d53a7858a392b314ef7e63d5d8d2f7fa8b6067dc0b9cc926adf219c0c4c0b768

Analysis

max time kernel
44s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
04/05/2024, 17:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZOD-master/42.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133593185059178610"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1156	chrome.exe
1156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe
Token: SeShutdownPrivilege	1156	chrome.exe
Token: SeCreatePagefilePrivilege	1156	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1128	1156	chrome.exe	85
PID 1156 wrote to memory of 1128	1156	chrome.exe	85
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1992	1156	chrome.exe	86
PID 1156 wrote to memory of 1540	1156	chrome.exe	87
PID 1156 wrote to memory of 1540	1156	chrome.exe	87
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88
PID 1156 wrote to memory of 1840	1156	chrome.exe	88

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ZOD-master\42.zip
1⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca6e7cc40,0x7ffca6e7cc4c,0x7ffca6e7cc58
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1968 /prefetch:3
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4284,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,315939784430456524,14518999521679785684,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:856

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2952

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4468

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3724

Network

DNS

browser.pipe.aria.microsoft.com

Remote address:

8.8.8.8:53

Request

browser.pipe.aria.microsoft.com

IN A

Response

browser.pipe.aria.microsoft.com

IN CNAME

browser.events.data.trafficmanager.net

browser.events.data.trafficmanager.net

IN CNAME

onedscolprdcus07.centralus.cloudapp.azure.com

onedscolprdcus07.centralus.cloudapp.azure.com

IN A

52.182.143.209
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

173.222.211.130

a767.dspw65.akamai.net

IN A

173.222.211.107
DNS

ocsp.digicert.com

Remote address:

8.8.8.8:53

Request

ocsp.digicert.com

IN A

Response

ocsp.digicert.com

IN CNAME

ocsp.edge.digicert.com

ocsp.edge.digicert.com

IN CNAME

fp2e7a.wpc.2be4.phicdn.net

fp2e7a.wpc.2be4.phicdn.net

IN CNAME

fp2e7a.wpc.phicdn.net

fp2e7a.wpc.phicdn.net

IN A

192.229.221.95
DNS

r.bing.com

Remote address:

8.8.8.8:53

Request

r.bing.com

IN A

Response

r.bing.com

IN CNAME

p-static.bing.trafficmanager.net

p-static.bing.trafficmanager.net

IN CNAME

r.bing.com.edgekey.net

r.bing.com.edgekey.net

IN CNAME

e86303.dscx.akamaiedge.net

e86303.dscx.akamaiedge.net

IN A

23.62.61.194

e86303.dscx.akamaiedge.net

IN A

23.62.61.97
DNS

130.211.222.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

130.211.222.173.in-addr.arpa

IN PTR

Response

130.211.222.173.in-addr.arpa

IN PTR

a173-222-211-130deploystaticakamaitechnologiescom
DNS

194.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.61.62.23.in-addr.arpa

IN PTR

Response

194.61.62.23.in-addr.arpa

IN PTR

a23-62-61-194deploystaticakamaitechnologiescom
DNS

clientservices.googleapis.com

Remote address:

8.8.8.8:53

Request

clientservices.googleapis.com

IN A

Response

clientservices.googleapis.com

IN A

142.250.187.195
DNS

www.gstatic.com

Remote address:

8.8.8.8:53

Request

www.gstatic.com

IN A

Response

www.gstatic.com

IN A

142.250.180.3
DNS

202.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.212.58.216.in-addr.arpa

IN PTR

Response

202.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f101e100net

202.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f202�I

202.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f10�I
DNS

238.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.16.217.172.in-addr.arpa

IN PTR

Response

238.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f141e100net

238.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f14�I
DNS

254.42.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.42.107.13.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

www.googleapis.com

Remote address:

8.8.8.8:53

Request

www.googleapis.com

IN A

Response

www.googleapis.com

IN A

216.58.212.202

www.googleapis.com

IN A

172.217.169.42

www.googleapis.com

IN A

142.250.179.234

www.googleapis.com

IN A

142.250.180.10

www.googleapis.com

IN A

142.250.187.202

www.googleapis.com

IN A

142.250.187.234

www.googleapis.com

IN A

142.250.178.10

www.googleapis.com

IN A

172.217.16.234

www.googleapis.com

IN A

142.250.200.10

www.googleapis.com

IN A

142.250.200.42

www.googleapis.com

IN A

216.58.201.106

www.googleapis.com

IN A

216.58.204.74
DNS

apis.google.com

Remote address:

8.8.8.8:53

Request

apis.google.com

IN A

Response

apis.google.com

IN CNAME

plus.l.google.com

plus.l.google.com

IN A

216.58.201.110
DNS

222.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.197.79.204.in-addr.arpa

IN PTR

Response
DNS

teams-ring.msedge.net

Remote address:

8.8.8.8:53

Request

teams-ring.msedge.net

IN A

Response

teams-ring.msedge.net

IN CNAME

teams-ring.teams-9999.teams-msedge.net

teams-ring.teams-9999.teams-msedge.net

IN CNAME

teams-9999.teams-msedge.net

teams-9999.teams-msedge.net

IN A

52.113.196.254
DNS

254.240.150.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.240.150.4.in-addr.arpa

IN PTR

Response
DNS

209.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.143.182.52.in-addr.arpa

IN PTR

Response
DNS

fp.msedge.net

Remote address:

8.8.8.8:53

Request

fp.msedge.net

IN A

Response

fp.msedge.net

IN CNAME

1.perf.msedge.net

1.perf.msedge.net

IN CNAME

a-0019.a-msedge.net

a-0019.a-msedge.net

IN CNAME

a-0019.a.dns.azurefd.net

a-0019.a.dns.azurefd.net

IN CNAME

a-0019.standard.a-msedge.net

a-0019.standard.a-msedge.net

IN A

204.79.197.222
DNS

www.google.com

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.178.4
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net
DNS

clients2.google.com

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

172.217.16.238
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

windowsupdatebg.s.llnwi.net

windowsupdatebg.s.llnwi.net

IN A

87.248.205.0
DNS

4.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.178.250.142.in-addr.arpa

IN PTR

Response

4.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f41e100net
DNS

arm-ring.msedge.net

Remote address:

8.8.8.8:53

Request

arm-ring.msedge.net

IN A

Response

arm-ring.msedge.net

IN CNAME

arm-ring.arm-9999.arm-msedge.net

arm-ring.arm-9999.arm-msedge.net

IN CNAME

arm-9999.arm-msedge.net

arm-9999.arm-msedge.net

IN A

4.150.240.254
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

3.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.180.250.142.in-addr.arpa

IN PTR

Response

3.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f31e100net
DNS

l-ring.msedge.net

Remote address:

8.8.8.8:53

Request

l-ring.msedge.net

IN A

Response

l-ring.msedge.net

IN CNAME

l-ring.l-9999.l-msedge.net

l-ring.l-9999.l-msedge.net

IN CNAME

l-9999.l-msedge.net

l-9999.l-msedge.net

IN A

13.107.42.254
DNS

254.196.113.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.196.113.52.in-addr.arpa

IN PTR

Response
DNS

110.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

110.201.58.216.in-addr.arpa

IN PTR

Response

110.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f141e100net

110.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f110�I

110.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f14�I
DNS

arc.msn.com

Remote address:

8.8.8.8:53

Request

arc.msn.com

IN A

Response

arc.msn.com

IN CNAME

arc.trafficmanager.net

arc.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com

IN A

20.223.36.55
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
GET

https://teams-ring.msedge.net/apc/trans.gif?504a71d249ec44ff05ff2515206be1a9

Remote address:

52.113.196.254:443

Request

GET /apc/trans.gif?504a71d249ec44ff05ff2515206be1a9 HTTP/2.0
host: teams-ring.msedge.net
referer: https://www.bing.com/WS/Init
accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
accept-language: en-US
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.17.1.21325; 10.0.0.0.22000.493) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: no-cache, no-store, must-revalidate
content-length: 43
content-type: image/gif
last-modified: Tue, 26 Mar 2024 19:19:51 GMT
accept-ranges: bytes
etag: 0x0DA2C2C0C44B11E89E6C66FF4F731D7D
access-control-allow-origin: *
access-control-expose-headers: X-EndPoint, X-FrontEnd, X-UserHostAddress, X-MSEdge-Ref, X-MachineName
timing-allow-origin: *
x-content-type-options: nosniff
x-endpoint: LON21r5a
x-frontend: AFD
x-machinename: LON21EDGE0912
x-userhostaddress: 191.101.209.0
x-cache: CONFIG_NOCACHE
x-msedge-ref: Ref A: EA4E0F458D4B4A838EDFE2832F21796C Ref B: LON21EDGE0912 Ref C: 2024-05-04T17:48:27Z
date: Sat, 04 May 2024 17:48:27 GMT
GET

https://teams-ring.msedge.net/apc/trans.gif?a1cb3d661d4464070d2d46f9f36d55bf

Remote address:

52.113.196.254:443

Request

GET /apc/trans.gif?a1cb3d661d4464070d2d46f9f36d55bf HTTP/2.0
host: teams-ring.msedge.net
referer: https://www.bing.com/WS/Init
accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
accept-language: en-US
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.17.1.21325; 10.0.0.0.22000.493) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000

Response

HTTP/2.0 200

cache-control: no-cache, no-store, must-revalidate
content-length: 43
content-type: image/gif
last-modified: Tue, 26 Mar 2024 19:19:51 GMT
accept-ranges: bytes
etag: 0x0DA2C2C0C44B11E89E6C66FF4F731D7D
access-control-allow-origin: *
access-control-expose-headers: X-EndPoint, X-FrontEnd, X-UserHostAddress, X-MSEdge-Ref, X-MachineName
timing-allow-origin: *
x-content-type-options: nosniff
x-endpoint: LON21r5a
x-frontend: AFD
x-machinename: LON21EDGE0912
x-userhostaddress: 191.101.209.0
x-cache: CONFIG_NOCACHE
x-msedge-ref: Ref A: 6613B599ABEB4336921A6F92AC292CC7 Ref B: LON21EDGE0912 Ref C: 2024-05-04T17:48:27Z
date: Sat, 04 May 2024 17:48:27 GMT

184.28.176.56:443

www.bing.com

tls

22.4kB
142.5kB
138
119
184.28.176.56:443

www.bing.com

tls

1.1kB
5.2kB
15
12
52.182.143.209:443

browser.pipe.aria.microsoft.com

tls

3.3kB
7.5kB
20
14
23.62.61.194:443

r.bing.com

tls

1.1kB
5.2kB
15
12
23.62.61.194:443

r.bing.com

tls

67.3kB
1.8MB
1338
1295
23.62.61.194:443

r.bing.com

tls

1.1kB
5.2kB
15
12
23.62.61.194:443

r.bing.com

tls

1.1kB
5.2kB
15
12
23.62.61.194:443

r.bing.com

tls

1.1kB
5.2kB
15
12
23.62.61.194:443

r.bing.com

tls

1.1kB
5.2kB
15
12
142.250.178.4:443

www.google.com

tls

chrome.exe

988 B
4.8kB
7
8
172.217.16.238:443

clients2.google.com

tls

chrome.exe

953 B
8.3kB
8
9
52.113.196.254:443

https://teams-ring.msedge.net/apc/trans.gif?a1cb3d661d4464070d2d46f9f36d55bf

tls, http2

1.9kB
8.2kB
20
18

HTTP Request

GET https://teams-ring.msedge.net/apc/trans.gif?504a71d249ec44ff05ff2515206be1a9

HTTP Response

200

HTTP Request

GET https://teams-ring.msedge.net/apc/trans.gif?a1cb3d661d4464070d2d46f9f36d55bf

HTTP Response

200
4.150.240.254:443

arm-ring.msedge.net

98 B
52 B
2
1

8.8.8.8:53

browser.pipe.aria.microsoft.com

dns

764 B
1.8kB
11
11

DNS Request

browser.pipe.aria.microsoft.com

DNS Response

52.182.143.209

DNS Request

ctldl.windowsupdate.com

DNS Response

173.222.211.130

173.222.211.107

DNS Request

ocsp.digicert.com

DNS Response

192.229.221.95

DNS Request

r.bing.com

DNS Response

23.62.61.194

23.62.61.97

DNS Request

130.211.222.173.in-addr.arpa

DNS Request

194.61.62.23.in-addr.arpa

DNS Request

clientservices.googleapis.com

DNS Response

142.250.187.195

DNS Request

www.gstatic.com

DNS Response

142.250.180.3

DNS Request

202.212.58.216.in-addr.arpa

DNS Request

238.16.217.172.in-addr.arpa

DNS Request

254.42.107.13.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

476 B
1.0kB
7
7

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

www.googleapis.com

DNS Response

216.58.212.202

172.217.169.42

142.250.179.234

142.250.180.10

142.250.187.202

142.250.187.234

142.250.178.10

172.217.16.234

142.250.200.10

142.250.200.42

216.58.201.106

216.58.204.74

DNS Request

apis.google.com

DNS Response

216.58.201.110

DNS Request

222.197.79.204.in-addr.arpa

DNS Request

teams-ring.msedge.net

DNS Response

52.113.196.254

DNS Request

254.240.150.4.in-addr.arpa
8.8.8.8:53

209.143.182.52.in-addr.arpa

dns

400 B
852 B
6
6

DNS Request

209.143.182.52.in-addr.arpa

DNS Request

fp.msedge.net

DNS Response

204.79.197.222

DNS Request

www.google.com

DNS Response

142.250.178.4

DNS Request

195.187.250.142.in-addr.arpa

DNS Request

clients2.google.com

DNS Response

172.217.16.238

DNS Request

ctldl.windowsupdate.com

DNS Response

87.248.205.0
142.250.178.4:443

www.google.com

https

chrome.exe

3.9kB
46.7kB
34
50
216.58.201.110:443

apis.google.com

https

chrome.exe

4.6kB
51.0kB
27
44
8.8.8.8:53

4.178.250.142.in-addr.arpa

dns

208 B
405 B
3
3

DNS Request

4.178.250.142.in-addr.arpa

DNS Request

arm-ring.msedge.net

DNS Response

4.150.240.254

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

3.180.250.142.in-addr.arpa

dns

208 B
399 B
3
3

DNS Request

3.180.250.142.in-addr.arpa

DNS Request

l-ring.msedge.net

DNS Response

13.107.42.254

DNS Request

254.196.113.52.in-addr.arpa
8.8.8.8:53

110.201.58.216.in-addr.arpa

dns

201 B
466 B
3
3

DNS Request

110.201.58.216.in-addr.arpa

DNS Request

arc.msn.com

DNS Response

20.223.36.55

DNS Request

0.205.248.87.in-addr.arpa
172.217.16.238:443

clients2.google.com

https

chrome.exe

2.5kB
8.2kB
11
12
224.0.0.251:5353

chrome.exe

204 B
3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
421a4e155cbeb65e805e6fbcf949e5a1

SHA1
490ad079550fac09620b7e0b1c88a3f9b1c80a99

SHA256
d79ad3dd5ad18ef128f716333dfc21c68c8148aaf820f1bcb03b3b0c0b5ea4ac

SHA512
0f2bdf5dcfcfa0b5bde7ed196dfde6ea89be01fa87b875565e87d199df7d7ecb985880761452725aca77b2a73bcdf73bc296ea0cba766a633be5b6f724c708de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
86d962aa79b76fd8ed0ed0d5b5146acf

SHA1
ee5dbee80c7de1adbeec33afda8830e40ee1e029

SHA256
a8fd096e191f93a3993f9e40844802fc0433862bb77714928e4de259f0ac2dca

SHA512
92b448305a912b0488755966b26245924d345180e08369c7fba13f2f70c68516fa65167cb762beca5889c864773c4cae0933b1b11ded44373d9b53a810fff755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
99b426bc9474abdab12b48687046f459

SHA1
86f736476e820b90bac6227d212629c08142d9e3

SHA256
680b68d1f1d227354707e1195f1fe676d591a9ed0e4e0b71d7cea50b35f63c4e

SHA512
abd0e705ce4979fa94857c75837d3e221587e3923a013a50fcd2086430a248fff2001aa6e1da6936bbad9a71e1e65e0c86ddaaeac1414082da7b1184421842ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8ac85cf60ac6e3b7675374ca286e613b

SHA1
8b5b06a51455dfd53e3fba69472cf9f78b288926

SHA256
ebcbbe21d1df64728a0af0306cbbfd2bc2678eca64cc0f1cbfa2b2cd3226927d

SHA512
043e12f4c90c465c26b578f6c4e62ae6f7ba8ae016984ca26fe848d9a17df145d2ba4e72b0c73dbe55e456e89faf9f8cff49f227c961ae45ef9931c37123d12f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
c7b6bd552cffbe7f3e15d10a93de6d53

SHA1
76d8c8177aa5e25274e14281ee36166994849a29

SHA256
be7a81d4be08f77ef5c2697bfe568d40cbdd419fa151d5ef20ff40165641499e

SHA512
d702f2ace97f1d90f8cf1e90e15a11b3e5f6edbb58d2a9886f012468f3c3a7c1a31d11c0379396952187fd9779113da3e02cf4cf9b0e11b006a3196051c97115

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.