cryptolocker | d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

Analysis

max time kernel
110s
max time network
110s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08/01/2025, 16:52 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CryptoLocker.exe
Size

338KB
MD5

04fb36199787f2e3e2135611a38321eb
SHA1

65559245709fe98052eb284577f1fd61c01ad20d
SHA256

d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512

533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
SSDEEP

6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

Score

10^/10

cryptolocker discovery persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker

Deletes itself 1 IoCs

pid	Process
3352	{34184A33-0407-212E-3320-09040709E2C2}.exe

Executes dropped EXE 2 IoCs

pid	Process
3352	{34184A33-0407-212E-3320-09040709E2C2}.exe
2448	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133808287647273911"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
928	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
928	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3352	5040	CryptoLocker.exe	78
PID 5040 wrote to memory of 3352	5040	CryptoLocker.exe	78
PID 5040 wrote to memory of 3352	5040	CryptoLocker.exe	78
PID 3352 wrote to memory of 2448	3352	{34184A33-0407-212E-3320-09040709E2C2}.exe	79
PID 3352 wrote to memory of 2448	3352	{34184A33-0407-212E-3320-09040709E2C2}.exe	79
PID 3352 wrote to memory of 2448	3352	{34184A33-0407-212E-3320-09040709E2C2}.exe	79
PID 2840 wrote to memory of 4216	2840	chrome.exe	83
PID 2840 wrote to memory of 4216	2840	chrome.exe	83
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 2248	2840	chrome.exe	85
PID 2840 wrote to memory of 2248	2840	chrome.exe	85
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86

C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000238
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4ba2cc40,0x7ffc4ba2cc4c,0x7ffc4ba2cc58
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3564,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4256,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4612,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:2
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5192,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:3524

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2796

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2828

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4716

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:928

Network

DNS

234.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.179.250.142.in-addr.arpa

IN PTR

Response

234.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f101e100net
DNS

clients2.google.com

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.238
DNS

33.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

33.200.250.142.in-addr.arpa

IN PTR

Response

33.200.250.142.in-addr.arpa

IN PTR

lhr48s30-in-f11e100net
DNS

fonts.gstatic.com

Remote address:

8.8.8.8:53

Request

fonts.gstatic.com

IN A

Response

fonts.gstatic.com

IN A

142.250.187.195
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net
DNS

osftulaaugnojl.info

Remote address:

8.8.8.8:53

Request

osftulaaugnojl.info

IN A

Response
DNS

rlpnexhvjpugir.biz

Remote address:

8.8.8.8:53

Request

rlpnexhvjpugir.biz

IN A

Response
DNS

mfdwwimynrnwjo.co.uk

Remote address:

8.8.8.8:53

Request

mfdwwimynrnwjo.co.uk

IN A

Response
DNS

bfhmokpsphocql.net

Remote address:

8.8.8.8:53

Request

bfhmokpsphocql.net

IN A

Response
DNS

pogesgwpbbdyhw.org

Remote address:

8.8.8.8:53

Request

pogesgwpbbdyhw.org

IN A

Response
DNS

imiiueawhtrmqb.com

Remote address:

8.8.8.8:53

Request

imiiueawhtrmqb.com

IN A

Response
DNS

jxpvyuuionuxfb.biz

Remote address:

8.8.8.8:53

Request

jxpvyuuionuxfb.biz

IN A

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

bg.microsoft.map.fastly.net

bg.microsoft.map.fastly.net

IN A

199.232.214.172

bg.microsoft.map.fastly.net

IN A

199.232.210.172
DNS

r.bing.com

Remote address:

8.8.8.8:53

Request

r.bing.com

IN A

Response

r.bing.com

IN CNAME

p-static.bing.trafficmanager.net

p-static.bing.trafficmanager.net

IN CNAME

r.bing.com.edgekey.net

r.bing.com.edgekey.net

IN CNAME

e86303.dscx.akamaiedge.net

e86303.dscx.akamaiedge.net

IN A

2.18.66.89

e86303.dscx.akamaiedge.net

IN A

2.18.66.56

e86303.dscx.akamaiedge.net

IN A

2.18.66.57

e86303.dscx.akamaiedge.net

IN A

2.18.66.64

e86303.dscx.akamaiedge.net

IN A

2.18.66.75

e86303.dscx.akamaiedge.net

IN A

2.18.66.88

e86303.dscx.akamaiedge.net

IN A

2.18.66.65

e86303.dscx.akamaiedge.net

IN A

2.18.66.74

e86303.dscx.akamaiedge.net

IN A

2.18.66.49
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

wndpwhmrkpbmmb.com

Remote address:

8.8.8.8:53

Request

wndpwhmrkpbmmb.com

IN A

Response
DNS

login.live.com

Remote address:

8.8.8.8:53

Request

login.live.com

IN A

Response

login.live.com

IN CNAME

login.msa.msidentity.com

login.msa.msidentity.com

IN CNAME

www.tm.lg.prod.aadmsa.trafficmanager.net

www.tm.lg.prod.aadmsa.trafficmanager.net

IN CNAME

prdv4a.aadg.msidentity.com

prdv4a.aadg.msidentity.com

IN CNAME

www.tm.v4.a.prd.aadg.trafficmanager.net

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

40.126.31.67

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.71

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

40.126.31.69

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.4

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.64

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.23

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

20.190.159.73

www.tm.v4.a.prd.aadg.trafficmanager.net

IN A

40.126.31.71
DNS

yjbpvxhtlaqptm.biz

Remote address:

8.8.8.8:53

Request

yjbpvxhtlaqptm.biz

IN A

Response
DNS

lnhfoggflknadl.ru

Remote address:

8.8.8.8:53

Request

lnhfoggflknadl.ru

IN A

Response
DNS

lnhfoggflknadl.ru

Remote address:

8.8.8.8:53

Request

lnhfoggflknadl.ru

IN A

Response
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CK2KywE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGNva-rsGIjBhOxhXURDIhYgf8gsDH4Umzzgir5VzFtTp2dCgBqpMpb1Y26M1dYEK6xgX0NfcegIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGNva-rsGIjBhOxhXURDIhYgf8gsDH4Umzzgir5VzFtTp2dCgBqpMpb1Y26M1dYEK6xgX0NfcegIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGNva-rsGIjA7iqAI9Z_-L87krp7ROc3C7_1P5sw9wn4GkJagrq7woxstC-Wj_-Kg0qDo3AGJaAEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

142.250.187.196:443

Request

GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGNva-rsGIjA7iqAI9Z_-L87krp7ROc3C7_1P5sw9wn4GkJagrq7woxstC-Wj_-Kg0qDo3AGJaAEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
x-client-data: CK2KywE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D93%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D93%2526e%253D1

chrome.exe

Remote address:

142.250.187.238:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D93%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D93%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=22.SE=dmlKUPEe0eg2pB5Fsa9laD8sI3unfMe_WW72g3u4QOFgnQ2rWu2SwP49hrkdzzS0Et7fwoKiu3QLOg_5WrDLr8R1wLD1d8Snbn-MSph8VE1JL82pF8WAWQX7SSvVBnRao-FFsABE8KCPQ_Cv_gQ0xV1aMT5v_DpS6e4LFAai36RfHbwbMJSHxDusE9Y_EL3l-dM
GET

https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx

chrome.exe

Remote address:

142.250.200.33:443

Request

GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/2.0
host: clients2.googleusercontent.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

89.66.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.66.18.2.in-addr.arpa

IN PTR

Response

89.66.18.2.in-addr.arpa

IN PTR

a2-18-66-89deploystaticakamaitechnologiescom
DNS

lsoioqaaampmel.co.uk

Remote address:

8.8.8.8:53

Request

lsoioqaaampmel.co.uk

IN A

Response
DNS

lyaunplgcgtjte.net

Remote address:

8.8.8.8:53

Request

lyaunplgcgtjte.net

IN A

Response
DNS

browser.pipe.aria.microsoft.com

Remote address:

8.8.8.8:53

Request

browser.pipe.aria.microsoft.com

IN A

Response

browser.pipe.aria.microsoft.com

IN CNAME

browser.events.data.trafficmanager.net

browser.events.data.trafficmanager.net

IN CNAME

onedscolprdeus18.eastus.cloudapp.azure.com

onedscolprdeus18.eastus.cloudapp.azure.com

IN A

20.42.73.30
DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

30.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.73.42.20.in-addr.arpa

IN PTR

Response
DNS

fp.msedge.net

Remote address:

8.8.8.8:53

Request

fp.msedge.net

IN A

Response

fp.msedge.net

IN CNAME

1.perf.msedge.net

1.perf.msedge.net

IN CNAME

a-0019.a-msedge.net

a-0019.a-msedge.net

IN CNAME

a-0019.a.dns.azurefd.net

a-0019.a.dns.azurefd.net

IN CNAME

a-0019.standard.a-msedge.net

a-0019.standard.a-msedge.net

IN A

204.79.197.222
DNS

www.bing.com

Remote address:

8.8.8.8:53

Request

www.bing.com

IN A

Response

www.bing.com

IN CNAME

www-www.bing.com.trafficmanager.net

www-www.bing.com.trafficmanager.net

IN CNAME

www.bing.com.edgekey.net

www.bing.com.edgekey.net

IN CNAME

e86303.dscx.akamaiedge.net

e86303.dscx.akamaiedge.net

IN A

2.18.66.177

e86303.dscx.akamaiedge.net

IN A

2.18.66.163

e86303.dscx.akamaiedge.net

IN A

2.18.66.88

e86303.dscx.akamaiedge.net

IN A

2.18.66.89

e86303.dscx.akamaiedge.net

IN A

2.18.66.64

e86303.dscx.akamaiedge.net

IN A

2.18.66.162

e86303.dscx.akamaiedge.net

IN A

2.18.66.75

e86303.dscx.akamaiedge.net

IN A

2.18.66.74

e86303.dscx.akamaiedge.net

IN A

2.18.66.65
DNS

yxiawocsuekgty.org

Remote address:

8.8.8.8:53

Request

yxiawocsuekgty.org

IN A

Response
DNS

btgavfwuvoajtl.info

Remote address:

8.8.8.8:53

Request

btgavfwuvoajtl.info

IN A

Response
DNS

btgavfwuvoajtl.info

Remote address:

8.8.8.8:53

Request

btgavfwuvoajtl.info

IN A

Response
DNS

222.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.197.79.204.in-addr.arpa

IN PTR

Response
DNS

njffnwbhmuddtk.co.uk

Remote address:

8.8.8.8:53

Request

njffnwbhmuddtk.co.uk

IN A

Response
DNS

rvkeyjviacytyc.com

Remote address:

8.8.8.8:53

Request

rvkeyjviacytyc.com

IN A

Response
DNS

srltsrpnjbyixh.net

Remote address:

8.8.8.8:53

Request

srltsrpnjbyixh.net

IN A

Response
DNS

triexaqkbmowwl.biz

Remote address:

8.8.8.8:53

Request

triexaqkbmowwl.biz

IN A

Response
DNS

triexaqkbmowwl.biz

Remote address:

8.8.8.8:53

Request

triexaqkbmowwl.biz

IN A

Response
DNS

unjtrikpklolfh.ru

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

unjtrikpklolfh.ru

IN A

Response
DNS

unjtrikpklolfh.ru

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

unjtrikpklolfh.ru

IN A

Response
DNS

tgpoyqljkqinun.org

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

tgpoyqljkqinun.org

IN A

Response
DNS

26.35.223.20.in-addr.arpa

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

vcnoxhgllbxqlx.info

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

vcnoxhgllbxqlx.info

IN A

Response
DNS

vcnoxhgllbxqlx.info

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

vcnoxhgllbxqlx.info

IN A

Response
DNS

ieauxvtjwogbny.org

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

ieauxvtjwogbny.org

IN A

Response
DNS

xlgijnlcwskqwm.co.uk

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

xlgijnlcwskqwm.co.uk

IN A

Response
DNS

lvhdrsxjfrsfwk.info

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

lvhdrsxjfrsfwk.info

IN A

Response
DNS

nexusrules.officeapps.live.com

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.229.48
DNS

ykeffxyedyipev.com

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

ykeffxyedyipev.com

IN A

Response
DNS

48.229.111.52.in-addr.arpa

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

mufandlllxqeud.net

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

mufandlllxqeud.net

IN A

Response
DNS

cnjmeqyphpgjwp.biz

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

cnjmeqyphpgjwp.biz

IN A

Response
DNS

cxcs.microsoft.net

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

cxcs.microsoft.net

IN A

Response

cxcs.microsoft.net

IN CNAME

cxcs.microsoft.net.edgekey.net

cxcs.microsoft.net.edgekey.net

IN CNAME

e3230.b.akamaiedge.net

e3230.b.akamaiedge.net

IN A

23.218.72.229
DNS

djkcxvjrptupff.ru

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

djkcxvjrptupff.ru

IN A

Response
DNS

229.72.218.23.in-addr.arpa

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

229.72.218.23.in-addr.arpa

IN PTR

Response

229.72.218.23.in-addr.arpa

IN PTR

a23-218-72-229deploystaticakamaitechnologiescom
DNS

eiiytgwtvasovn.co.uk

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

eiiytgwtvasovn.co.uk

IN A

Response
DNS

haphndbtedfste.com

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

haphndbtedfste.com

IN A

Response
DNS

hdmopietcfolsq.net

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

hdmopietcfolsq.net

IN A

Response
DNS

iynejnovkjdrrl.biz

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

iynejnovkjdrrl.biz

IN A

Response
DNS

edbvtckpekqayl.ru

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

edbvtckpekqayl.ru

IN A

Response
DNS

edbvtckpekqayl.ru

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

edbvtckpekqayl.ru

IN A

Response
DNS

rncqckgdnengpg.org

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

rncqckgdnengpg.org

IN A

Response
DNS

gyyvsmxxikompw.co.uk

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

gyyvsmxxikompw.co.uk

IN A

Response
DNS

tjaqbutlrelspf.info

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

tjaqbutlrelspf.info

IN A

Response
DNS

itgbjjcrstbdyb.com

{34184A33-0407-212E-3320-09040709E2C2}.exe

Remote address:

8.8.8.8:53

Request

itgbjjcrstbdyb.com

IN A

Response

142.250.187.196:443

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGNva-rsGIjA7iqAI9Z_-L87krp7ROc3C7_1P5sw9wn4GkJagrq7woxstC-Wj_-Kg0qDo3AGJaAEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

tls, http2

chrome.exe

3.2kB
17.1kB
33
36

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGNva-rsGIjBhOxhXURDIhYgf8gsDH4Umzzgir5VzFtTp2dCgBqpMpb1Y26M1dYEK6xgX0NfcegIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGNva-rsGIjA7iqAI9Z_-L87krp7ROc3C7_1P5sw9wn4GkJagrq7woxstC-Wj_-Kg0qDo3AGJaAEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
184.164.136.134:80

{34184A33-0407-212E-3320-09040709E2C2}.exe

260 B
5
142.250.187.238:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D93%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D93%2526e%253D1

tls, http2

chrome.exe

2.2kB
9.7kB
14
17

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D93%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D93%2526e%253D1
142.250.200.33:443

https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx

tls, http2

chrome.exe

5.0kB
173.2kB
82
130

HTTP Request

GET https://clients2.googleusercontent.com/crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx
2.18.66.177:443

www.bing.com

tls

9.8kB
88.4kB
92
84
2.18.66.89:443

r.bing.com

tls

1.2kB
5.3kB
17
15
2.18.66.89:443

r.bing.com

tls

1.2kB
5.3kB
17
15
2.18.66.89:443

r.bing.com

tls

1.2kB
5.3kB
17
15
2.18.66.89:443

r.bing.com

tls

1.2kB
5.3kB
17
15
2.18.66.89:443

r.bing.com

tls

75.6kB
1.9MB
1423
1378
2.18.66.89:443

r.bing.com

tls

1.2kB
5.3kB
17
15
20.42.73.30:443

browser.pipe.aria.microsoft.com

tls

3.2kB
7.6kB
19
14
2.18.66.177:443

www.bing.com

tls

BackgroundTransferHost.exe

21.7kB
593.0kB
439
434
13.107.246.254:443

t-ring-s.msedge.net

tls

799 B
7.6kB
11
10
23.218.72.229:443

cxcs.microsoft.net

tls

1.4kB
7.5kB
18
16
104.86.110.97:443

www.bing.com

tls

2.1kB
6.6kB
19
13

8.8.8.8:53

234.179.250.142.in-addr.arpa

dns

1.3kB
3.0kB
20
20

DNS Request

234.179.250.142.in-addr.arpa

DNS Request

clients2.google.com

DNS Response

142.250.187.238

DNS Request

33.200.250.142.in-addr.arpa

DNS Request

fonts.gstatic.com

DNS Response

142.250.187.195

DNS Request

195.187.250.142.in-addr.arpa

DNS Request

osftulaaugnojl.info

DNS Request

rlpnexhvjpugir.biz

DNS Request

mfdwwimynrnwjo.co.uk

DNS Request

bfhmokpsphocql.net

DNS Request

pogesgwpbbdyhw.org

DNS Request

imiiueawhtrmqb.com

DNS Request

jxpvyuuionuxfb.biz

DNS Request

ctldl.windowsupdate.com

DNS Response

199.232.214.172

199.232.210.172

DNS Request

r.bing.com

DNS Response

2.18.66.89

2.18.66.56

2.18.66.57

2.18.66.64

2.18.66.75

2.18.66.88

2.18.66.65

2.18.66.74

2.18.66.49

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

wndpwhmrkpbmmb.com

DNS Request

login.live.com

DNS Response

40.126.31.67

20.190.159.71

40.126.31.69

20.190.159.4

20.190.159.64

20.190.159.23

20.190.159.73

40.126.31.71

DNS Request

yjbpvxhtlaqptm.biz

DNS Request

lnhfoggflknadl.ru

DNS Request

lnhfoggflknadl.ru
142.250.187.196:443

www.google.com

https

chrome.exe

72.2kB
435.2kB
178
398
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

89.66.18.2.in-addr.arpa

dns

728 B
1.9kB
11
11

DNS Request

89.66.18.2.in-addr.arpa

DNS Request

lsoioqaaampmel.co.uk

DNS Request

lyaunplgcgtjte.net

DNS Request

browser.pipe.aria.microsoft.com

DNS Response

20.42.73.30

DNS Request

67.31.126.40.in-addr.arpa

DNS Request

30.73.42.20.in-addr.arpa

DNS Request

fp.msedge.net

DNS Response

204.79.197.222

DNS Request

www.bing.com

DNS Response

2.18.66.177

2.18.66.163

2.18.66.88

2.18.66.89

2.18.66.64

2.18.66.162

2.18.66.75

2.18.66.74

2.18.66.65

DNS Request

yxiawocsuekgty.org

DNS Request

btgavfwuvoajtl.info

DNS Request

btgavfwuvoajtl.info
8.8.8.8:53

222.197.79.204.in-addr.arpa

dns

395 B
803 B
6
6

DNS Request

222.197.79.204.in-addr.arpa

DNS Request

njffnwbhmuddtk.co.uk

DNS Request

rvkeyjviacytyc.com

DNS Request

srltsrpnjbyixh.net

DNS Request

triexaqkbmowwl.biz

DNS Request

triexaqkbmowwl.biz
8.8.8.8:53

unjtrikpklolfh.ru

dns

{34184A33-0407-212E-3320-09040709E2C2}.exe

126 B
187 B
2
2

DNS Request

unjtrikpklolfh.ru

DNS Request

unjtrikpklolfh.ru
8.8.8.8:53

tgpoyqljkqinun.org

dns

{34184A33-0407-212E-3320-09040709E2C2}.exe

265 B
591 B
4
4

DNS Request

tgpoyqljkqinun.org

DNS Request

26.35.223.20.in-addr.arpa

DNS Request

vcnoxhgllbxqlx.info

DNS Request

vcnoxhgllbxqlx.info
8.8.8.8:53

ieauxvtjwogbny.org

dns

{34184A33-0407-212E-3320-09040709E2C2}.exe

1.1kB
2.3kB
17
17

DNS Request

ieauxvtjwogbny.org

DNS Request

xlgijnlcwskqwm.co.uk

DNS Request

lvhdrsxjfrsfwk.info

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.229.48

DNS Request

ykeffxyedyipev.com

DNS Request

48.229.111.52.in-addr.arpa

DNS Request

mufandlllxqeud.net

DNS Request

cnjmeqyphpgjwp.biz

DNS Request

cxcs.microsoft.net

DNS Response

23.218.72.229

DNS Request

djkcxvjrptupff.ru

DNS Request

229.72.218.23.in-addr.arpa

DNS Request

eiiytgwtvasovn.co.uk

DNS Request

haphndbtedfste.com

DNS Request

hdmopietcfolsq.net

DNS Request

iynejnovkjdrrl.biz

DNS Request

edbvtckpekqayl.ru

DNS Request

edbvtckpekqayl.ru
8.8.8.8:53

rncqckgdnengpg.org

dns

{34184A33-0407-212E-3320-09040709E2C2}.exe

259 B
561 B
4
4

DNS Request

rncqckgdnengpg.org

DNS Request

gyyvsmxxikompw.co.uk

DNS Request

tjaqbutlrelspf.info

DNS Request

itgbjjcrstbdyb.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6c6c45078744dd2c986b84d0ede5386a

SHA1
cb15bf663a09d02429f96bd627fdb08552b92c12

SHA256
5271ac7d69b74553a440e63adac77db3724ef9540a992fab48d001bfbe379d68

SHA512
cd38804785acd7eb46020236391032ec6ea548f110a7a43631ba52e8cfab65fd1be29bb891f866a2755992a33bed7196ca78e739d61d4ec41b443d1fdb30545b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
758b28afd1800135ad22288a20522b87

SHA1
b0a0adc504f122fdf3c1315214a9699aaf2c0828

SHA256
1ac677393e410f0af1a5592e2dad24ba2991142a96e611c624434b298eee90fe

SHA512
fd7388366cc5b7c4f39f12287cc748d8ef337d097b91ca91490b4257bc846e062970cab2d3037084971eec0e7281a2dd54a4cb67f2b16847882cfd2b0b82cc95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\468c7054-fa39-4d8a-9b21-70ed25efe134.tmp

Filesize
2KB

MD5
dd79b74453975eaef948ed10f8ea98d3

SHA1
36166b611db3a96ed46925034bf076f9214422f6

SHA256
0f488164c38348c00de3f3f102ff17baee0a0655981c5ef0ac8ae0b00b6856e4

SHA512
a254a63690b65df73c086e6ccc89fe723d3b5b04005370ef60694e3489aa4090e8e8b72b24ad87c1250a1592c2b67f45956b2cf8e5d534a7230c288dbdc055ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7136b075370349a1874402f20c0aad39

SHA1
a2ff548fd7cb8514281d88ea64427880dea6df8c

SHA256
42d27a25f968f779c57edc0bd38afc2dbb544d4f9ac5474faa79459ed3f7b09e

SHA512
bc9a0adf3f260458951574ccf5dfe6a87d9e6d35b3f3e239b6ee89693c77d20f7f8bc13685b816445d677adb84b58639b94298dd0fd259aebf00889b328832f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0c9034548c66d2f0d3de53dd1b1d303

SHA1
8e72db371a638235625d85918d1e50937aea2f43

SHA256
5a018324ef3af1106a8326f8541540c878fda537b46f285224f10e76ff96ecbd

SHA512
3df38e0dc69fe00ee0f07718b3e0dbaf318ec006858a48e06cca5bbfc23b1ef68f333cb4f0ce5a8d98ecdb4cf5c0f574685d04b0afa394b988c9e80739f20e57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cfb818a91dd7f26b2001769fae98e32c

SHA1
fee8ee9344a5b326e4c4dcda8574818eb24652ef

SHA256
045d8cf59ad52d1f0fd48313eb074901f6cf609bdcf5941abe285a54f45ba0a4

SHA512
5ddd3d42fa177c5a89bcac470a0f552ed32e8b616f59d7de2d772544ab3af235f10490cefcc3152313e0b8302334916ea60fffffa8aec383e963c471e9dcb0c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
862fb253b2c189a529bd2539e026b679

SHA1
ec227beba468247fca022fa94c4272f2b91658bb

SHA256
88410880e61813dc511cb7124a82589762713f9e023245713d814795593c0dad

SHA512
2e70eca2e18d8a28d4a76659b69344f30c8ed1fcc13dac9de2c6f7afe5b0b5685ddc418c3990fba613a75bac97a8ceb5e647ab51864ebefe63b20b3e39feeea3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
237288bfbe8c4fb2f70d691d890484cb

SHA1
e97b9a3ab2805ebf5edbf31369c6f6e0b7cfbd47

SHA256
d96c16b8aff93a6d9c494640f4d079267459dfaae4bfe500a4ed69c610b83270

SHA512
eab5daee942612b698658caff9da250b69f3eabe350272648324c93391a17a5fe72789f00beaa07e8cb88c5b9337fdc40c2365278f36d992ec998361f2e28408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a95289eb691fbfecb0a828de1323969a

SHA1
24f46f84517ebbc488e36112df8e6b23f41639f0

SHA256
cc99b0496b9049fc0b4a7060766a7fe479ee80ba0c96ddf37457c61bcb877713

SHA512
5059456874c303ded8be9d01287bc0ed6f7c39adab5ed7a40f127440c2d4850417c596c80cfa9798907e81d5d9f2e8c4d119d79377960b426562b5609d4ac1d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
d4631a335e9ca1aed51b03470fb2b2c5

SHA1
2bf7e8ce8b2ce8bf84a9f136f3c3e868dcf88dbd

SHA256
71be53a99adad818a6fc16e2338a0396f8b4ba04197a15d0b847546cce0656f8

SHA512
9822556b1954368fd51002f8a0c64be774be7a55278b81edd0d9c113c7c902b3a7d7c6947460c0f21901f790a971c9e5495ed4fc395988712f1ccf8fa96b3bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
5e50e8dfe61df5ba8f315667b7f5b458

SHA1
2170657452ae169d7c3857faad8ae6e50c1f5ad2

SHA256
2374bdab4d345809c3320c7d7db775968333cb3d2323c7500fee793b0bc5635a

SHA512
28ab154180fd759f8980ac13af78023cdf58df6f8d48b63224e0d447557d432828bd20978f62e626924315ec77f5d3ce8585757a3f0b8409a1d6a25edb26847e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
16856f8fcb1f57a1234bd4a31c044817

SHA1
2b98a873768e1889643f5dc3f2cf7a286d2e3be8

SHA256
9da727ebf79a8ee7086e7bac5b97db682546127534691c3e357f61fac86e0067

SHA512
8d968d978bc28b431632d8dcfdf36daaaafc69d67f038ce86ca70bd40206fc1125d87c75067cfd7c3ecad89d21dc7e2e794c9777b7f9f53f73366b1c1ba389a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
d19ba24cd24f9f41cfd5ebdf56064c0b

SHA1
bd612e06979cf8712a51f77b71b09b3fba0538fc

SHA256
66b9b9b445ee17260dcbe40e41529ea0c3dc25d3522f9f9bd8c616fa1b5b1761

SHA512
eb562bec94aa4308a45eabd65b0df300dae52fcc1722193ce923a70ad3926a222f6e676fe07cbe166b3c0d3f131c7927afc9d1b9a20f80a71f7c5918a88f791c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
8377b4f69f1304e68299b7826bb95cc6

SHA1
0f9288475f7e8a89ac9007f231ea3079276b305b

SHA256
4b3a8d93bdc5dfb7f9ca186bf01af23a2e5b9850436dc68bfc0721c9cac177b9

SHA512
80ed00c9118ed1582c19e36fb06f6df2ef66978d6f8e59f157629257d62414f8dac25e016016215df6843debe3022694b1bde700e7733e3f9859a41c0045b379

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d9ac3d75-2242-422b-82e0-3c5685b6b160.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2840_362253736\46571982-c899-4249-a95b-fa51a66dc90f.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2840_362253736\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request