808d53fe97ff8b0dd3ee08a01e267a87d209b923d
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
dat
MD5: b25affd3769b9a008f53f3cd4b5337f0
SHA256: d73823ccebaf7cf731c5a8a272e4eab026fb48e507f2a20ad603bb980b44f294
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 277070db40983278d04fb4453ae9f1cb
SHA256: 0370f49ccae67d45347b6d5f38354c5de68c678f1aa3f1d1185a0f88dd478c86
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
2308
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2308
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
2308
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3840
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7BU1P38S\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3840
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\532COD54\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3840
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3840
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCVUBYU7\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3724
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\logo[1]
image
MD5: 42b90e10a6a86254d31b696c5d2ec425
SHA256: 4b384b1c9bbeefda045465fc5aede6cce7a0312625bef497fb6c8d5e8c715389
3840
rundll32.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: e794dd27a837f3d2213c647c0817c1cb
SHA256: fc2514df7505402dddd4be9a0a7152e68280cb8b2eeb82489886379b0729040e
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: c1b64acdb18a2161715f1d14d025b719
SHA256: 781cee3d3ac37acd028fd54e37d0b0a0025dbd70377ab4218a21a87f0f84e455
3724
psiphon3.exe
C:\Users\admin\AppData\Roaming\Psiphon3\server_list.dat
text
MD5: 72dcad760a5687fbfd219ddb0600e752
SHA256: 6fcdc2a54cb8f79a48e3cf1941f1c6049f7e5080781f0f0ead339b979e46da4b
3724
psiphon3.exe
C:\Users\admin\AppData\Roaming\Psiphon3\psiphon.config
text
MD5: c122c17b48f04d3e6a28a6b218a451e5
SHA256: 920c1c27f9d670b7d89dacc8f23f0f9ecbf4833f3291157c743a2e880b1847ec
3724
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\flag_unknown_32[1]
image
MD5: 0e23864908aa82dcfa6cf76bd308a498
SHA256: 2bf319d0025d275df9da396e238377460d9b562bb2f11bb0d9dab23981e79cfd
3724
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\banner[1]
image
MD5: 08b36b5183a2f59ea4b945e69d1dc56f
SHA256: f1f61a3fde6beaf0f24ac19a729d6e596ab305bdfe2e0f75a69c5157f2495101
3724
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\flags32[1]
image
MD5: 3e6527267c26712bd0cea85727fb07f5
SHA256: bed94eb6c145a484b67f6a8281183cb8fba27e2bd91e1e9c95dd2b843fe87784
3724
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\logo-bw[1]
image
MD5: e3c5eb232471c89b49fa8b3e2ee8f1c2
SHA256: a3d3a9bdd3ce2a712438b0222fa66cf0b998f728fec3a9586b8dac00de4a41dd
3724
psiphon3.exe
C:\Users\admin\AppData\Local\Temp\datD7CB.tmp
eot
MD5: 9ba3a958e8254c41e8ace685e35e8cf1
SHA256: edb2df32f1f406895db11c56998e1390924cff7137ec67b83a935019eaf7a928
3724
psiphon3.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\icomoon[1]
eot
MD5: 9ba3a958e8254c41e8ace685e35e8cf1
SHA256: edb2df32f1f406895db11c56998e1390924cff7137ec67b83a935019eaf7a928
2260
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
––
MD5:  ––
SHA256:  ––

Find more information on the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
11
DNS requests
42
Threats
2

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
2952 psiphon-tunnel-core.exe 2.16.106.74:443 Akamai International B.V. –– unknown
2952 psiphon-tunnel-core.exe 178.62.40.168:53 Digital Ocean, Inc. GB unknown
2952 psiphon-tunnel-core.exe 104.18.151.190:443 Cloudflare Inc US unknown
2952 psiphon-tunnel-core.exe 185.217.69.100:22 M247 Ltd US unknown
–– –– 213.108.110.57:22 Greenhost BV NL unknown
2952 psiphon-tunnel-core.exe 37.46.114.17:53 AltusHost B.V. BG unknown
2952 psiphon-tunnel-core.exe 212.227.200.149:443 1&1 Internet SE DE unknown
2952 psiphon-tunnel-core.exe 195.206.104.236:53 –– unknown
2952 psiphon-tunnel-core.exe 139.59.25.93:80 Digital Ocean, Inc. IN unknown
2952 psiphon-tunnel-core.exe 2.16.186.115:443 Akamai International B.V. –– whitelisted
2952 psiphon-tunnel-core.exe 2.16.186.107:443 Akamai International B.V. –– whitelisted

DNS requests

Domain IP Reputation
a408.b.akamai.net 2.16.106.74, 2.16.106.113 unknown
a1300.gd.akamai.net 2.16.186.107, 2.16.186.51 unknown
No response unknown
a852.gd.akamai.net 2.16.186.115, 2.16.186.105 unknown

Threats

PID Process Class Message
2952 psiphon-tunnel-core.exe Potential Corporate Privacy Violation ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
2952 psiphon-tunnel-core.exe Generic Protocol Command Decode SURICATA Applayer Detect protocol only one direction

Debug output strings

Process Message
psiphon3.exe