ammyyadmin | 32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e

Analysis

max time kernel
174s
max time network
199s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 22:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
Size

476KB
MD5

76f37b780edf118a0364fab327167a0c
SHA1

78dbbff57068378e4709afea5ba35561eb157ef5
SHA256

32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e
SHA512

f677065ad4a920fbd819dae3eff010f35b794ac3d2f2031acbad8162fa4cb9d398420ba5d665b4260f0a17832d149e617d097be5c4986ea7a31a33fd3878b7b3
SSDEEP

12288:y5QaO7SIsbbv4/lDv0zMrcoZPPPKW1ICFBCGw:ravv4tDKMrVPKsIkCGw

Score

10^/10

ammyyadmin flawedammyy rhadamanthys smokeloader backdoor bootkit collection persistence rat stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

1
0x4b4ad520

rc4.i32

1
0x6eefbfb0

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015c7f-169.dat	family_ammyyadmin
behavioral1/files/0x0008000000015c7f-171.dat	family_ammyyadmin
behavioral1/files/0x0008000000015c7f-175.dat	family_ammyyadmin
behavioral1/files/0x0008000000015c7f-174.dat	family_ammyyadmin
behavioral1/files/0x0008000000015c7f-180.dat	family_ammyyadmin

Detect rhadamanthys stealer shellcode 7 IoCs

resource	yara_rule
behavioral1/memory/2632-18-0x0000000002190000-0x0000000002590000-memory.dmp	family_rhadamanthys
behavioral1/memory/2632-19-0x0000000002190000-0x0000000002590000-memory.dmp	family_rhadamanthys
behavioral1/memory/2632-20-0x0000000002190000-0x0000000002590000-memory.dmp	family_rhadamanthys
behavioral1/memory/2632-21-0x0000000002190000-0x0000000002590000-memory.dmp	family_rhadamanthys
behavioral1/memory/2632-31-0x0000000002190000-0x0000000002590000-memory.dmp	family_rhadamanthys
behavioral1/memory/2632-33-0x0000000002190000-0x0000000002590000-memory.dmp	family_rhadamanthys
behavioral1/memory/2632-35-0x0000000002190000-0x0000000002590000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2632 created 1232	2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	11

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

pid	Process
2532	certreq.exe

Executes dropped EXE 14 IoCs

pid	Process
2884	S~R3i6xrB.exe
1492	S~R3i6xrB.exe
820	S~R3i6xrB.exe
1448	S~R3i6xrB.exe
1688	S~R3i6xrB.exe
2468	B8b~X1zi.exe
1600	S~R3i6xrB.exe
644	S~R3i6xrB.exe
608	S~R3i6xrB.exe
1064	S~R3i6xrB.exe
2760	S~R3i6xrB.exe
2756	S~R3i6xrB.exe
1596	B8b~X1zi.exe
592	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
780	explorer.exe
780	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2468 set thread context of 1596	2468	B8b~X1zi.exe	46

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B8b~X1zi.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B8b~X1zi.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B8b~X1zi.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
2532	certreq.exe
2532	certreq.exe
2532	certreq.exe
2532	certreq.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
2884	S~R3i6xrB.exe
1596	B8b~X1zi.exe
1596	B8b~X1zi.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1232	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

pid	Process
1596	B8b~X1zi.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
780	explorer.exe
780	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
Token: SeDebugPrivilege	2884	S~R3i6xrB.exe
Token: SeDebugPrivilege	2468	B8b~X1zi.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
592	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2952	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	29
PID 2792 wrote to memory of 2952	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	29
PID 2792 wrote to memory of 2952	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	29
PID 2792 wrote to memory of 2952	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	29
PID 2792 wrote to memory of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2792 wrote to memory of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2792 wrote to memory of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2792 wrote to memory of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2792 wrote to memory of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2792 wrote to memory of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2792 wrote to memory of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2792 wrote to memory of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2792 wrote to memory of 2632	2792	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	30
PID 2632 wrote to memory of 2532	2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	32
PID 2632 wrote to memory of 2532	2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	32
PID 2632 wrote to memory of 2532	2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	32
PID 2632 wrote to memory of 2532	2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	32
PID 2632 wrote to memory of 2532	2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	32
PID 2632 wrote to memory of 2532	2632	32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe	32
PID 2884 wrote to memory of 1492	2884	S~R3i6xrB.exe	35
PID 2884 wrote to memory of 1492	2884	S~R3i6xrB.exe	35
PID 2884 wrote to memory of 1492	2884	S~R3i6xrB.exe	35
PID 2884 wrote to memory of 1492	2884	S~R3i6xrB.exe	35
PID 2884 wrote to memory of 820	2884	S~R3i6xrB.exe	36
PID 2884 wrote to memory of 820	2884	S~R3i6xrB.exe	36
PID 2884 wrote to memory of 820	2884	S~R3i6xrB.exe	36
PID 2884 wrote to memory of 820	2884	S~R3i6xrB.exe	36
PID 2884 wrote to memory of 1448	2884	S~R3i6xrB.exe	37
PID 2884 wrote to memory of 1448	2884	S~R3i6xrB.exe	37
PID 2884 wrote to memory of 1448	2884	S~R3i6xrB.exe	37
PID 2884 wrote to memory of 1448	2884	S~R3i6xrB.exe	37
PID 2884 wrote to memory of 1688	2884	S~R3i6xrB.exe	44
PID 2884 wrote to memory of 1688	2884	S~R3i6xrB.exe	44
PID 2884 wrote to memory of 1688	2884	S~R3i6xrB.exe	44
PID 2884 wrote to memory of 1688	2884	S~R3i6xrB.exe	44
PID 2884 wrote to memory of 644	2884	S~R3i6xrB.exe	43
PID 2884 wrote to memory of 644	2884	S~R3i6xrB.exe	43
PID 2884 wrote to memory of 644	2884	S~R3i6xrB.exe	43
PID 2884 wrote to memory of 644	2884	S~R3i6xrB.exe	43
PID 2884 wrote to memory of 1600	2884	S~R3i6xrB.exe	42
PID 2884 wrote to memory of 1600	2884	S~R3i6xrB.exe	42
PID 2884 wrote to memory of 1600	2884	S~R3i6xrB.exe	42
PID 2884 wrote to memory of 1600	2884	S~R3i6xrB.exe	42
PID 2884 wrote to memory of 1064	2884	S~R3i6xrB.exe	41
PID 2884 wrote to memory of 1064	2884	S~R3i6xrB.exe	41
PID 2884 wrote to memory of 1064	2884	S~R3i6xrB.exe	41
PID 2884 wrote to memory of 1064	2884	S~R3i6xrB.exe	41
PID 2884 wrote to memory of 608	2884	S~R3i6xrB.exe	40
PID 2884 wrote to memory of 608	2884	S~R3i6xrB.exe	40
PID 2884 wrote to memory of 608	2884	S~R3i6xrB.exe	40
PID 2884 wrote to memory of 608	2884	S~R3i6xrB.exe	40
PID 2884 wrote to memory of 2756	2884	S~R3i6xrB.exe	39
PID 2884 wrote to memory of 2756	2884	S~R3i6xrB.exe	39
PID 2884 wrote to memory of 2756	2884	S~R3i6xrB.exe	39
PID 2884 wrote to memory of 2756	2884	S~R3i6xrB.exe	39
PID 2884 wrote to memory of 2760	2884	S~R3i6xrB.exe	38
PID 2884 wrote to memory of 2760	2884	S~R3i6xrB.exe	38
PID 2884 wrote to memory of 2760	2884	S~R3i6xrB.exe	38
PID 2884 wrote to memory of 2760	2884	S~R3i6xrB.exe	38
PID 2468 wrote to memory of 1596	2468	B8b~X1zi.exe	46
PID 2468 wrote to memory of 1596	2468	B8b~X1zi.exe	46
PID 2468 wrote to memory of 1596	2468	B8b~X1zi.exe	46
PID 2468 wrote to memory of 1596	2468	B8b~X1zi.exe	46
PID 2468 wrote to memory of 1596	2468	B8b~X1zi.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
PID:1232
- C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
    C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
    3⤵
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
    C:\Users\Admin\AppData\Local\Temp\32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2632
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:456
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2064
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1460
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2960
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1660
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1796
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1496
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2364
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1128
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1788
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1720
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1388
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1320
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:748
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\1526.tmp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\1526.tmp\svchost.exe -debug
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    PID:592
  - - C:\Windows\SysWOW64\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:1936

C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
"C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:608
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe
  2⤵
  - Executes dropped EXE
  PID:1688

C:\Users\Admin\AppData\Local\Microsoft\B8b~X1zi.exe
"C:\Users\Admin\AppData\Local\Microsoft\B8b~X1zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Microsoft\B8b~X1zi.exe
  C:\Users\Admin\AppData\Local\Microsoft\B8b~X1zi.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1596

Network

DNS

amxt25.xyz

certreq.exe

Remote address:

8.8.8.8:53

Request

amxt25.xyz

IN A

Response

amxt25.xyz

IN A

45.131.66.61
GET

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe

Remote address:

45.131.66.61:80

Request

GET /a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd HTTP/1.1
Host: amxt25.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.70
If-Match: "UWGdRiDGkIRnVdqfST/O/DmufYXCQh97+HurFNvX+mMHeXMaOrNOHWhMFxTeLRzud2CTmUR6bBaGj+BmY2vwJQBlbi1VUw=="
Connection: close

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:43:47 GMT
Content-Type: audio/wav
Content-Length: 1889958
Connection: close
GET

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

certreq.exe

Remote address:

45.131.66.61:80

Request

GET /a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd HTTP/1.1
Host: amxt25.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Upgrade: websocket
Connection: upgrade
Sec-Websocket-Version: 13
Sec-Websocket-Key: lAzzhlT3Moiprsu

Response

HTTP/1.1 101 Switching Protocols

Server: nginx
Date: Tue, 17 Oct 2023 16:44:09 GMT
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Accept: S9V5njINUEsczZhBBYwGRc/Tabo=
GET

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

certreq.exe

Remote address:

45.131.66.61:80

Request

GET /a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd HTTP/1.1
Host: amxt25.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Upgrade: websocket
Connection: upgrade
Sec-Websocket-Version: 13
Sec-Websocket-Key: 4ZSGQfp0oqNfCaf

Response

HTTP/1.1 101 Switching Protocols

Server: nginx
Date: Tue, 17 Oct 2023 16:44:16 GMT
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Accept: V3e/h61v2bXZHsTioxKshRyrPB4=
DNS

servermlogs27.xyz

svchost.exe

Remote address:

8.8.8.8:53

Request

servermlogs27.xyz

IN A

Response

servermlogs27.xyz

IN A

45.131.66.120
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jagfceqxilvnsxvp.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 333
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Tue, 17 Oct 2023 16:44:56 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ndhihgwhrqsrlg.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 242
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Tue, 17 Oct 2023 16:44:56 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://odkyvomhwjovnrc.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 294
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Tue, 17 Oct 2023 16:45:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nnqthhksqfivk.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 124
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://msyhgfibsbyoikpo.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 369
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gjkuquhubhqv.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 351
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hryjnepturnvcis.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 181
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://uqvtlpuntsdm.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 157
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ctqkxmxcrjp.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 133
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dwfijxpflwrh.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 121
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://cyfbgyqmvka.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 299
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nbwvmxkuwddasug.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 205
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

http://servermlogs27.xyz/statweb255/

Explorer.EXE

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qivouhgclujdvdke.net/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 194
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Tue, 17 Oct 2023 16:45:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
DNS

zentrem39.xyz

Explorer.EXE

Remote address:

8.8.8.8:53

Request

zentrem39.xyz

IN A

Response

zentrem39.xyz

IN A

91.200.102.182
POST

http://servermlogs27.xyz/statweb255/

explorer.exe

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://servermlogs27.xyz/statweb255/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 79
Host: servermlogs27.xyz

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 17 Oct 2023 16:45:57 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
DNS

rl.ammyy.com

svchost.exe

Remote address:

8.8.8.8:53

Request

rl.ammyy.com

IN A

Response

rl.ammyy.com

IN A

188.42.129.148
POST

http://rl.ammyy.com/

svchost.exe

Remote address:

188.42.129.148:80

Request

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: rl.ammyy.com
Content-Length: 252
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 17 Oct 2023 16:45:58 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Content-Length: 248
Content-Type: text/html
POST

http://servermlogs27.xyz/statweb255/

svchost.exe

Remote address:

45.131.66.120:80

Request

POST /statweb255/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://servermlogs27.xyz/statweb255/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 105
Host: servermlogs27.xyz

Response

HTTP/1.1 404 Not Found

Server: nginx
Date: Tue, 17 Oct 2023 16:45:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
DNS

www.ammyy.com

svchost.exe

Remote address:

8.8.8.8:53

Request

www.ammyy.com

IN A

Response

www.ammyy.com

IN A

136.243.18.118
GET

http://www.ammyy.com/files/v8/aans64y2.gz

svchost.exe

Remote address:

136.243.18.118:80

Request

GET /files/v8/aans64y2.gz HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Range: bytes=0-
Accept-Encoding: gzip, deflate
Host: www.ammyy.com
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 17 Oct 2023 16:46:00 GMT
Server: Apache/2.4.6 (CentOS)
Location: https://www.ammyy.com/files/v8/aans64y2.gz
Content-Length: 328
Connection: close
Content-Type: text/html; charset=iso-8859-1
GET

https://www.ammyy.com/files/v8/aans64y2.gz

svchost.exe

Remote address:

136.243.18.118:443

Request

GET /files/v8/aans64y2.gz HTTP/1.1
Connection: Keep-Alive
Range: bytes=0-
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Host: www.ammyy.com

Response

HTTP/1.1 206 Partial Content

Date: Tue, 17 Oct 2023 16:46:01 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Sun, 05 Dec 2021 20:54:18 GMT
ETag: "509a4-5d26c580371d1"
Accept-Ranges: bytes
Content-Length: 330148
Content-Range: bytes 0-330147/330148
Connection: close
Content-Type: application/x-gzip
DNS

apps.identrust.com

svchost.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

88.221.25.153

a1952.dscq.akamai.net

IN A

88.221.25.169
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

svchost.exe

Remote address:

88.221.25.153:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Tue, 17 Oct 2023 17:46:01 GMT
Date: Tue, 17 Oct 2023 16:46:01 GMT
Connection: keep-alive

45.131.66.61:80

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

http

32c9c069c7fe9ffdd9086b957e45c03993863730cd1eed4815e226dc1b7b436e_JC.exe

35.4kB
1.9MB
742
1395

HTTP Request

GET http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

HTTP Response

200
45.131.66.61:80

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

http

certreq.exe

7.4kB
2.0kB
19
19

HTTP Request

GET http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

HTTP Response

101
45.131.66.61:80

http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

http

certreq.exe

13.0kB
651.9kB
265
492

HTTP Request

GET http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd

HTTP Response

101
45.131.66.120:80

http://servermlogs27.xyz/statweb255/

http

Explorer.EXE

16.2kB
471.0kB
210
365

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404
91.200.102.182:80

zentrem39.xyz

Explorer.EXE

152 B
3
91.200.102.182:80

zentrem39.xyz

Explorer.EXE

152 B
3
45.131.66.120:80

http://servermlogs27.xyz/statweb255/

http

explorer.exe

11.3kB
444.7kB
209
322

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

200
188.42.129.148:80

http://rl.ammyy.com/

http

svchost.exe

570 B
516 B
4
3

HTTP Request

POST http://rl.ammyy.com/

HTTP Response

200
136.243.104.242:443

https

svchost.exe

272 B
176 B
5
4
45.131.66.120:80

http://servermlogs27.xyz/statweb255/

http

svchost.exe

674 B
1.3kB
5
5

HTTP Request

POST http://servermlogs27.xyz/statweb255/

HTTP Response

404
136.243.18.118:80

http://www.ammyy.com/files/v8/aans64y2.gz

http

svchost.exe

412 B
781 B
5
5

HTTP Request

GET http://www.ammyy.com/files/v8/aans64y2.gz

HTTP Response

301
136.243.18.118:443

https://www.ammyy.com/files/v8/aans64y2.gz

tls, http

svchost.exe

1.7kB
57.7kB
21
45

HTTP Request

GET https://www.ammyy.com/files/v8/aans64y2.gz

HTTP Response

206
88.221.25.153:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

svchost.exe

323 B
1.6kB
4
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200

8.8.8.8:53

amxt25.xyz

dns

certreq.exe

56 B
72 B
1
1

DNS Request

amxt25.xyz

DNS Response

45.131.66.61
8.8.8.8:53

servermlogs27.xyz

dns

svchost.exe

63 B
79 B
1
1

DNS Request

servermlogs27.xyz

DNS Response

45.131.66.120
8.8.8.8:53

zentrem39.xyz

dns

Explorer.EXE

59 B
75 B
1
1

DNS Request

zentrem39.xyz

DNS Response

91.200.102.182
8.8.8.8:53

rl.ammyy.com

dns

svchost.exe

58 B
74 B
1
1

DNS Request

rl.ammyy.com

DNS Response

188.42.129.148
8.8.8.8:53

www.ammyy.com

dns

svchost.exe

59 B
75 B
1
1

DNS Request

www.ammyy.com

DNS Response

136.243.18.118
8.8.8.8:53

apps.identrust.com

dns

svchost.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

88.221.25.153

88.221.25.169

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76fdc8abdcb0d2c3955bc57f1b2b1c9f

SHA1
fd330491e2b28ec3670b466e8aa9e3f26bcd9a58

SHA256
cb870d041edc489a4d9c6219870c4b0fc747df4fc8e91d008ccbf1c17d220455

SHA512
10aea0682f7106d87c82d820904e5734dbe37971bc60dee974c6cbcff50689e34e44cbcb997e17b007c716ea7213332e76e70e8613cb753ff1403594eede4cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B8b~X1zi.exe

Filesize
389KB

MD5
4a97cfd7be5c68006c2e09dd71343ecd

SHA1
db5d13f2768a73eb8f72fe08575c9911b49abfc5

SHA256
5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e

SHA512
a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B8b~X1zi.exe

Filesize
389KB

MD5
4a97cfd7be5c68006c2e09dd71343ecd

SHA1
db5d13f2768a73eb8f72fe08575c9911b49abfc5

SHA256
5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e

SHA512
a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\B8b~X1zi.exe

Filesize
389KB

MD5
4a97cfd7be5c68006c2e09dd71343ecd

SHA1
db5d13f2768a73eb8f72fe08575c9911b49abfc5

SHA256
5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e

SHA512
a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\S~R3i6xrB.exe

Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1526.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1526.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1526.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab24A2.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2532.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\Users\Admin\AppData\Local\Temp\1526.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
\Users\Admin\AppData\Local\Temp\1526.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
memory/456-102-0x00000000003D0000-0x0000000000445000-memory.dmp

Filesize
468KB

Download
memory/456-117-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/456-104-0x0000000000080000-0x00000000000EB000-memory.dmp

Filesize
428KB

Download
memory/592-186-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/592-176-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/748-161-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/780-163-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1128-145-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1128-143-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1128-142-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1232-91-0x00000000029A0000-0x00000000029B6000-memory.dmp

Filesize
88KB

Download
memory/1320-158-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1388-154-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1388-156-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1388-157-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1460-139-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1460-122-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1460-123-0x0000000000090000-0x0000000000094000-memory.dmp

Filesize
16KB

Download
memory/1460-124-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1496-155-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1496-136-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1496-137-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1496-135-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1596-89-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1596-84-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1596-87-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1596-83-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1596-92-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1596-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1660-131-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1660-129-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1660-144-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1660-130-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1720-149-0x00000000000B0000-0x00000000000D1000-memory.dmp

Filesize
132KB

Download
memory/1720-150-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/1720-151-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/1720-148-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/1788-147-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/1788-146-0x0000000000060000-0x0000000000069000-memory.dmp

Filesize
36KB

Download
memory/1796-133-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1796-134-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/1796-132-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/2064-118-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/2064-120-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2064-121-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2364-140-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2364-141-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2364-138-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2468-80-0x0000000000630000-0x0000000000674000-memory.dmp

Filesize
272KB

Download
memory/2468-82-0x00000000006C0000-0x00000000006F2000-memory.dmp

Filesize
200KB

Download
memory/2468-81-0x0000000000D50000-0x0000000000D90000-memory.dmp

Filesize
256KB

Download
memory/2468-78-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-90-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-74-0x0000000000DD0000-0x0000000000E38000-memory.dmp

Filesize
416KB

Download
memory/2532-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-53-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2532-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-37-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2532-22-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2532-23-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2532-79-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2532-77-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2532-51-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-40-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-43-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2532-48-0x0000000077470000-0x0000000077619000-memory.dmp

Filesize
1.7MB

Download
memory/2532-47-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

Filesize
1.2MB

Download
memory/2632-17-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2632-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2632-6-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2632-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2632-8-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2632-35-0x0000000002190000-0x0000000002590000-memory.dmp

Filesize
4.0MB

Download
memory/2632-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-34-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2632-9-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2632-15-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2632-32-0x00000000006C0000-0x00000000006F6000-memory.dmp

Filesize
216KB

Download
memory/2632-33-0x0000000002190000-0x0000000002590000-memory.dmp

Filesize
4.0MB

Download
memory/2632-31-0x0000000002190000-0x0000000002590000-memory.dmp

Filesize
4.0MB

Download
memory/2632-24-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2632-25-0x00000000006C0000-0x00000000006F6000-memory.dmp

Filesize
216KB

Download
memory/2632-16-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2632-18-0x0000000002190000-0x0000000002590000-memory.dmp

Filesize
4.0MB

Download
memory/2632-21-0x0000000002190000-0x0000000002590000-memory.dmp

Filesize
4.0MB

Download
memory/2632-20-0x0000000002190000-0x0000000002590000-memory.dmp

Filesize
4.0MB

Download
memory/2632-19-0x0000000002190000-0x0000000002590000-memory.dmp

Filesize
4.0MB

Download
memory/2792-4-0x0000000002140000-0x00000000021A8000-memory.dmp

Filesize
416KB

Download
memory/2792-3-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/2792-14-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-1-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-0-0x0000000000130000-0x00000000001AE000-memory.dmp

Filesize
504KB

Download
memory/2792-2-0x0000000002050000-0x00000000020C8000-memory.dmp

Filesize
480KB

Download
memory/2792-5-0x0000000000B20000-0x0000000000B6C000-memory.dmp

Filesize
304KB

Download
memory/2884-61-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/2884-62-0x00000000007E0000-0x000000000080C000-memory.dmp

Filesize
176KB

Download
memory/2884-57-0x00000000008B0000-0x00000000008F0000-memory.dmp

Filesize
256KB

Download
memory/2884-58-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-59-0x0000000000740000-0x000000000077E000-memory.dmp

Filesize
248KB

Download
memory/2884-75-0x0000000073E80000-0x000000007456E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-125-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2960-127-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/2960-128-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.