umbral | e82372deee967ba8a1a74e29a8887ac64e700554153267d09a184986a98efa29

Analysis

max time kernel
2699s
max time network
2696s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23/06/2024, 11:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheeto.exe
Size

229KB
MD5

72614d4abc76ec3142bdc6d5bda7c38e
SHA1

2b616f0b13d92557a7cd73935b3e7e301e294757
SHA256

e82372deee967ba8a1a74e29a8887ac64e700554153267d09a184986a98efa29
SHA512

56d7a569b012da9f9ab99044ac3ed489e1f11a233122b7271f2396e5a11d8e5ddf4f58b8bfa18ae96cbc55c57213d812622777b6fc8684ea96a4919ba202b7c4
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4f6/Ff1DA0rVSjVg8Z+9vb8e1mZi:noZtL+EP8f6Nf1DA0rVSjVg8Z2f

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/436-0-0x000001C8B84D0000-0x000001C8B8510000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5112	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cheeto.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	discord.com
1	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
860	wmic.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636147488275763"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2344	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
436	cheeto.exe
5112	powershell.exe
5112	powershell.exe
3872	powershell.exe
3872	powershell.exe
2336	powershell.exe
2336	powershell.exe
3048	powershell.exe
3048	powershell.exe
3352	powershell.exe
3352	powershell.exe
1960	chrome.exe
1960	chrome.exe
1652	chrome.exe
1652	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	cheeto.exe
Token: SeIncreaseQuotaPrivilege	4124	wmic.exe
Token: SeSecurityPrivilege	4124	wmic.exe
Token: SeTakeOwnershipPrivilege	4124	wmic.exe
Token: SeLoadDriverPrivilege	4124	wmic.exe
Token: SeSystemProfilePrivilege	4124	wmic.exe
Token: SeSystemtimePrivilege	4124	wmic.exe
Token: SeProfSingleProcessPrivilege	4124	wmic.exe
Token: SeIncBasePriorityPrivilege	4124	wmic.exe
Token: SeCreatePagefilePrivilege	4124	wmic.exe
Token: SeBackupPrivilege	4124	wmic.exe
Token: SeRestorePrivilege	4124	wmic.exe
Token: SeShutdownPrivilege	4124	wmic.exe
Token: SeDebugPrivilege	4124	wmic.exe
Token: SeSystemEnvironmentPrivilege	4124	wmic.exe
Token: SeRemoteShutdownPrivilege	4124	wmic.exe
Token: SeUndockPrivilege	4124	wmic.exe
Token: SeManageVolumePrivilege	4124	wmic.exe
Token: 33	4124	wmic.exe
Token: 34	4124	wmic.exe
Token: 35	4124	wmic.exe
Token: 36	4124	wmic.exe
Token: SeIncreaseQuotaPrivilege	4124	wmic.exe
Token: SeSecurityPrivilege	4124	wmic.exe
Token: SeTakeOwnershipPrivilege	4124	wmic.exe
Token: SeLoadDriverPrivilege	4124	wmic.exe
Token: SeSystemProfilePrivilege	4124	wmic.exe
Token: SeSystemtimePrivilege	4124	wmic.exe
Token: SeProfSingleProcessPrivilege	4124	wmic.exe
Token: SeIncBasePriorityPrivilege	4124	wmic.exe
Token: SeCreatePagefilePrivilege	4124	wmic.exe
Token: SeBackupPrivilege	4124	wmic.exe
Token: SeRestorePrivilege	4124	wmic.exe
Token: SeShutdownPrivilege	4124	wmic.exe
Token: SeDebugPrivilege	4124	wmic.exe
Token: SeSystemEnvironmentPrivilege	4124	wmic.exe
Token: SeRemoteShutdownPrivilege	4124	wmic.exe
Token: SeUndockPrivilege	4124	wmic.exe
Token: SeManageVolumePrivilege	4124	wmic.exe
Token: 33	4124	wmic.exe
Token: 34	4124	wmic.exe
Token: 35	4124	wmic.exe
Token: 36	4124	wmic.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeIncreaseQuotaPrivilege	1656	wmic.exe
Token: SeSecurityPrivilege	1656	wmic.exe
Token: SeTakeOwnershipPrivilege	1656	wmic.exe
Token: SeLoadDriverPrivilege	1656	wmic.exe
Token: SeSystemProfilePrivilege	1656	wmic.exe
Token: SeSystemtimePrivilege	1656	wmic.exe
Token: SeProfSingleProcessPrivilege	1656	wmic.exe
Token: SeIncBasePriorityPrivilege	1656	wmic.exe
Token: SeCreatePagefilePrivilege	1656	wmic.exe
Token: SeBackupPrivilege	1656	wmic.exe
Token: SeRestorePrivilege	1656	wmic.exe
Token: SeShutdownPrivilege	1656	wmic.exe
Token: SeDebugPrivilege	1656	wmic.exe
Token: SeSystemEnvironmentPrivilege	1656	wmic.exe
Token: SeRemoteShutdownPrivilege	1656	wmic.exe
Token: SeUndockPrivilege	1656	wmic.exe
Token: SeManageVolumePrivilege	1656	wmic.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe
1652	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2608	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4124	436	cheeto.exe	77
PID 436 wrote to memory of 4124	436	cheeto.exe	77
PID 436 wrote to memory of 2992	436	cheeto.exe	80
PID 436 wrote to memory of 2992	436	cheeto.exe	80
PID 436 wrote to memory of 5112	436	cheeto.exe	82
PID 436 wrote to memory of 5112	436	cheeto.exe	82
PID 436 wrote to memory of 3872	436	cheeto.exe	84
PID 436 wrote to memory of 3872	436	cheeto.exe	84
PID 436 wrote to memory of 2336	436	cheeto.exe	86
PID 436 wrote to memory of 2336	436	cheeto.exe	86
PID 436 wrote to memory of 3048	436	cheeto.exe	88
PID 436 wrote to memory of 3048	436	cheeto.exe	88
PID 436 wrote to memory of 1656	436	cheeto.exe	90
PID 436 wrote to memory of 1656	436	cheeto.exe	90
PID 436 wrote to memory of 4264	436	cheeto.exe	92
PID 436 wrote to memory of 4264	436	cheeto.exe	92
PID 436 wrote to memory of 3476	436	cheeto.exe	94
PID 436 wrote to memory of 3476	436	cheeto.exe	94
PID 436 wrote to memory of 3352	436	cheeto.exe	96
PID 436 wrote to memory of 3352	436	cheeto.exe	96
PID 436 wrote to memory of 860	436	cheeto.exe	98
PID 436 wrote to memory of 860	436	cheeto.exe	98
PID 436 wrote to memory of 4796	436	cheeto.exe	100
PID 436 wrote to memory of 4796	436	cheeto.exe	100
PID 4796 wrote to memory of 2344	4796	cmd.exe	102
PID 4796 wrote to memory of 2344	4796	cmd.exe	102
PID 1960 wrote to memory of 1388	1960	chrome.exe	108
PID 1960 wrote to memory of 1388	1960	chrome.exe	108
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 3148	1960	chrome.exe	109
PID 1960 wrote to memory of 432	1960	chrome.exe	110
PID 1960 wrote to memory of 432	1960	chrome.exe	110
PID 1960 wrote to memory of 3348	1960	chrome.exe	111
PID 1960 wrote to memory of 3348	1960	chrome.exe	111
PID 1960 wrote to memory of 3348	1960	chrome.exe	111

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2992	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cheeto.exe
"C:\Users\Admin\AppData\Local\Temp\cheeto.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\cheeto.exe"
  2⤵
  - Views/modifies file attributes
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cheeto.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:4264
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:860
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\cheeto.exe" && pause
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:2344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97200ab58,0x7ff97200ab68,0x7ff97200ab78
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:2
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:1
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4164 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4348 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:8
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1796,i,13074497499391876259,2648692014614088414,131072 /prefetch:8
  2⤵
  PID:2352

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97200ab58,0x7ff97200ab68,0x7ff97200ab78
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3820 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:1
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4316 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4736 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4716 --field-trial-handle=1940,i,739001258986638570,13851075112784601801,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1576

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4576

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2608

Network

DNS

gstatic.com

cheeto.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

172.217.16.227
DNS

8.8.8.8.in-addr.arpa

cheeto.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

ip-api.com

cheeto.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
DNS

discord.com

cheeto.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.138.232
DNS

clientservices.googleapis.com

cheeto.exe

Remote address:

8.8.8.8:53

Request

clientservices.googleapis.com

IN A

Response

clientservices.googleapis.com

IN A

142.250.187.195
DNS

202.187.250.142.in-addr.arpa

cheeto.exe

Remote address:

8.8.8.8:53

Request

202.187.250.142.in-addr.arpa

IN PTR

Response

202.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f101e100net
DNS

238.16.217.172.in-addr.arpa

cheeto.exe

Remote address:

8.8.8.8:53

Request

238.16.217.172.in-addr.arpa

IN PTR

Response

238.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f141e100net

238.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f14�I
DNS

clients2.google.com

cheeto.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.206
DNS

nexusrules.officeapps.live.com

cheeto.exe

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.227.11
DNS

67.169.217.172.in-addr.arpa

cheeto.exe

Remote address:

8.8.8.8:53

Request

67.169.217.172.in-addr.arpa

IN PTR

Response

67.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f31e100net
DNS

clientservices.googleapis.com

cheeto.exe

Remote address:

8.8.8.8:53

Request

clientservices.googleapis.com

IN A

Response

clientservices.googleapis.com

IN A

142.250.187.195
DNS

227.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.16.217.172.in-addr.arpa

IN PTR

Response

227.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f31e100net

227.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f3�H
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

232.137.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.137.159.162.in-addr.arpa

IN PTR

Response
DNS

www.googleapis.com

Remote address:

8.8.8.8:53

Request

www.googleapis.com

IN A

Response

www.googleapis.com

IN A

142.250.187.202

www.googleapis.com

IN A

142.250.180.10

www.googleapis.com

IN A

142.250.200.42

www.googleapis.com

IN A

172.217.169.10

www.googleapis.com

IN A

142.250.179.234

www.googleapis.com

IN A

142.250.200.10

www.googleapis.com

IN A

142.250.178.10

www.googleapis.com

IN A

142.250.187.234

www.googleapis.com

IN A

172.217.16.234

www.googleapis.com

IN A

216.58.204.74

www.googleapis.com

IN A

172.217.169.74

www.googleapis.com

IN A

216.58.201.106
DNS

www.google.com

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.187.196
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net
DNS

apis.google.com

Remote address:

8.8.8.8:53

Request

apis.google.com

IN A

Response

apis.google.com

IN CNAME

plus.l.google.com

plus.l.google.com

IN A

172.217.16.238
DNS

play.google.com

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

172.217.169.46
DNS

206.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.187.250.142.in-addr.arpa

IN PTR

Response

206.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f141e100net
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdcus03.centralus.cloudapp.azure.com

onedscolprdcus03.centralus.cloudapp.azure.com

IN A

13.89.178.27
GET

http://ip-api.com/line/?fields=hosting

cheeto.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 23 Jun 2024 11:11:48 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
GET

http://ip-api.com/json/?fields=225545

cheeto.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Sun, 23 Jun 2024 11:11:50 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 163
Access-Control-Allow-Origin: *
X-Ttl: 57
X-Rl: 43
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CIn/ygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

196.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.187.250.142.in-addr.arpa

IN PTR

Response

196.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f41e100net
DNS

www.gstatic.com

Remote address:

8.8.8.8:53

Request

www.gstatic.com

IN A

Response

www.gstatic.com

IN A

216.58.212.195
DNS

195.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.212.58.216.in-addr.arpa

IN PTR

Response

195.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f31e100net

195.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f3�H

195.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f195�H
DNS

46.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.169.217.172.in-addr.arpa

IN PTR

Response

46.169.217.172.in-addr.arpa

IN PTR

lhr48s08-in-f141e100net
DNS

fonts.gstatic.com

Remote address:

8.8.8.8:53

Request

fonts.gstatic.com

IN A

Response

fonts.gstatic.com

IN A

216.58.201.99
DNS

beacons.gcp.gvt2.com

Remote address:

8.8.8.8:53

Request

beacons.gcp.gvt2.com

IN A

Response

beacons.gcp.gvt2.com

IN CNAME

beacons-handoff.gcp.gvt2.com

beacons-handoff.gcp.gvt2.com

IN A

172.217.169.67
DNS

27.178.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

27.178.89.13.in-addr.arpa

IN PTR

Response
GET

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.iZZZ0XsR8bM.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAQ/rs=AHpOoo_0-97nH_2IxP0suYF105-PdJv4zg/cb=gapi.loaded_0

chrome.exe

Remote address:

172.217.16.238:443

Request

GET /_/scs/abc-static/_/js/k=gapi.gapi.en.iZZZ0XsR8bM.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAQ/rs=AHpOoo_0-97nH_2IxP0suYF105-PdJv4zg/cb=gapi.loaded_0 HTTP/2.0
host: apis.google.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
x-client-data: CIn/ygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
POST

https://play.google.com/log?format=json&hasfast=true

chrome.exe

Remote address:

172.217.169.46:443

Request

POST /log?format=json&hasfast=true HTTP/2.0
host: play.google.com
content-length: 947
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
content-type: application/x-www-form-urlencoded;charset=UTF-8
accept: */*
origin: chrome-untrusted://new-tab-page
x-client-data: CIn/ygE=
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.2%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D46%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D46%2526e%253D1

chrome.exe

Remote address:

142.250.187.206:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.2%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D46%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D46%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=20.SE=TJt7d7FXwiNpTAx9kU6j_WVtgdiKZX0xQztf3R7yWFszbS3HLEksnhWG33m4AnYDIYOT9JFndRojqUWV7mLx1Qy2K8hiKk4bliv8qMHN4xABOUEHV_pmshsU_c99r2vzbEDXxj0Ox9nMjW0XRBG808gaTDPIrr4MQp5gMjo743Q
POST

https://beacons.gcp.gvt2.com/domainreliability/upload

chrome.exe

Remote address:

172.217.169.67:443

Request

POST /domainreliability/upload HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 270
content-type: application/json; charset=utf-8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
POST

https://beacons.gcp.gvt2.com/domainreliability/upload

chrome.exe

Remote address:

172.217.169.67:443

Request

POST /domainreliability/upload HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 540
content-type: application/json; charset=utf-8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
POST

https://beacons.gcp.gvt2.com/domainreliability/upload

chrome.exe

Remote address:

172.217.169.67:443

Request

POST /domainreliability/upload HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 637
content-type: application/json; charset=utf-8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

172.217.16.227:443

gstatic.com

tls

cheeto.exe

803 B
5.3kB
8
8
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

cheeto.exe

310 B
267 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

cheeto.exe

285 B
472 B
5
3

HTTP Request

GET http://ip-api.com/json/?fields=225545

HTTP Response

200
162.159.137.232:443

discord.com

tls

cheeto.exe

444.1kB
11.9kB
330
117
142.250.187.196:443

https://www.google.com/async/newtab_promos

tls, http2

chrome.exe

2.8kB
44.5kB
36
53

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos
172.217.16.238:443

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.iZZZ0XsR8bM.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAQ/rs=AHpOoo_0-97nH_2IxP0suYF105-PdJv4zg/cb=gapi.loaded_0

tls, http2

chrome.exe

3.0kB
50.8kB
38
43

HTTP Request

GET https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.iZZZ0XsR8bM.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAQ/rs=AHpOoo_0-97nH_2IxP0suYF105-PdJv4zg/cb=gapi.loaded_0
172.217.169.46:443

https://play.google.com/log?format=json&hasfast=true

tls, http2

chrome.exe

2.8kB
9.3kB
15
17

HTTP Request

POST https://play.google.com/log?format=json&hasfast=true
142.250.187.206:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.2%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D46%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D46%2526e%253D1

tls, http2

chrome.exe

2.1kB
9.6kB
15
18

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.2%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D46%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D46%2526e%253D1
142.250.187.196:443

www.google.com

tls

chrome.exe

953 B
4.6kB
8
9
172.217.169.67:443

beacons.gcp.gvt2.com

tls, http2

chrome.exe

999 B
5.6kB
9
8
172.217.169.67:443

https://beacons.gcp.gvt2.com/domainreliability/upload

tls, http2

chrome.exe

4.4kB
8.2kB
36
37

HTTP Request

POST https://beacons.gcp.gvt2.com/domainreliability/upload

HTTP Request

POST https://beacons.gcp.gvt2.com/domainreliability/upload

HTTP Request

POST https://beacons.gcp.gvt2.com/domainreliability/upload

8.8.8.8:53

gstatic.com

dns

cheeto.exe

747 B
1.2kB
11
11

DNS Request

gstatic.com

DNS Response

172.217.16.227

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

ip-api.com

DNS Response

208.95.112.1

DNS Request

discord.com

DNS Response

162.159.137.232

162.159.135.232

162.159.128.233

162.159.136.232

162.159.138.232

DNS Request

clientservices.googleapis.com

DNS Response

142.250.187.195

DNS Request

202.187.250.142.in-addr.arpa

DNS Request

238.16.217.172.in-addr.arpa

DNS Request

clients2.google.com

DNS Response

142.250.187.206

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.227.11

DNS Request

67.169.217.172.in-addr.arpa

DNS Request

clientservices.googleapis.com

DNS Response

142.250.187.195
8.8.8.8:53

227.16.217.172.in-addr.arpa

dns

760 B
1.5kB
11
11

DNS Request

227.16.217.172.in-addr.arpa

DNS Request

1.112.95.208.in-addr.arpa

DNS Request

232.137.159.162.in-addr.arpa

DNS Request

www.googleapis.com

DNS Response

142.250.187.202

142.250.180.10

142.250.200.42

172.217.169.10

142.250.179.234

142.250.200.10

142.250.178.10

142.250.187.234

172.217.16.234

216.58.204.74

172.217.169.74

216.58.201.106

DNS Request

www.google.com

DNS Response

142.250.187.196

DNS Request

195.187.250.142.in-addr.arpa

DNS Request

apis.google.com

DNS Response

172.217.16.238

DNS Request

play.google.com

DNS Response

172.217.169.46

DNS Request

206.187.250.142.in-addr.arpa

DNS Request

11.227.111.52.in-addr.arpa

DNS Request

self.events.data.microsoft.com

DNS Response

13.89.178.27
142.250.187.196:443

www.google.com

https

chrome.exe

3.1kB
7.1kB
9
8
8.8.8.8:53

196.187.250.142.in-addr.arpa

dns

481 B
808 B
7
7

DNS Request

196.187.250.142.in-addr.arpa

DNS Request

www.gstatic.com

DNS Response

216.58.212.195

DNS Request

195.212.58.216.in-addr.arpa

DNS Request

46.169.217.172.in-addr.arpa

DNS Request

fonts.gstatic.com

DNS Response

216.58.201.99

DNS Request

beacons.gcp.gvt2.com

DNS Response

172.217.169.67

DNS Request

27.178.89.13.in-addr.arpa
224.0.0.251:5353

chrome.exe

408 B
6
142.250.187.196:443

www.google.com

https

chrome.exe

10.1kB
196.6kB
82
190
172.217.16.238:443

apis.google.com

https

chrome.exe

4.7kB
51.5kB
26
44
172.217.169.46:443

play.google.com

https

chrome.exe

6.3kB
8.1kB
16
16
142.250.187.206:443

clients2.google.com

https

chrome.exe

3.9kB
8.1kB
11
12
172.217.169.67:443

beacons.gcp.gvt2.com

https

chrome.exe

2.9kB
6.3kB
5
7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
60bbc192dd26ee52247b0156ee1df427

SHA1
ac903b225dfb28bb8e1648653fb5712bc205916b

SHA256
1644b5e335173640acc6e79f9212c9b84c0498308db5168a0e9a6011f02c609b

SHA512
767dd86ede9b08cbd3a048cc93f8e0a64ee0e8924ee6272a89a3da608228e722e7872d44a066c3e2a13b8a27df9b40e46a7b28498e7936fecd8c97d13c5c36b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
6e0c39e4221aebb5cbd03c3aab629913

SHA1
dbaa812068e93f8331b8474c0c71e105d1f2c4c8

SHA256
82034312e7af64469d5bed106ad6b0d83601f4e57eb888f184fb515b1a6b6aec

SHA512
6c4d95279abcb13242f457d9ca4da7c84c3d25a2e51d2078430bad8e79ae1c6534b6fd9e8b098c95bd06fa553876e6f7c9321b12d1604c9e866b1d95cc152f0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
6f6c33afd34e64194371b6e449401679

SHA1
a420961672ac707619bf3bca3dbd08fe6fbd2f11

SHA256
62add6c4720000dd7533afad0e4fd87ce9bb377543b94e350935837c7e46da08

SHA512
a2f1b4d3293490242340bf153bf8aaf53218a45c8113ed9c5468ae23011486d51d4671fa8057e9cee6d2ef410b482b569b25852ce623146a3c13b5c6c52b6c18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
011e4aca502eff80e9b69ba422e1dc72

SHA1
be09cade14d8ebb3a8f5e7f0bace2efac4c75dba

SHA256
da52c160a1e6e0d2a6a3be6c40de0359229d3ff38cddf01723c635c38874ed95

SHA512
9ace6cc51c9eade6f8dc516043ab0a20c05c80e7f2166dec86d07b1a341ec011a966ed8613890d33e807d3955f6b21fa4b139f287e9016e199ed6377e533c554

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
54043669662d05105013aecd8fa81615

SHA1
dc650be86cd4e342d2ba4c944d2047eecbfd187d

SHA256
f702c8a438f79ab4d99042f7bf9cce31b0a777d88d464931af18a17002057f46

SHA512
9c21f8597a60c0b55592c884d78dda1792b34ed0d33b4a05bb01151a01e5cd684241d58865f9d07ce919e58d24ac8e40786e01a8cced5863db06349b272822a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
34KB

MD5
a7bc61aa08dc38d8d8a6e02d8cc75972

SHA1
a602a43dd886d50c9937fd8de66f0df789ae5967

SHA256
e7418dd8e55d31fab9f5248c3ae5e7c94eaf99fb4dd9a2c05d9bfe77f7607526

SHA512
946440af2166afa47785a409ef805644ecb015af628249345ba349927e8edfd34ee6a7ef9594b6cb9fa7c8057b90637265f249a44d8d91e0c5770d518e38deef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
59KB

MD5
caaa5222d179a24ca5540080c7018b99

SHA1
1f415a7a73a12a4c16f25709504f4e4e4beae9dd

SHA256
b729255f2e984a20fa0f0eb07e08368cf468fd17ff27a7d1dbb4042ec261d8cf

SHA512
71b4f878aa154ba4a8523c2e36faa8dbe3cfafa082b18796d8b69539dee9506253b9e55fc9b71cc2c9027d22ae08587b0e2ddadbc8d3395dbb73584d1ca1ebcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
41KB

MD5
cfd2fdfedddc08d2932df2d665e36745

SHA1
b3ddd2ea3ff672a4f0babe49ed656b33800e79d0

SHA256
576cff014b4dea0ff3a0c7a4044503b758bceb6a30c2678a1177446f456a4536

SHA512
394c2f25b002b77fd5c12a4872fd669a0ef10c663b2803eb66e2cdaee48ca386e1f76fe552200535c30b05b7f21091a472a50271cd9620131dfb2317276dbe6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
4043ab332bc96640727854d0c6183034

SHA1
12aa7186d5dffd31d88adfff9c1557c82e82a8a5

SHA256
40e3048e9664fbe9f316d0bafe8ae9d80a026e03485307f7d6dec33f582f0646

SHA512
24f84d635406ca715283af07672c344a9e4f6cfb26d32a17218e152736f2ffe3c4eecc25899746314c55d05d091ebecd23dba581bb69aed5ab24be492769bd78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
317B

MD5
284a4a0938c25db2b7f3168008d3b0ff

SHA1
a8bdabb5c9ecfa121ba3db5cd9c03a703c65e1be

SHA256
a56d336a144ec2efeba12a2e3c8b54d17501652379e02e28154c33f36514f0e6

SHA512
b220cb1a3aa84afbfba328b42e7cc90cb51d86dd1d077d7a3b7908e37b8e74aa6d0d8cbebdb25f7b0614ccb4c98dd5157e506a879a44d40dd51ed1799d7d20af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
29b3137234d0c65ebf357aa80cf8d428

SHA1
b37dde924414bd806ec1fc38f50b2296ffbf0a9d

SHA256
6ac34ffc34165f4846bb81da5c32c6c7097751b881c3c102f89909990022eaa3

SHA512
48018b649bf5558aa89446c4d109b018a89b0ed923715932bba295c9deb97ae00da62a6aaadc68a1088952820fc87ffba7e96adf40bcef9b12605c7710139c8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
2e2ee494dcc8f53c145072209a1661b1

SHA1
ac824af8d1810e3148f0817281ce1fcef0c2407f

SHA256
2cbf45b9ebf80a33dffe6898923df9a25de0c304e2c4d9be0a43f9d93ac8bad8

SHA512
51eee210a8a2bd8f05bcdb4c84831e37d3be648195feda8e1721b2126efe2e2157783e7c17402c52a24206ec8653bfffb35f1e4be69580d76acd804321542675

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
33c1929ec889259977fad8360c1cffcb

SHA1
f700ee4f4c82adc1bcc6c26a1affaaadc2126d0f

SHA256
e50d3f4b63348ba207fbfcfb92bd630e016a5351775f9a33ddb88dc99fa2a97c

SHA512
9758b86c4ebc9d9c80cc0006b37066970ed1b082cc531df6cd7b65d14806ddaf6c7d179823874fbb86d08fd28991838095564e65e4765255afa6e5439b41456c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2ef8ddf8c4d2f46cbb10d9effcc05527

SHA1
70c95ca7c8060011485a3a138a35d8633b2501d1

SHA256
7294cbe60282db685bf18d8225e1ecf4a2b89b1db582c1010c44b1093e08c064

SHA512
df4e63f23150ec4e093e159a9b14506ce7588f4d7a95a0f2eade5ddef366716a74642cf5827554b486ab1878c12bad81bb160198756132147753177c9006e142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
be56c5b38955227f9c191b721bbae53e

SHA1
f010757699ddfa6f873edfb0626742a9e5fa3c3a

SHA256
61b026ef699d660a3d68bac7eaba70c3604f3f7a77bee043822530502642c889

SHA512
08207b6069bc20d891bfb6c8c63117be474a06895b0d9394732bf8afecc6da235d184ab8dc5021faf596c692b0fdd01ec107e4b19cf706302053a22bfe95fe61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
09a6c002a5409ecbf9a6e9ed35f74cab

SHA1
3e7de551035df32d5b425a994d847d87771783e9

SHA256
9a067635380849c299897b24dd7846170bdee48740d6d0ec6d29a6a2f385248a

SHA512
600a5045a7e1467e867ed3358585619bb6fc726cb0ccfd9930f002dc9e32c03c9f368fadb16d5f6ad0be9ff08b2f9cdd06cfd5eeffc6175ebb5b3a21d62f4b61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
baae5e55facea5f41a617a9bd4f70b86

SHA1
e0895fe6ad826ebcccf4540eb504a1c50b7c9fe5

SHA256
660a4e6d45e4922ddc5c58846dd631c42e3a4d298e9174ea53cf9f8ed3328498

SHA512
594021621d8d6f5e1a280bb1d2ff4ee9cee4235cedf190392b82736a3b3ed56169c3a785a19d13655da1e4caa71b11195fac20991eaa36adba57affe8f120815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c0a1f4708d0fc001d26cc46912df3c55

SHA1
43f862c40e00ee9900b292e82e837f247868cdc1

SHA256
b8d5cd80b01512da0a52cad9584d2945671d35f958db50379144d17f987af046

SHA512
b0a3bc7c11342e64e26c83c0f327c1a4529286753c545bce5d32baf0cc17161897179f99c460fecad99db1f31765bfeeae1fb4cd661696f8c14fe09d88560487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
08f17a4125aeab1775fb41794dbfb5bc

SHA1
722d21d2b1e9f8fa780b3116af9ee1cd32dd761a

SHA256
817dab2f73dd4539ef470e532fe6573071c7816a2af7d51dd07a0e3aab464fae

SHA512
b01fe84171543603d549c7427d5e7be405f9e8c438ced268d2a66d8035f830bfdacb79ceb41d47f661223e8a742ebd44f713e9a433210796cfc1b249790bd145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6f53997d83c5dfd439f47f807cd7245e

SHA1
f3cbeef03ffc979c63d6ba6d7465375949e3611b

SHA256
6491a94ba64163deb1ae539fb108c876b7052d2e651d18c6d66b602c17e7c94c

SHA512
71035ec848f44052c647ac4dc6ce39aacafbd9644ce864a6d0e5959b533a12dba21b83d3c08d99290a1ce79b0f9e226c3edbabd218cc78e8f5d975be131a45eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
721405564c0b7988a5d87c6918d7c021

SHA1
dfc7312dd57324b6f54e3dbb0468c0e035bf4064

SHA256
7c39ba0caef0333acd5c0a368f0da04365c16df7bc83e169bc2cd74ebe569924

SHA512
411ddee8526faf34712797f8be72d2fb3d374b6fcf934f97e11622c53660480e79746df2c6da7c4eeebcd00db552c81b9760f4f5b40cad156db6553224d828ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5934f5352e4c7e37795deab3a1f0b39e

SHA1
33347c44867bca38a1ad9cb3acc3f7c06ca69e6f

SHA256
a4fbec2f2fe36608bf407b6c0e5d86dd440e78f2d8c1c438809f4996ee4af690

SHA512
287c31202401754774f4b9849399ff77cf3fae85b5267ba6da837bb907cc4dde3ccba3f4efac1a2a669ef7ab30167fedb05c1269ab91b013dc1c34f42bddc1a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9a2df410f7acf1bda0a9d14dc8fe56e5

SHA1
39f0d3e0733791c7bd8b5bfc6eea77cd6f6b1181

SHA256
609dad0f97bd4c00a18f960235b7711c4fc685460a68d883d37fed4f2032b2f3

SHA512
0417f36c63373fdc385d2c1e23c02285c3b96480545eb499f514fd49446b10f989ad06a45ec07840bd3c373d9016351d84a653ac4c59724cfd8968ed32d6a987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
65ad248c3c6154149d44443fa966586a

SHA1
08c4843e8ce83946a87745757157fbc28f11fcbd

SHA256
30e878e1c4c315631f541e17018a2a5612694b24aa6e2da41bd2bc53f976d0af

SHA512
5b3802e6d9323323e905b8d91c22cbfd24483b97470a2b99b5b0187afcde33e0cdce0a7eac7a6d48efddcd87de6ef8c55b632c4ec80dd7f60fad22cd001a83e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
232B

MD5
8a30a1fdd0459d9ea8b1e78a8e636856

SHA1
9d7225e97f9cfcfb225cfbfd0b0bba21d4efdd20

SHA256
88fe1d31608930f2738d102d45c75dc77acdf01a1b69bfb7e7c0281575b75e33

SHA512
b529bce870cd8165bf82f3ebf94f07552467bd0993b9d35145182e54e26fb2ae8e7bb167d88267b632757e2146f27dfddf8867db0c66e5dcc306db12ec6b7bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
320B

MD5
c9ee0b55e6073411e1189fdbcca78441

SHA1
f7a9217dd8a0e27668f43f044942efe90580197e

SHA256
069226f23f25d5b48e811ad575c34a66c987cbf4e63576f35246d0c4a583e05d

SHA512
fd5c0153c5a72258eace8106f53ba87617834002bdea546284888da2aac75a542f474a8275c9d7cd2420fc0ec6decb2c704a8cd08ab38a46d731289154c103f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13363614748004516

Filesize
2KB

MD5
41ea1defb61592d8bea56c95268b7176

SHA1
395b950f922a802590feac23191bc58bf09139aa

SHA256
4fe24ede64be4874dcb481a5933b6d63fd2bf13b05db52ddff6a24ab26ea0ae0

SHA512
1e7e9909da8c8de68165e5f8b39795f52f27414b90fe3c864d94238232129fa2c3c272557834098bc088539005c6c5541f58f803ca4f2fea0db0144ef6e38ed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
0d985b74827dfb0dd406b5369ecd7bd0

SHA1
7d3eca03f0b08c1f6ea0481aebd07fd324a43735

SHA256
b3efc7787e7b320b236d25876b7d7c306b4c1604207f2f569615f9d1367a7f3b

SHA512
a24a1d86b6d8bcfb9d88b126ac822a8b8811436b15aae71a298d6448cd3162ff8541c43a5dc8db52b9c66dab5a9355ed248b8d69df06662d9940a9c663afff9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
15KB

MD5
b39be71bcbcffa45d332af2ed5928c0b

SHA1
bb5520be6d50286767ed0c2ac06780eba6b645b3

SHA256
3cde4417e7fb01d7e3469d290552246dd1f21a1c68e076554764eceb2f2c0159

SHA512
9105c12af9bcbdb84b1249ccbe8b079dc24d42ae105476e90a31ba34e477bfb9bc0d7477d2e9610fc82e5584a08b1f15c781f4aa630283b3cbcc4fd8d803e8ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
7b1248eb48525256a214a55a78335b82

SHA1
b026013162e7bd362baad94c11dc61612a2385dc

SHA256
0ab6b44633f4c4466d4a390f630bef73c8242e46cfbf7e4dbc644e5ffb453757

SHA512
e3a6ff2a1e7fd26e6d81ce09a1e1dd62505a10534d84a612daae43e55e9fd524cf7e97e6f46409b9af9c2108514b42b91884a4aa4b24c06ee698826d93fa591c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
1KB

MD5
ff25badda05dd05f3d5d70f0ccd92a30

SHA1
e91aeced231c1329e77d40b52e37a5e7b8150519

SHA256
77208e3c61ecfb226c3deff3f7e112f44d2c3a4b2d8bdd1cb075f0018e7b14f9

SHA512
e44e57c83146ccf2f410ebda612b2e0ca2aaa4c8a200a98d61e867cab3324fc9ea2f4d140ef99bbeef916d29d3b4b3de57611e1cb976dda45314abfd3e3d7747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
32288fc79ae1d627c9755c45370d872c

SHA1
41ba8947349bbec0899760232090c6f7e91a1a81

SHA256
869d24b5b207f869629bf1a5296bdeb46cf53f58e4fba9ad58a3b012a030bfab

SHA512
dab3433848c45db45d28a2d3a91c64a60fd4237edc94fa0959c47153bfd10c1c88dfb7510eb5c6d040c144b7563a12ba40f8152dfb1df36c5bd6eab5ec6d185f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
889B

MD5
befe20692d6033d8186c4b88787a2b72

SHA1
aa80c019d748c6654e252eb90737137228b17707

SHA256
2938ab39d7f856282081d3ad30c1e2da7be573ad534b79d9532d2542671cfaef

SHA512
eb2c9186a8e41be2019b894886cf648b9329b10dc9b76d0ded322ea14d4d31191555458c99717a48117dfb720f54022c8aa14116ce29e682b52cd29c37e2df3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
882cfafea14f13f179694cf6ffeb9f8d

SHA1
c349aa1a98f49d62fd6d71d008266990e2fedf21

SHA256
73ecc42b645fb1ae814696dc7e3ea12a230012d19ec2faefee85dd852029d661

SHA512
ce7e7d48611e0dcc3a57308ef867447d2a43b5deadf85aa3164ff6b1a8d52681b16a9b871f51c6c94d5cd2e721727e83b8f93aa6d3daaaadf4250c69e1f151ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
44KB

MD5
099027031498d58bec921fefacf1ff19

SHA1
0e8732e1171a5e8e94704ef3d4686a91c4fa87de

SHA256
1443f352c9adcb8b37ad0e8ee9a71dd707aa396a34b522b5de6ae8e41c50b931

SHA512
406fc545259681d19684d3f58d72fecfd318495927828ade9eaf6b1b0060b15c812472d87a882f6ef9e4049ae4bcafe39b92c5d1c4e8941d213fe410e65c98e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
c4d0d49131921ad0a5c9ce651c7eeeb8

SHA1
b589ba2879d14c62dec1680b33d401694495fdbd

SHA256
c8505e8925ba82fe13386d1b84f4cd11f547a8d911169889ff2b378c3f6bd113

SHA512
60a20b47334c6edb85a195acc5db85d39129971309c042a6be0d3e424930dd6c76702761331629846db9f3558d94b4757bc0a5ea20b196ced5fc0cc939ef2bbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
4.0MB

MD5
1efe2587473d75c80c0b0827d5845397

SHA1
4ab70bdbaa733b4ea46c210cdfdd0eb9c1951982

SHA256
f3205b7453098e79448889fd853cb8b24ccdb3d522939ff85d6aee6a75436d3e

SHA512
ab63c4935ed759b07108286016570902bf66f1519194d19076817f705b7ad1728f60cf861d09b4d0a1fa81d495a62eef0a075165e42549ba6e2d2e1093941241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
5cbabab93584ffc7a2c7cbc2698283d5

SHA1
afc382da29aa2961a9bbfdd7d7221963c9fcdab4

SHA256
eba4b665456906cdfc7ba7115e0c035b3e0d111ec0a0ec5a224e428d25df392d

SHA512
5eed525f3ee322a2f5d51941ed50c35f7e4b82eeea522aef6897e172fcfe70ea0b90197c196f54bdbb167cf6aeec02b1c0db77cfc720d5803bbd507669fb096f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
9f0dcb2b1fd587d3bafb9c701e3621b2

SHA1
c068494c557eb2908340323d012f83d53532e958

SHA256
74da2cad6e8d068cc4ffd5a5cef007c79b77bb50e733a94c3c7b8fbf05b8222e

SHA512
0e05bd50db1c1b927c7afbf809318fec7ac287f53f4a84746a1a379e156634ba7af8fcc10e6e0db6139ef7a5334bd75dc8a674bbaf47b7af8ed55788c6bc1842

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
b626c6c9304f060bfe8fdb0aa25ef743

SHA1
4ce08b0288518f1c88617155c9b84a242060dbca

SHA256
0b23f01218f70cc7d91a334543e1fc3434db31feeb6b8b5c59c0f80f2b770162

SHA512
7113d202130b6adb1b1971ebf2606fb95f15d7adbf1d36b8c6817ff0f55baa7dcca9a035fe176008026baf0a02799638801e4eb1d80b66ac87a961c145f8ffb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
49132d0c520380abfe38dd0f81f68191

SHA1
0f347782e7b79d6978310e8ca1b976108163edc5

SHA256
9dbc41680d0292e191e16c95af767e4bc531743c9af7722ee29129d5d7645950

SHA512
992a33aa9a89abc965c22c881e6b6f36a0e83576057673d56435e0c914e3ebc4d0b5007661e7193752ca2e6724951dc1bc2781587e50fbc4ebc3330685c5c82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
4B

MD5
60bb6268824fc5b71e33c0090f65726c

SHA1
ea47f392afb796d5328d41562a26a8df9dba8a1a

SHA256
0d98daf3244d6d2c2a56530bf86da3b30c8d807b25de2579178620bee43ab6c7

SHA512
989cc59335b070b9cb8920c78738feb063258ef4034c97a4c58bd719f43851cde6a14de0c152fb148920e0feeefc1674606993641a60f7300c2d7ce6ccc5b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
fa21dd50b4e64421076f843031c8ccf7

SHA1
2c56e94f130c0d8d77116e939ffee4e37cf982bd

SHA256
e4f21aca1e12aafa8de7af24b79a75526e902c7d4b3fea5bdb6e723976997be3

SHA512
b8de2bfeb7af06c587dd1f424d410cf83471f31a55a3ea4c4481ce07ffd9bf66ddc1f7775ecd6ac65ac33baaec90ba5a208a9aefc84f31125a50dfb919982687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17d36e2871735da5dc714f2989e25f06

SHA1
15fd7420c63c69cc5c543c1dd51bbd85a32802b5

SHA256
815e7a726cf6bb33f206036ed3e65db8cb93857375275aca95212d6e6ce143e6

SHA512
edf49d1499f99f7eade0ec9c9459bb82629059b1bec78dca5a7df465a78c9b4d026c4c0da7c7be590606dba96402d9cc2186b305f4f994dd85a3d291e3d2d5e8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
df46eb1fe5d54a0521d9965203a4a9da

SHA1
e977aae1bb82f3d57267ead3b91df3d82d6d50c6

SHA256
6076a9ea8f52f5ad109fbe29f955ee052f626b22ee45366bfa83f70706744b1d

SHA512
5bc5f8d247ba164f1af6f4ae902906568a4e9baf05c9782d999e537730d8cfe443daac6f44aa246f27e9678237a4b57a7e8411e3c4fbe88e943525cdb2ae239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q04zb405.vv3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/436-85-0x00007FF971810000-0x00007FF9722D2000-memory.dmp

Filesize
10.8MB

Download
memory/436-68-0x000001C8BA620000-0x000001C8BA632000-memory.dmp

Filesize
72KB

Download
memory/436-32-0x000001C8BA5B0000-0x000001C8BA600000-memory.dmp

Filesize
320KB

Download
memory/436-33-0x000001C8BA430000-0x000001C8BA44E000-memory.dmp

Filesize
120KB

Download
memory/436-31-0x000001C8D2D20000-0x000001C8D2D96000-memory.dmp

Filesize
472KB

Download
memory/436-0-0x000001C8B84D0000-0x000001C8B8510000-memory.dmp

Filesize
256KB

Download
memory/436-1-0x00007FF971813000-0x00007FF971815000-memory.dmp

Filesize
8KB

Download
memory/436-2-0x00007FF971810000-0x00007FF9722D2000-memory.dmp

Filesize
10.8MB

Download
memory/436-67-0x000001C8BA590000-0x000001C8BA59A000-memory.dmp

Filesize
40KB

Download
memory/5112-17-0x00007FF971810000-0x00007FF9722D2000-memory.dmp

Filesize
10.8MB

Download
memory/5112-3-0x00007FF971810000-0x00007FF9722D2000-memory.dmp

Filesize
10.8MB

Download
memory/5112-12-0x000001CFCA9E0000-0x000001CFCAA02000-memory.dmp

Filesize
136KB

Download
memory/5112-14-0x00007FF971810000-0x00007FF9722D2000-memory.dmp

Filesize
10.8MB

Download
memory/5112-13-0x00007FF971810000-0x00007FF9722D2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.