Analysis Overview
Threat Level: Known bad
The file https://oxy.name/d/AeSh was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 15:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 15:31
Reported
2024-05-27 15:33
Platform
win10-20240404-en
Max time kernel
97s
Max time network
98s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WizClient.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612974937612098" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oxy.name/d/AeSh
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xb0,0xa8,0xd4,0xac,0xd8,0x7ff8b3629758,0x7ff8b3629768,0x7ff8b3629778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1852 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3192 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4348 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5224 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4580 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3164 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5444 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5252 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3732 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1984 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=2144,i,15321002175181551605,4234374306088264062,131072 /prefetch:8
C:\Users\Admin\Desktop\WizClient.exe
"C:\Users\Admin\Desktop\WizClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\WizClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WizClient.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\Admin\AppData\Roaming\WizClient.exe"
C:\Users\Admin\Desktop\WizClient.exe
"C:\Users\Admin\Desktop\WizClient.exe"
C:\Users\Admin\AppData\Roaming\WizClient.exe
C:\Users\Admin\AppData\Roaming\WizClient.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | oxy.name | udp |
| US | 172.67.218.114:443 | oxy.name | tcp |
| US | 172.67.218.114:443 | oxy.name | tcp |
| US | 8.8.8.8:53 | oxy.st | udp |
| RU | 185.178.208.137:443 | oxy.st | tcp |
| US | 8.8.8.8:53 | contextual.media.net | udp |
| BE | 2.21.16.25:443 | contextual.media.net | tcp |
| US | 8.8.8.8:53 | ads.themoneytizer.com | udp |
| US | 8.8.8.8:53 | smatr.net | udp |
| US | 8.8.8.8:53 | cdn.adlook.me | udp |
| US | 8.8.8.8:53 | 114.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.208.178.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.16.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.214.58.216.in-addr.arpa | udp |
| NL | 88.208.46.222:443 | smatr.net | tcp |
| US | 104.22.63.227:443 | ads.themoneytizer.com | tcp |
| US | 104.22.63.227:443 | ads.themoneytizer.com | tcp |
| US | 8.8.8.8:53 | lg3.media.net | udp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| RU | 193.17.93.93:443 | cdn.adlook.me | tcp |
| SE | 104.73.92.22:443 | lg3.media.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 193.17.93.93:443 | cdn.adlook.me | tcp |
| US | 8.8.8.8:53 | ced.sascdn.com | udp |
| US | 8.8.8.8:53 | gum.criteo.com | udp |
| US | 8.8.8.8:53 | tag.leadplace.fr | udp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | secure.quantserve.com | udp |
| US | 8.8.8.8:53 | adtrack.adleadevent.com | udp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| FR | 145.239.192.166:443 | tag.leadplace.fr | tcp |
| IE | 52.30.83.4:443 | adtrack.adleadevent.com | tcp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| US | 8.8.8.8:53 | ogffa.net | udp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| DE | 91.228.74.166:443 | secure.quantserve.com | tcp |
| DE | 51.75.86.98:443 | onetag-sys.com | tcp |
| BE | 88.221.83.138:443 | ced.sascdn.com | tcp |
| RU | 88.212.201.204:443 | counter.yadro.ru | tcp |
| NL | 88.208.46.222:443 | ogffa.net | tcp |
| IE | 54.76.45.34:443 | p.cpx.to | tcp |
| DE | 178.63.248.57:443 | system-notify.app | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| FR | 216.58.214.170:443 | content-autofill.googleapis.com | tcp |
| FR | 216.58.214.170:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | ads.adlook.me | udp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| US | 8.8.8.8:53 | rules.quantcount.com | udp |
| US | 8.8.8.8:53 | 227.63.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.46.208.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.92.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.93.17.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.131.154.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.192.239.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.83.30.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.86.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.74.228.91.in-addr.arpa | udp |
| FR | 52.222.144.58:443 | rules.quantcount.com | tcp |
| US | 8.8.8.8:53 | 34.45.76.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.248.63.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.201.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.97.161.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.214.58.216.in-addr.arpa | udp |
| US | 104.22.52.86:443 | cdn.id5-sync.com | tcp |
| RU | 46.243.182.88:443 | ads.adlook.me | tcp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| DE | 157.90.33.68:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.152:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | pixel.quantserve.com | udp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| DE | 157.90.33.68:443 | uidsync.net | tcp |
| DE | 37.252.171.85:443 | ib.adnxs.com | tcp |
| US | 52.223.40.198:443 | match.adsrvr.org | tcp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| IE | 54.76.45.34:443 | s.cpx.to | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.52.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.144.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.182.243.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.33.90.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.101.63.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.40.223.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.171.252.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| DE | 162.19.138.118:443 | lb.eu-1-id5-sync.com | tcp |
| DE | 141.95.98.64:443 | lb.eu-1-id5-sync.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 64.98.95.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.138.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.oxy.st | udp |
| RU | 185.178.208.137:443 | download.oxy.st | tcp |
| RU | 185.178.208.137:443 | download.oxy.st | tcp |
| SE | 104.73.92.22:443 | lg3.media.net | udp |
| DE | 51.75.86.98:443 | onetag-sys.com | udp |
| DE | 178.63.248.57:443 | uidsync.net | tcp |
| DE | 157.90.33.68:443 | uidsync.net | tcp |
| DE | 157.90.33.68:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | s1.oxy.st | udp |
| US | 104.21.234.183:443 | s1.oxy.st | tcp |
| US | 8.8.8.8:53 | 183.234.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tmzr.themoneytizer.fr | udp |
| US | 172.67.174.127:443 | tmzr.themoneytizer.fr | tcp |
| US | 8.8.8.8:53 | 127.174.67.172.in-addr.arpa | udp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| US | 8.8.8.8:53 | lexicon.33across.com | udp |
| DE | 162.19.138.118:443 | lb.eu-1-id5-sync.com | tcp |
| US | 8.8.8.8:53 | id.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 35.244.193.51:443 | lexicon.33across.com | tcp |
| IE | 52.48.217.227:443 | id.crwdcntrl.net | tcp |
| FR | 51.178.195.208:443 | ww1097.smartadserver.com | tcp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| DE | 141.95.98.64:443 | lb.eu-1-id5-sync.com | tcp |
| FR | 51.178.195.208:443 | ww1097.smartadserver.com | tcp |
| DE | 162.19.138.118:443 | lb.eu-1-id5-sync.com | tcp |
| US | 8.8.8.8:53 | 51.193.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.217.48.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.195.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.157:443 | i.ibb.co | tcp |
| FR | 51.178.195.208:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | metrics.biddertmz.com | udp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| FR | 51.178.195.208:443 | ww1097.smartadserver.com | tcp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| US | 8.8.8.8:53 | 157.58.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | central-feb.gl.at.ply.gg | udp |
| US | 147.185.221.19:50764 | central-feb.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 168.22.248.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.157:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 157.145.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| FR | 51.178.195.208:443 | ww1097.smartadserver.com | tcp |
| FR | 51.178.195.208:443 | ww1097.smartadserver.com | tcp |
| US | 147.185.221.19:50764 | central-feb.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| FR | 51.178.195.208:443 | ww1097.smartadserver.com | tcp |
| FR | 51.178.195.208:443 | ww1097.smartadserver.com | tcp |
| US | 147.185.221.19:50764 | central-feb.gl.at.ply.gg | tcp |
Files
\??\pipe\crashpad_3796_ZGWJXEPFOXXEMDVA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\MANIFEST-000001
| MD5 | 3fd11ff447c1ee23538dc4d9724427a3 |
| SHA1 | 1335e6f71cc4e3cf7025233523b4760f8893e9c9 |
| SHA256 | 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed |
| SHA512 | 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a0d34707eb426b93eb9a76890c3d866f |
| SHA1 | 976bca51acbed1c6515da326f1e6820f65d58789 |
| SHA256 | 05867a12698cabe11a22ba4447049e29c760f1c770bc8e54478151e5116534dc |
| SHA512 | f633ddd7f6ea7db26201a951efed397623d0709aa69dec9c3d0d34ccfbe492ad2e4063a3f144cd73a161198f9c5400a4dbb87ea78d9783f283238cffc931c226 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 17bbf5e159eb72a4589bf1a20520555b |
| SHA1 | 5812a58308d2112878b40771768c37e777879f50 |
| SHA256 | 980f040a7649e18a7ebbc010013fb7fc4359c0c35da661605ea1957cf13c5cc6 |
| SHA512 | a72ef74a2b65910a8f7337cc3fc9a49f28dbcfe77b101c8007481937a149bb79ac1cd1a47e6a2091e02ca7c7daccd7ab2bac9742006ed99a54b4721cfe6f795a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | d0b456423b58d2d71939cce0bbe9d748 |
| SHA1 | 980df31784196bec792d6b0510b043eab4fd4513 |
| SHA256 | 99051292ff1a171b4cbe1aa61992e370d7a8c9c0e0b49bcd4031b29c7d4a17ec |
| SHA512 | 3da06856b4f2916517ecae9ecdf370eabe500c64c8f6e3284ce9bda5560d701580bada4e2a64f1f1c9e7aa943ea3e938b1f706bb284e77e8497ef367fe643480 |
C:\Users\Admin\Downloads\WizClient.exe
| MD5 | 6bf4ad91ceecec2e95da9fcfd6b7f14e |
| SHA1 | 0f1f78c64c80788b79d0676c5d16d4e3b71b5865 |
| SHA256 | ece66b6dde3529ecbc10f472b6a6101c1d47822c5345f29cd0a16bd25e26e9b8 |
| SHA512 | 3276ceed225b52f7ca77e1679063095135b790bd2eb35a52e3bb63b599b775f1e1d0eb24ab9888f89376e2143724228016dc28b746442631d30d89b004a83d64 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b60ee71d90265c0b3cc8e11393797b19 |
| SHA1 | 1634d742068e7889e9141aa4c41e71f94ea942fc |
| SHA256 | 726b66ed5fd45018b570ccbc8fb85090525c7f4418fd13460e4f509cb6c44b36 |
| SHA512 | b19d8f293f17d9ed38ccdfec45277c2250062f85ef110a68d5eec396a9cc82253c6bb17b5f25a8eb3c039b04b3c27f6140af3f10d417c4da1013a0e5dba4d99c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 955c4d18e198a6e4a083135a8a932aa7 |
| SHA1 | e7c403fd4b7583eee07616464a6a0292371dd1f7 |
| SHA256 | 41b369bad7b0fef979d7238001795045f7304a9e9f995a5d8ade629c024e925c |
| SHA512 | 0e14d1ee80311b1af08ce6a096ac1e5cf3c5b174b03eee0d3209dc9169a4017a2daa64e64b888c67a423616c28ac0631e2adc304853e9db2e1b4c10380dad334 |
memory/4480-266-0x0000000000DD0000-0x0000000000DE4000-memory.dmp
memory/4480-267-0x00007FF8A1223000-0x00007FF8A1224000-memory.dmp
memory/528-274-0x00000176D3EB0000-0x00000176D3ED2000-memory.dmp
memory/528-277-0x00000176EC6A0000-0x00000176EC716000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ptkdtvkk.cym.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 330958932658c874bd9cdfc227aac9ca |
| SHA1 | 5d994020e81fd400933caac5aa252edf39893db4 |
| SHA256 | 11a4e386dc8bd1bbba97ecaa47ed647c6f08e4a231f4f0ed51b492ec8cde1e67 |
| SHA512 | d83c7f5014cb6f750c11f3606522afadb79bff37bfaf3aeb6b2476761043af441522c994ece176fc1f98e414e522411227b28ad6731d4e79e06bd3cb0c40f8d7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 811c36f3efe6b88076465d2f8e402406 |
| SHA1 | 4fcb593f17f094c9add57916df89e7bb879280f1 |
| SHA256 | af12d74bd08be3eec6b7dedde635d6cd47d542bc12932a52aaa38cd966816b08 |
| SHA512 | 36613ca1efa1121f865e684a75aded47a82a846b89e95791f681bb8d8da87552461ea0157801c4d1fe7576bf6f269506c0d41405c380a6c6bcdf96f733939dbc |
memory/4480-415-0x00007FF8A1220000-0x00007FF8A1C0C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | bc8fb527cb597a02e65ae87b05168ec6 |
| SHA1 | 3886fe97f0dc2b9083c428f12b99a179962803f5 |
| SHA256 | a2bf266b6e31336f1b192ce87195b428698fdfc4ddb9e2149d7358f3affd531f |
| SHA512 | 7e1bedf38a761de5303c915bde611f59b2c271fc183de70c1541640695ffc0fd7f174b7b209b3e244bbdbe4fe69ee5cfb485458b8d2321e2ffacf5644980e422 |
memory/4480-422-0x000000001C970000-0x000000001C97E000-memory.dmp
memory/4480-423-0x00007FF8A1223000-0x00007FF8A1224000-memory.dmp
memory/4480-424-0x00007FF8A1220000-0x00007FF8A1C0C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 4909f79ebabe713ee1d25ae77a3ca7ab |
| SHA1 | 41afe4c9c887e7eb459f61d304b3f6c8583d7f5e |
| SHA256 | 003c5d23910d3f0f054e9d070f5ee8676753364e4478316f4cea7f115144b2d5 |
| SHA512 | a3ed672536e60cd041116a7e348af3d016599cb7aa12dafa39bbf926906ecb455b01c4aac206799316ff3478e56cbb24a0e07dc46449697d6c5a6cd0bc652d4b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizClient.exe.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 15:31
Reported
2024-05-27 15:36
Platform
win10v2004-20240508-en
Max time kernel
299s
Max time network
307s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612975026887317" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://oxy.name/d/AeSh
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7bf2ab58,0x7ffa7bf2ab68,0x7ffa7bf2ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4236 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4152 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4140 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3100 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1920,i,5975561202194065802,16855079488683708862,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | oxy.name | udp |
| US | 104.21.70.24:443 | oxy.name | tcp |
| US | 8.8.8.8:53 | oxy.st | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.70.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.20.217.172.in-addr.arpa | udp |
| RU | 185.178.208.137:443 | oxy.st | tcp |
| US | 8.8.8.8:53 | contextual.media.net | udp |
| BE | 2.21.16.25:443 | contextual.media.net | tcp |
| US | 8.8.8.8:53 | ads.themoneytizer.com | udp |
| US | 8.8.8.8:53 | smatr.net | udp |
| US | 8.8.8.8:53 | cdn.adlook.me | udp |
| NL | 88.208.46.222:443 | smatr.net | tcp |
| RU | 193.17.93.93:443 | cdn.adlook.me | tcp |
| US | 104.22.63.227:443 | ads.themoneytizer.com | tcp |
| US | 104.22.63.227:443 | ads.themoneytizer.com | tcp |
| US | 8.8.8.8:53 | lg3.media.net | udp |
| SE | 104.73.92.22:443 | lg3.media.net | tcp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| US | 8.8.8.8:53 | ced.sascdn.com | udp |
| US | 8.8.8.8:53 | gum.criteo.com | udp |
| US | 8.8.8.8:53 | tag.leadplace.fr | udp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| US | 8.8.8.8:53 | secure.quantserve.com | udp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| US | 8.8.8.8:53 | adtrack.adleadevent.com | udp |
| DE | 91.228.74.244:443 | secure.quantserve.com | tcp |
| IE | 52.209.209.171:443 | adtrack.adleadevent.com | tcp |
| RU | 178.154.131.215:443 | yastatic.net | tcp |
| US | 8.8.8.8:53 | ogffa.net | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| US | 8.8.8.8:53 | rules.quantcount.com | udp |
| NL | 88.208.46.222:443 | ogffa.net | tcp |
| FR | 52.222.144.21:443 | rules.quantcount.com | tcp |
| RU | 88.212.201.198:443 | counter.yadro.ru | tcp |
| DE | 23.88.8.125:443 | system-notify.app | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| FR | 142.250.75.234:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | ads.adlook.me | udp |
| RU | 176.122.21.226:443 | ads.adlook.me | tcp |
| US | 8.8.8.8:53 | 137.208.178.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.16.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.46.208.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.63.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.93.17.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.92.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.74.228.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.209.209.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.131.154.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pixel.quantserve.com | udp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| DE | 157.90.33.121:443 | uidsync.net | tcp |
| FR | 145.239.192.166:443 | tag.leadplace.fr | tcp |
| BE | 88.221.83.138:443 | ced.sascdn.com | tcp |
| DE | 51.75.86.98:443 | onetag-sys.com | tcp |
| IE | 54.76.45.34:443 | p.cpx.to | tcp |
| DE | 157.90.33.121:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| DE | 37.252.171.52:443 | ib.adnxs.com | tcp |
| US | 52.223.40.198:443 | match.adsrvr.org | tcp |
| US | 104.22.53.86:443 | cdn.id5-sync.com | tcp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| IE | 54.76.45.34:443 | s.cpx.to | tcp |
| US | 8.8.8.8:53 | 198.201.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.8.88.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.122.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.33.90.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.192.239.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.45.76.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.86.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.40.223.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.53.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.171.252.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.144.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| DE | 141.95.33.120:443 | id5-sync.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| DE | 141.95.98.65:443 | id5-sync.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.33.95.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.98.95.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tmzr.themoneytizer.fr | udp |
| US | 172.67.174.127:443 | tmzr.themoneytizer.fr | tcp |
| US | 8.8.8.8:53 | lexicon.33across.com | udp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| DE | 141.95.98.65:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | id.crwdcntrl.net | udp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 35.244.193.51:443 | lexicon.33across.com | tcp |
| IE | 52.48.217.227:443 | id.crwdcntrl.net | tcp |
| NL | 81.17.55.113:443 | ww1097.smartadserver.com | tcp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| DE | 141.95.33.120:443 | id5-sync.com | tcp |
| NL | 81.17.55.113:443 | ww1097.smartadserver.com | tcp |
| DE | 141.95.98.65:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | 127.174.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.217.48.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.193.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.55.17.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| NL | 81.17.55.113:443 | ww1097.smartadserver.com | tcp |
| NL | 81.17.55.113:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| NL | 81.17.55.113:443 | ww1097.smartadserver.com | tcp |
| NL | 81.17.55.113:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 81.17.55.113:443 | ww1097.smartadserver.com | tcp |
| NL | 81.17.55.113:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 96.209.135.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | metrics.biddertmz.com | udp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| US | 8.8.8.8:53 | 168.22.248.34.in-addr.arpa | udp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| FR | 5.135.209.96:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| NL | 89.149.192.192:443 | ww1097.smartadserver.com | tcp |
| NL | 89.149.192.192:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 192.192.149.89.in-addr.arpa | udp |
| NL | 89.149.192.192:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | metrics.biddertmz.com | udp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| NL | 89.149.192.192:443 | ww1097.smartadserver.com | tcp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| NL | 89.149.192.192:443 | ww1097.smartadserver.com | tcp |
| NL | 89.149.192.192:443 | ww1097.smartadserver.com | tcp |
| NL | 89.149.192.192:443 | ww1097.smartadserver.com | tcp |
| NL | 89.149.192.192:443 | ww1097.smartadserver.com | tcp |
Files
\??\pipe\crashpad_3600_LKJXMZKDGZLPNEFM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 4796198af48fabf335e41a459e1444c8 |
| SHA1 | 87846c3646fc132cfe13b235e33734ec1d6b8fdc |
| SHA256 | eab5c8006b336e77e84fa1cdeb46ffb5b35e73345a79afae58046a1a3865822f |
| SHA512 | 63341f0852313f1b3ea8ac18f52e80d607a8e9a68578ca52d0e584a59dfccffdedc8419f5d19156976692df450e506c59d4f635723c54c0110c9045d8d1ac388 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | de8ccdc2dd19a67751b3a8c2db7b16b0 |
| SHA1 | a533fa8dd3b9b710028a3a49288796851771fe51 |
| SHA256 | a74e87941cfa8bfaa37eb2887765a38d3878321b8d05d72d0f809c467e4d3aed |
| SHA512 | 7bdd9ac70e516b0ed821cfbd6455eff1b03a8b76d2b7d0d4b4189566e6bce7dac3cfb38ae8e73863a57ef6cc50cbd40bb7547d17b67df13a4ebc72fc04811bc9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | be82251ed5c9a863485e86bf8fbfdb84 |
| SHA1 | 7128642f2415939cdde71520e1615fe2180740a3 |
| SHA256 | ba1ca0152d2d9a0f0baffa6246cdb128170e30c845d82fa3a55cb842b8aa7004 |
| SHA512 | 94c120ba1c7a39930e2ba6c1853318a51b9f8ac0188dcb781d3053a458ca6e81a14b3f1f12edba2b3210935fbf3371aaa0c15465f094ecc23070b7199522e47b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 9b1c24574350a59f312471bc8ae1187a |
| SHA1 | 18fbfd44767ad8ac1542c94531bc616ff54b6c78 |
| SHA256 | 43943c869ccd27ed51a63a71303950087d2aacc85928ce0142a682774d87983e |
| SHA512 | 8a8fd76a513ac295e88ce8b05616f4a0799031908b2b99fac89a46ad297cde30fb5ea26409786a8e84002252812ac6cb3058380a56a616f5807e84ce88dd2d9e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | d301b9b0c967f1926cbcf8320c9ea8d7 |
| SHA1 | 926a0c460cb67c32c59496f305301afa38adbbfd |
| SHA256 | bff103073e74da237c8a90b5b69257a377bfea23c6af9772c5e9ddf719c05745 |
| SHA512 | ff690c1284841414143c54601c14fffa2ea73b500c38fc03513734abb5048018498ec617a1e0e64980731f8e6f2347bb6b5fa0e13a9f41c0341f8b97dd00162f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | e859c5d8de555fd18d1718328344e300 |
| SHA1 | 88bc3fad61bf1679df7d03225023902cc9d2dbdd |
| SHA256 | 92b5a3c1b53b666e1bcc076f8ffb8907cf152d87129e0ec060eb87939fd50aa7 |
| SHA512 | ce7ca482f486806b078048eed92cd8901d11f39e109d5f4b4b8d0b3c7aef1f4a750b28143c47074a9b5b70359195de2f75f2b6121b2fcfa1af8148bdb822d54a |