hxxp://netid[.]today/gov[.]utah[.]edu/continue[.]php

Analysis

max time kernel
599s
max time network
490s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
17/11/2023, 21:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://netid.today/gov.utah.edu/continue.php

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133447303399651572"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe
Token: SeShutdownPrivilege	1232	chrome.exe
Token: SeCreatePagefilePrivilege	1232	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe
1232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 4188	1232	chrome.exe	60
PID 1232 wrote to memory of 4188	1232	chrome.exe	60
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4772	1232	chrome.exe	73
PID 1232 wrote to memory of 4560	1232	chrome.exe	74
PID 1232 wrote to memory of 4560	1232	chrome.exe	74
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75
PID 1232 wrote to memory of 524	1232	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://netid.today/gov.utah.edu/continue.php
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd621d9758,0x7ffd621d9768,0x7ffd621d9778
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1832,i,12971212719931726660,3518660140931567090,131072 /prefetch:2
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1832,i,12971212719931726660,3518660140931567090,131072 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1832,i,12971212719931726660,3518660140931567090,131072 /prefetch:8
  2⤵
  PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2712 --field-trial-handle=1832,i,12971212719931726660,3518660140931567090,131072 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2692 --field-trial-handle=1832,i,12971212719931726660,3518660140931567090,131072 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1832,i,12971212719931726660,3518660140931567090,131072 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1832,i,12971212719931726660,3518660140931567090,131072 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1832,i,12971212719931726660,3518660140931567090,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3680

Network

DNS

netid.today

chrome.exe

Remote address:

8.8.8.8:53

Request

netid.today

IN A

Response

netid.today

IN A

72.167.204.141
GET

http://netid.today/gov.utah.edu/fHead.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/fHead.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Fri, 17 Nov 2023 20:51:20 GMT
ETag: "6415c5-1f6e-60a5f4c6f6e78"
Accept-Ranges: bytes
Content-Length: 8046
Keep-Alive: timeout=5
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/l1.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/l1.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Last-Modified: Fri, 17 Nov 2023 20:51:21 GMT
ETag: "6415cf-a5-60a5f4c7e530b"
Accept-Ranges: bytes
Content-Length: 165
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/continue.php

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/continue.php HTTP/1.1
Host: netid.today
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:17 GMT
Server: Apache
X-Powered-By: PHP/7.4.33
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1547
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8
GET

http://netid.today/gov.utah.edu/hea.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/hea.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Last-Modified: Fri, 17 Nov 2023 20:51:21 GMT
ETag: "6415c8-e11-60a5f4c75042f"
Accept-Ranges: bytes
Content-Length: 3601
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/socials.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/socials.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Last-Modified: Fri, 17 Nov 2023 20:51:24 GMT
ETag: "6415e4-f33-60a5f4ca98daa"
Accept-Ranges: bytes
Content-Length: 3891
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/tom2.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/tom2.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Last-Modified: Fri, 17 Nov 2023 20:51:25 GMT
ETag: "64160d-3f05-60a5f4cb23875"
Accept-Ranges: bytes
Content-Length: 16133
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/lo.png

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/lo.png HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Last-Modified: Fri, 17 Nov 2023 20:51:23 GMT
ETag: "6415d1-791f-60a5f4c939876"
Accept-Ranges: bytes
Content-Length: 31007
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/lsnameline.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/lsnameline.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Fri, 17 Nov 2023 20:51:23 GMT
ETag: "6415d7-e30-60a5f4c9b4940"
Accept-Ranges: bytes
Content-Length: 3632
Keep-Alive: timeout=5
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/emails.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/emails.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Last-Modified: Fri, 17 Nov 2023 20:51:20 GMT
ETag: "6415c0-81b-60a5f4c65f4a3"
Accept-Ranges: bytes
Content-Length: 2075
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/coz.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/coz.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Fri, 17 Nov 2023 20:51:19 GMT
ETag: "6415bc-b2d-60a5f4c5840c2"
Accept-Ranges: bytes
Content-Length: 2861
Keep-Alive: timeout=5
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/tom1.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/tom1.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Last-Modified: Fri, 17 Nov 2023 20:51:25 GMT
ETag: "64160e-8b32-60a5f4cb23875"
Accept-Ranges: bytes
Content-Length: 35634
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/dobs.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/dobs.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Fri, 17 Nov 2023 20:51:19 GMT
ETag: "6415be-cf6-60a5f4c5f1e9b"
Accept-Ranges: bytes
Content-Length: 3318
Keep-Alive: timeout=5
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/sides.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/sides.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Last-Modified: Fri, 17 Nov 2023 20:51:24 GMT
ETag: "6415e0-14d-60a5f4ca887f1"
Accept-Ranges: bytes
Content-Length: 333
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/inbt.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/inbt.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Fri, 17 Nov 2023 20:51:21 GMT
ETag: "6415cc-a2-60a5f4c7dce3a"
Accept-Ranges: bytes
Content-Length: 162
Keep-Alive: timeout=5
Content-Type: image/png
GET

http://netid.today/gov.utah.edu/phnbr.PNG

chrome.exe

Remote address:

72.167.204.141:80

Request

GET /gov.utah.edu/phnbr.PNG HTTP/1.1
Host: netid.today
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://netid.today/gov.utah.edu/continue.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Fri, 17 Nov 2023 21:32:18 GMT
Server: Apache
Last-Modified: Fri, 17 Nov 2023 20:51:24 GMT
ETag: "6415dc-733-60a5f4ca27539"
Accept-Ranges: bytes
Content-Length: 1843
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: image/png
DNS

content-autofill.googleapis.com

chrome.exe

Remote address:

8.8.8.8:53

Request

content-autofill.googleapis.com

IN A

Response

content-autofill.googleapis.com

IN A

216.58.214.10

content-autofill.googleapis.com

IN A

142.250.179.138

content-autofill.googleapis.com

IN A

142.251.36.42

content-autofill.googleapis.com

IN A

142.250.179.170

content-autofill.googleapis.com

IN A

142.250.179.202

content-autofill.googleapis.com

IN A

142.251.36.10

content-autofill.googleapis.com

IN A

142.251.39.106

content-autofill.googleapis.com

IN A

172.217.23.202
GET

https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSZAkrs7i3t5irlxIFDX99I4kSBQ26EHJMEgUNH_Z92BIFDai2VMwSBQ0MezKgEgUNbe4B1BIFDRmDxswSBQ1ngaaBEgUNitbaZxIFDeNt8eESBQ2N0nXfEgUN7huUKRIFDY24CDI=?alt=proto

chrome.exe

Remote address:

216.58.214.10:443

Request

GET /v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSZAkrs7i3t5irlxIFDX99I4kSBQ26EHJMEgUNH_Z92BIFDai2VMwSBQ0MezKgEgUNbe4B1BIFDRmDxswSBQ1ngaaBEgUNitbaZxIFDeNt8eESBQ2N0nXfEgUN7huUKRIFDY24CDI=?alt=proto HTTP/2.0
host: content-autofill.googleapis.com
x-goog-encode-response-if-executable: base64
x-goog-api-key: AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
x-client-data: CJj2ygE=
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

Remote address:

8.8.8.8:53

Request

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

IN PTR

Response
DNS

141.204.167.72.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.204.167.72.in-addr.arpa

IN PTR

Response

141.204.167.72.in-addr.arpa

IN PTR

14120416772hostsecureservernet
DNS

10.214.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.214.58.216.in-addr.arpa

IN PTR

Response

10.214.58.216.in-addr.arpa

IN PTR

lhr26s05-in-f101e100net

10.214.58.216.in-addr.arpa

IN PTR

ams17s09-in-f10�H

10.214.58.216.in-addr.arpa

IN PTR

�8
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

252.15.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

252.15.104.51.in-addr.arpa

IN PTR

Response
DNS

169.255.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.255.221.88.in-addr.arpa

IN PTR

Response

169.255.221.88.in-addr.arpa

IN PTR

a88-221-255-169deploystaticakamaitechnologiescom

72.167.204.141:80

http://netid.today/gov.utah.edu/l1.PNG

http

chrome.exe

1.3kB
9.3kB
11
12

HTTP Request

GET http://netid.today/gov.utah.edu/fHead.PNG

HTTP Response

200

HTTP Request

GET http://netid.today/gov.utah.edu/l1.PNG

HTTP Response

200
72.167.204.141:80

http://netid.today/gov.utah.edu/lo.png

http

chrome.exe

3.7kB
60.9kB
35
50

HTTP Request

GET http://netid.today/gov.utah.edu/continue.php

HTTP Response

200

HTTP Request

GET http://netid.today/gov.utah.edu/hea.PNG

HTTP Response

200

HTTP Request

GET http://netid.today/gov.utah.edu/socials.PNG

HTTP Response

200

HTTP Request

GET http://netid.today/gov.utah.edu/tom2.PNG

HTTP Response

200

HTTP Request

GET http://netid.today/gov.utah.edu/lo.png

HTTP Response

200
72.167.204.141:80

http://netid.today/gov.utah.edu/emails.PNG

http

chrome.exe

1.2kB
6.6kB
9
9

HTTP Request

GET http://netid.today/gov.utah.edu/lsnameline.PNG

HTTP Response

200

HTTP Request

GET http://netid.today/gov.utah.edu/emails.PNG

HTTP Response

200
72.167.204.141:80

http://netid.today/gov.utah.edu/tom1.PNG

http

chrome.exe

2.0kB
41.8kB
25
35

HTTP Request

GET http://netid.today/gov.utah.edu/coz.PNG

HTTP Response

200

HTTP Request

GET http://netid.today/gov.utah.edu/tom1.PNG

HTTP Response

200
72.167.204.141:80

http://netid.today/gov.utah.edu/sides.PNG

http

chrome.exe

1.2kB
4.5kB
9
8

HTTP Request

GET http://netid.today/gov.utah.edu/dobs.PNG

HTTP Response

200

HTTP Request

GET http://netid.today/gov.utah.edu/sides.PNG

HTTP Response

200
72.167.204.141:80

http://netid.today/gov.utah.edu/phnbr.PNG

http

chrome.exe

1.1kB
2.9kB
7
7

HTTP Request

GET http://netid.today/gov.utah.edu/inbt.PNG

HTTP Response

200

HTTP Request

GET http://netid.today/gov.utah.edu/phnbr.PNG

HTTP Response

200
216.58.214.10:443

https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSZAkrs7i3t5irlxIFDX99I4kSBQ26EHJMEgUNH_Z92BIFDai2VMwSBQ0MezKgEgUNbe4B1BIFDRmDxswSBQ1ngaaBEgUNitbaZxIFDeNt8eESBQ2N0nXfEgUN7huUKRIFDY24CDI=?alt=proto

tls, http2

chrome.exe

2.0kB
7.3kB
18
20

HTTP Request

GET https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTA2LjAuNTI0OS4xMTkSZAkrs7i3t5irlxIFDX99I4kSBQ26EHJMEgUNH_Z92BIFDai2VMwSBQ0MezKgEgUNbe4B1BIFDRmDxswSBQ1ngaaBEgUNitbaZxIFDeNt8eESBQ2N0nXfEgUN7huUKRIFDY24CDI=?alt=proto

8.8.8.8:53

netid.today

dns

chrome.exe

57 B
73 B
1
1

DNS Request

netid.today

DNS Response

72.167.204.141
8.8.8.8:53

content-autofill.googleapis.com

dns

chrome.exe

77 B
205 B
1
1

DNS Request

content-autofill.googleapis.com

DNS Response

216.58.214.10

142.250.179.138

142.251.36.42

142.250.179.170

142.250.179.202

142.251.36.10

142.251.39.106

172.217.23.202
8.8.8.8:53

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

dns

118 B
182 B
1
1

DNS Request

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
8.8.8.8:53

141.204.167.72.in-addr.arpa

dns

73 B
123 B
1
1

DNS Request

141.204.167.72.in-addr.arpa
8.8.8.8:53

10.214.58.216.in-addr.arpa

dns

72 B
155 B
1
1

DNS Request

10.214.58.216.in-addr.arpa
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

252.15.104.51.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

252.15.104.51.in-addr.arpa
8.8.8.8:53

169.255.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

169.255.221.88.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c6bfc1e4b00ad5407d4b92355f9de004

SHA1
a57301d7a1fc5430281e32daf54e2d4f44ec6590

SHA256
90bf7be36053ba0d0cf973318b613068987e816afd335ea59ed0a81eb641a8c7

SHA512
d58bacaa7a8135032b0d19a4efbd1064b18f452c06347eaa200e910c049ef452a825f873cbf0caedbd6a049be7ccacb056d79c2634e36329dfd741b1c7169cff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
73b25967436293075a9401222eb89cc8

SHA1
dfe99e8ed0ac1402fdd5e208bdda328a834e7715

SHA256
5cb5ff60f9ee50c1dcd984baeb1bc4cdefbaf52111427350c963bca3f53beb3e

SHA512
d3fcc219a473dd41c54a8e8f9bfa3f0efcbe31d05d8d84c3f069b7b6e9ac65a23ed0641414dd107f8e56518f846e0b93763adc389237deba1daa88dc31e38216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2038c3ef00d80f5bc320aaa50d68ac5f

SHA1
79193582be8bb51aa0d49feb5d8438adaf84793b

SHA256
2345b66255bbecd4f453eefd7fd01445159779b587e3a7ef2cebdef328e83d3f

SHA512
98ec0074f2ddbb837fc9164db960a04025952361219f8ac38f8b1ea093bceb53de94fd685090e671c8a2af7f80d6bb48d55a847dad57d80c84537694c3e866ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
eef430254294e8c40c23588fe50d8372

SHA1
8447e5185387936b5b3adb65f8f0d08fc00fb781

SHA256
ee4d86c36d193acc9fb00d63c2e088aa61f697c13f4925cd44adbcce6fcb4ab5

SHA512
67161e5528e1cc1dc74647f2fb7bbe8326ccca39bc28e5747ad63c000adc3177446a7d59309f0ae61076000c485a766ebc73c764a9bbd9528c83cb3376f04fda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
c5cbb3726473ad245ca8c67139bc355a

SHA1
26f3e9115e26d5139c9ce14902d350f5e10e4365

SHA256
6e7e5b1285a8e30f96730435e676d539d7d08880286e2a6a9ba55666ee593e01

SHA512
7b31657af3a57d80f89ba99423b9a7aab8b493f4c5b6df035cdd77340de51be07dbc8467badf32c3960a37bcbad1a58d850c3c66d0957ba2390ab3983ba093d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.