05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97 | Triage

Analysis

max time kernel
45s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 18:52 UTC

Sharing

Report Analysis Logs

General

Target

05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Size

5.9MB
MD5

64e7cd89bb30e3e4ff61954b1eaaa75c
SHA1

f8d19c2493acf007b4dcb045501ef650d4d4a6c4
SHA256

05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97
SHA512

65fa366f0d34624f12feb02e2d0b9842488db8c4b7e85207b7f1c9f213f8c22301dbfdf2e5ea63d5bdee3deeec64d979b2c732c2a13c39cb2c8aeab6e24d2b34
SSDEEP

12288:0XgvmzFHi0mo5aH0qMzd58lv7FVPJQPDHvd:0XgvOHi0mGaH0qSdaFn4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	pmwdfn.exe

UAC bypass 3 TTPs 12 IoCs

Bypass User Account Control

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pmwdfn.exe

Adds policy Run key to start application 2 TTPs 19 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twmzhvmwfrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bictfxsgtjsgvbnu.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twmzhvmwfrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqplczzskftmgriuxmsed.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twmzhvmwfrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqldqjfuizjyoviqp.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twmzhvmwfrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rawpdxukzrcsjrfooa.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twmzhvmwfrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmjdsnlcslxogpeopcg.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wcvlwnhugvdqeju = "eqplczzskftmgriuxmsed.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wcvlwnhugvdqeju = "bictfxsgtjsgvbnu.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wcvlwnhugvdqeju = "bictfxsgtjsgvbnu.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wcvlwnhugvdqeju = "iqldqjfuizjyoviqp.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twmzhvmwfrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rawpdxukzrcsjrfooa.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wcvlwnhugvdqeju = "rawpdxukzrcsjrfooa.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wcvlwnhugvdqeju = "cmjdsnlcslxogpeopcg.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wcvlwnhugvdqeju = "rawpdxukzrcsjrfooa.exe"	pmwdfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wcvlwnhugvdqeju = "paytjfewnhumfpfqsglw.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twmzhvmwfrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\twmzhvmwfrwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bictfxsgtjsgvbnu.exe"	pmwdfn.exe

Disables RegEdit via registry modification 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pmwdfn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pmwdfn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe

Executes dropped EXE 2 IoCs

pid	Process
4924	pmwdfn.exe
3880	pmwdfn.exe

Adds Run key to start application 2 TTPs 64 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bictfxsgtjsgvbnu = "eqplczzskftmgriuxmsed.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iqldqjfuizjyoviqp = "bictfxsgtjsgvbnu.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bictfxsgtjsgvbnu.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "rawpdxukzrcsjrfooa.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bictfxsgtjsgvbnu = "cmjdsnlcslxogpeopcg.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bictfxsgtjsgvbnu = "eqplczzskftmgriuxmsed.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rawpdxukzrcsjrfooa.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqplczzskftmgriuxmsed.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqldqjfuizjyoviqp.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "rawpdxukzrcsjrfooa.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqplczzskftmgriuxmsed.exe ."	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "eqplczzskftmgriuxmsed.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "bictfxsgtjsgvbnu.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bictfxsgtjsgvbnu.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqldqjfuizjyoviqp.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmjdsnlcslxogpeopcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqldqjfuizjyoviqp.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "paytjfewnhumfpfqsglw.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iqldqjfuizjyoviqp = "paytjfewnhumfpfqsglw.exe ."	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmjdsnlcslxogpeopcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqplczzskftmgriuxmsed.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmjdsnlcslxogpeopcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iqldqjfuizjyoviqp = "paytjfewnhumfpfqsglw.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bictfxsgtjsgvbnu = "iqldqjfuizjyoviqp.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmjdsnlcslxogpeopcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqldqjfuizjyoviqp.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rawpdxukzrcsjrfooa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bictfxsgtjsgvbnu.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmjdsnlcslxogpeopcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rawpdxukzrcsjrfooa.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bictfxsgtjsgvbnu = "rawpdxukzrcsjrfooa.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iqldqjfuizjyoviqp = "cmjdsnlcslxogpeopcg.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rawpdxukzrcsjrfooa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqldqjfuizjyoviqp.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqldqjfuizjyoviqp.exe ."	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bictfxsgtjsgvbnu = "cmjdsnlcslxogpeopcg.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rawpdxukzrcsjrfooa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bictfxsgtjsgvbnu = "paytjfewnhumfpfqsglw.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rawpdxukzrcsjrfooa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rawpdxukzrcsjrfooa.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "cmjdsnlcslxogpeopcg.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rawpdxukzrcsjrfooa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqldqjfuizjyoviqp.exe ."	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmjdsnlcslxogpeopcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rawpdxukzrcsjrfooa.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "iqldqjfuizjyoviqp.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmjdsnlcslxogpeopcg.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iqldqjfuizjyoviqp = "cmjdsnlcslxogpeopcg.exe ."	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rawpdxukzrcsjrfooa.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bictfxsgtjsgvbnu.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmjdsnlcslxogpeopcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rawpdxukzrcsjrfooa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmjdsnlcslxogpeopcg.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "iqldqjfuizjyoviqp.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "cmjdsnlcslxogpeopcg.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iqldqjfuizjyoviqp = "iqldqjfuizjyoviqp.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqplczzskftmgriuxmsed.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "paytjfewnhumfpfqsglw.exe ."	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqplczzskftmgriuxmsed.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rawpdxukzrcsjrfooa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\paytjfewnhumfpfqsglw.exe ."	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iqldqjfuizjyoviqp = "eqplczzskftmgriuxmsed.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "bictfxsgtjsgvbnu.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "cmjdsnlcslxogpeopcg.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bictfxsgtjsgvbnu = "iqldqjfuizjyoviqp.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iqldqjfuizjyoviqp = "iqldqjfuizjyoviqp.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "rawpdxukzrcsjrfooa.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmjdsnlcslxogpeopcg.exe"	pmwdfn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tyqfpfykvjqcpt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqplczzskftmgriuxmsed.exe ."	pmwdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swnbkzrcmzfqc = "eqplczzskftmgriuxmsed.exe"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pmwdfn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pmwdfn.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	whatismyip.everdot.org
29	www.showmyipaddress.com
39	whatismyip.everdot.org
40	whatismyipaddress.com
49	whatismyip.everdot.org
55	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wynzgtjsalpyijqslqmodpwjziqbfoyzg.bgc	pmwdfn.exe
File opened for modification	C:\Windows\SysWOW64\fwabxzeczzsqpfbsaufwab.zec	pmwdfn.exe
File created	C:\Windows\SysWOW64\fwabxzeczzsqpfbsaufwab.zec	pmwdfn.exe
File opened for modification	C:\Windows\SysWOW64\wynzgtjsalpyijqslqmodpwjziqbfoyzg.bgc	pmwdfn.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\wynzgtjsalpyijqslqmodpwjziqbfoyzg.bgc	pmwdfn.exe
File created	C:\Program Files (x86)\wynzgtjsalpyijqslqmodpwjziqbfoyzg.bgc	pmwdfn.exe
File opened for modification	C:\Program Files (x86)\fwabxzeczzsqpfbsaufwab.zec	pmwdfn.exe
File created	C:\Program Files (x86)\fwabxzeczzsqpfbsaufwab.zec	pmwdfn.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fwabxzeczzsqpfbsaufwab.zec	pmwdfn.exe
File created	C:\Windows\fwabxzeczzsqpfbsaufwab.zec	pmwdfn.exe
File opened for modification	C:\Windows\wynzgtjsalpyijqslqmodpwjziqbfoyzg.bgc	pmwdfn.exe
File created	C:\Windows\wynzgtjsalpyijqslqmodpwjziqbfoyzg.bgc	pmwdfn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	pmwdfn.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	pmwdfn.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4924	pmwdfn.exe
4924	pmwdfn.exe
4924	pmwdfn.exe
4924	pmwdfn.exe
4924	pmwdfn.exe
4924	pmwdfn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	pmwdfn.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4924	1952	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe	93
PID 1952 wrote to memory of 4924	1952	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe	93
PID 1952 wrote to memory of 4924	1952	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe	93
PID 1952 wrote to memory of 3880	1952	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe	94
PID 1952 wrote to memory of 3880	1952	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe	94
PID 1952 wrote to memory of 3880	1952	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe	94

System policy modification 1 TTPs 39 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	pmwdfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pmwdfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pmwdfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	pmwdfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	pmwdfn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe

C:\Users\Admin\AppData\Local\Temp\05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
"C:\Users\Admin\AppData\Local\Temp\05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1952
- C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe
  "C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe
  "C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:3880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2820

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

126.20.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.20.238.8.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

whatismyip.everdot.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

whatismyip.everdot.org

IN A

Response
DNS

www.whatismyip.ca

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

www.whatismyip.ca

IN A

Response
DNS

www.showmyipaddress.com

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

www.showmyipaddress.com

IN A

Response

www.showmyipaddress.com

IN A

188.114.96.0

www.showmyipaddress.com

IN A

188.114.97.0
GET

http://www.showmyipaddress.com/

pmwdfn.exe

Remote address:

188.114.96.0:80

Request

GET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:20 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:20 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BzkM9lZJPFo8k9C473xfihLxFY5rqCS8ZO4ln%2BHIZfrjnuTjNYRSOLbLJsU0pKysui4D3rYv7f9Q%2BwmrRqBII%2FnDVbZvvGhWEy3SjuNXkkj9R56bW5iUiKUkTOJYUSVyc15UCjtNEOh7oQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82617db2cbab0e28-AMS
alt-svc: h3=":443"; ma=86400
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

0.96.114.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.96.114.188.in-addr.arpa

IN PTR

Response
GET

http://www.showmyipaddress.com/

pmwdfn.exe

Remote address:

188.114.96.0:80

Request

GET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:22 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:22 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Nqy5YIelo6P3KGJga1WHgdn7kcVb2Ww5Qs7Z0Wg5SzcUdeFvD827xoTdHvIi7HAapLm%2FjGOI7BrsTjyJ%2BTOu1Mi2EQu8vyrUM7bALvdOADv%2FUhr2p2XuWtCXvem8QnAf30G328Wrg%2F5DAA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82617dbfff53b908-AMS
alt-svc: h3=":443"; ma=86400
GET

http://www.showmyipaddress.com/

pmwdfn.exe

Remote address:

188.114.96.0:80

Request

GET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:23 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:23 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MNI7QwczpFSt%2FdjSHftlX5wa0Lg79fBnpgzATbTKFidiymfqz55YODAMbhWvcQTX9lGScbCq6txqFzg87qxFkLNzPm59gL8hwrrJ8555vaEuoK7yzD98HIICuSNFMKUHsTiesRuF3FFIzA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82617dc6fd5a6612-AMS
alt-svc: h3=":443"; ma=86400
GET

http://www.showmyipaddress.com/

pmwdfn.exe

Remote address:

188.114.96.0:80

Request

GET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:24 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:24 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0Mts4oMJpw%2B62oBvpSg4LnGGz09ehwaH3fQ9tvx53guEXrWdwONi%2FY4vea979bF5WwsvI6KsBvcx6m3dntv38HXub9L9RkYw%2BZGAVX%2FpqLpmMdM9YUdC5ogzYT2Vi%2BWankHRgZwbC0nOGQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82617dcdd815b94a-AMS
alt-svc: h3=":443"; ma=86400
DNS

whatismyip.everdot.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

whatismyip.everdot.org

IN A

Response
DNS

whatismyipaddress.com

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

whatismyipaddress.com

IN A

Response

whatismyipaddress.com

IN A

104.16.155.36

whatismyipaddress.com

IN A

104.16.154.36
GET

http://whatismyipaddress.com/

pmwdfn.exe

Remote address:

104.16.155.36:80

Request

GET / HTTP/1.1
Host: whatismyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 403 Forbidden

Date: Tue, 14 Nov 2023 18:59:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Tue, 14 Nov 2023 18:59:41 GMT
Set-Cookie: __cf_bm=PCed80FKvmgrli34VIUrE6laC6eulp7oF7NGaHtAg.Y-1699988366-0-AY5s3LCQAU98ig3LodV+RP0rir8mk8o6HRYUJ74MLKE7KFfRoa2Od74/pZ5DU/QeOcZeVgOYJ7lZbahos5xpZY0=; path=/; expires=Tue, 14-Nov-23 19:29:26 GMT; domain=.whatismyipaddress.com; HttpOnly; SameSite=None
Server: cloudflare
CF-RAY: 82617ddb6e860e33-AMS
alt-svc: h3=":443"; ma=86400
DNS

36.155.16.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.155.16.104.in-addr.arpa

IN PTR

Response
DNS

www.whatismyip.com

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

www.whatismyip.com

IN A

Response

www.whatismyip.com

IN A

172.67.189.152

www.whatismyip.com

IN A

104.21.89.158
GET

http://www.whatismyip.com/

pmwdfn.exe

Remote address:

172.67.189.152:80

Request

GET / HTTP/1.1
Host: www.whatismyip.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:27 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:27 GMT
Location: https://www.whatismyip.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BtWR2F2dgyVGPkyWCsaVZMgvs9ZVppEh%2FzBvsuP%2BrgapgWncHnX79K2oMcKjdcEUdvMnQPfRxah8yDon4nRKfCr5%2B%2FRU%2FAwtglnYQzblBW6AoOlN7c5wFZnw8TlVm8QPCuBE8A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 82617de28d8466f0-AMS
alt-svc: h3=":443"; ma=86400
DNS

152.189.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

152.189.67.172.in-addr.arpa

IN PTR

Response
GET

http://www.showmyipaddress.com/

pmwdfn.exe

Remote address:

188.114.96.0:80

Request

GET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:29 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:29 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=j47HsVWuAOHCtHbnSj3QFilGUNnr0i95FlLQp3uec5OzwQfT4fsYV6Q8rulxQjLH9rwhi72pvdiUauExRluSl574t%2BNEA0idZmcEjQARW12QFcaMQZEIALT0fnQj0f%2FyGkLRfnF%2FhiWKGg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82617defbe725c4b-AMS
alt-svc: h3=":443"; ma=86400
GET

http://whatismyipaddress.com/

pmwdfn.exe

Remote address:

104.16.155.36:80

Request

GET / HTTP/1.1
Host: whatismyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 403 Forbidden

Date: Tue, 14 Nov 2023 18:59:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Tue, 14 Nov 2023 18:59:45 GMT
Set-Cookie: __cf_bm=acYt6_sL262aldDujIcA4Ymk0gr03pdtGE.l5.M5HhU-1699988370-0-AbBUBRR3dGJRhrTgXNCfjw/u4jmo+Kkv2jQ2aTKoLmZy5TDGBUMVwQXIOcAt4Y5fhWV/c7yJ6JprgnhTexFK57Q=; path=/; expires=Tue, 14-Nov-23 19:29:30 GMT; domain=.whatismyipaddress.com; HttpOnly; SameSite=None
Server: cloudflare
CF-RAY: 82617df6ac2cb97a-AMS
alt-svc: h3=":443"; ma=86400
GET

http://www.whatismyip.com/

pmwdfn.exe

Remote address:

172.67.189.152:80

Request

GET / HTTP/1.1
Host: www.whatismyip.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:32 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:32 GMT
Location: https://www.whatismyip.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2z4tQRnKcCCm4X%2BE6tsSWyOp3hFFsPNcGYEnZ9c%2FGkTaZ%2BpDrUwZo%2BAM0jOKUTQNOzAOlJDmyzd4K6Bj%2F4n7SVpW1ZeHAIboBVgDtiOUzjzeNLqS4MiqqSmbQBAPhS3MwVAOXw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 82617dfd7c8d0e86-AMS
alt-svc: h3=":443"; ma=86400
DNS

whatismyip.everdot.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

whatismyip.everdot.org

IN A

Response
GET

http://www.whatismyip.com/

pmwdfn.exe

Remote address:

172.67.189.152:80

Request

GET / HTTP/1.1
Host: www.whatismyip.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:34 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:34 GMT
Location: https://www.whatismyip.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zGXJp8KOxyXYPgnyGUCZoznQwAJUnuVe2p6UbaX9QOuFFGJbEgZhAmEa2GOoSq0cdc6iniZSqdkKvnfb43dA17V8fHKTPU9jtivS8cjKM1E2hthG%2FP7fVX4%2Bc81XuUvjE3%2F%2FNQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 82617e0add2b0b54-AMS
alt-svc: h3=":443"; ma=86400
GET

http://www.showmyipaddress.com/

pmwdfn.exe

Remote address:

188.114.96.0:80

Request

GET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:35 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:35 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=k%2BW0fz2yU1JcV7%2F1GKg7KbtISVpPFjfRLfL5wBE1YkvCY8Avu4IPuAzb3etiJsqy3KIR5oRWk6D2FWkBjEFy7OlrWRM6iGliK%2B0Az7WZngU8yp10cWy4BWj70ja5T6BDNnp3sgw2C5lBiw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82617e11cfe7b8b4-AMS
alt-svc: h3=":443"; ma=86400
GET

http://www.showmyipaddress.com/

pmwdfn.exe

Remote address:

188.114.96.0:80

Request

GET / HTTP/1.1
Host: www.showmyipaddress.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 14 Nov 2023 18:59:36 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Tue, 14 Nov 2023 19:59:36 GMT
Location: https://www.showmyipaddress.com/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DpFliSxVwk8ieBRE2Ps7L9WjBb5RByRj9ObjTUjbMW26qJ1ygfKrULx1iujH0E%2BYBXPjIIzSV0e9DGUqOBegQ5m28GJGf3TsJpeSahOL%2BAqDvt6%2FKgs0qVNzF0cj8IFO2EjohIYhVPX7lg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82617e189f6a66c3-AMS
alt-svc: h3=":443"; ma=86400
DNS

whatismyip.everdot.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

whatismyip.everdot.org

IN A

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

www.bbc.co.uk

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

www.bbc.co.uk

IN A

Response

www.bbc.co.uk

IN CNAME

www.bbc.co.uk.pri.bbc.co.uk

www.bbc.co.uk.pri.bbc.co.uk

IN CNAME

bbc.map.fastly.net

bbc.map.fastly.net

IN A

151.101.0.81

bbc.map.fastly.net

IN A

151.101.64.81

bbc.map.fastly.net

IN A

151.101.128.81

bbc.map.fastly.net

IN A

151.101.192.81
GET

http://www.bbc.co.uk/

pmwdfn.exe

Remote address:

151.101.0.81:80

Request

GET / HTTP/1.1
Host: www.bbc.co.uk
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 302 Found

Connection: close
Content-Length: 0
Content-Type: text/plain
cache-control: public, stale-while-revalidate=10, max-age=60
location: https://www.bbc.co.uk/
req-svc-chain: FASTLY,GTM,BELFRAGE
via: 1.1 BBC-GTM, 1.1 Belfrage, 1.1 varnish
x-bbc-no-scheme-rewrite: 1
Origin-Agent-Cluster: ?0
nel: {"report_to":"default","max_age":2592000,"include_subdomains":true,"failure_fraction":0.25}
X-BBC-Edge-Cache-Status: HIT
report-to: {"group":"default","max_age":2592000,"endpoints":[{"url":"https://default.bbc-reporting-api.app/report-endpoint","priority":1}],"include_subdomains":true}
Server: BBC-GTM
Strict-Transport-Security: max-age=31536000; preload
Permissions-Policy: browsing-topics=(), join-ad-interest-group=(), run-ad-auction=()
Fastly-Restarts: 1
Accept-Ranges: bytes
Date: Tue, 14 Nov 2023 18:59:40 GMT
X-Fastly-Cache-Status: HIT-CLUSTER
X-Served-By: cache-ams21048-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1699988381.641365,VS0,VE3
X-Fastly-Pre-Flight-Cache: MISS, HIT
X-Fastly-Pre-Flight-Cache-Status: HIT-CLUSTER
X-cache-age: 50
Vary: x-bbc-edge-scheme
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
DNS

eynqhez.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

eynqhez.info

IN A

Response
DNS

iecnlp.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

iecnlp.info

IN A

Response
DNS

dbhveu.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

dbhveu.net

IN A

Response
DNS

pzhmflzqyya.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

pzhmflzqyya.info

IN A

Response
DNS

nbbitaxblp.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

nbbitaxblp.net

IN A

Response
DNS

ptlcxcnulj.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

ptlcxcnulj.net

IN A

Response
DNS

seqmqe.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

seqmqe.org

IN A

Response
DNS

seqmqe.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

seqmqe.org

IN A

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

81.0.101.151.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.0.101.151.in-addr.arpa

IN PTR

Response
DNS

soyagydjasox.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

soyagydjasox.info

IN A

Response
DNS

soyagydjasox.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

soyagydjasox.info

IN A

Response
DNS

uuygasyqqo.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

uuygasyqqo.org

IN A

Response
DNS

uuygasyqqo.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

uuygasyqqo.org

IN A

Response
DNS

yoisamcgesae.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

yoisamcgesae.org

IN A

Response

yoisamcgesae.org

IN A

162.249.65.164
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301334_1WMRLWCL1PT75T92E&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301334_1WMRLWCL1PT75T92E&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 371643
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DF1FF91514794543963C31CA32B26938 Ref B: BRU30EDGE0912 Ref C: 2023-11-14T18:59:45Z
date: Tue, 14 Nov 2023 18:59:45 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301291_1H8FN9XYY8JWTIM5Q&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301291_1H8FN9XYY8JWTIM5Q&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 477094
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C4E0CF42F97242259524D746EAA1524D Ref B: BRU30EDGE0912 Ref C: 2023-11-14T18:59:45Z
date: Tue, 14 Nov 2023 18:59:45 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301143_11K66B0WIWZ9F4H58&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301143_11K66B0WIWZ9F4H58&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 273239
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 05455FF29AC44D1AA396E09D5EF4C24D Ref B: BRU30EDGE0912 Ref C: 2023-11-14T18:59:45Z
date: Tue, 14 Nov 2023 18:59:45 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317300901_1GFSIP06IOS6OQIXA&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317300901_1GFSIP06IOS6OQIXA&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 410097
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C3271254211E4F3CB0571D3DEAB7527E Ref B: BRU30EDGE0912 Ref C: 2023-11-14T18:59:45Z
date: Tue, 14 Nov 2023 18:59:45 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301552_1IFO1SSFDEAP7NXRO&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301552_1IFO1SSFDEAP7NXRO&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 297105
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3F073E4A0F22457CB7EC0BBCFADAF85F Ref B: BRU30EDGE0912 Ref C: 2023-11-14T18:59:45Z
date: Tue, 14 Nov 2023 18:59:45 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301700_18ZUY5V0A74HOX1SZ&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301700_18ZUY5V0A74HOX1SZ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 541005
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 627AF0678AD5457FADB0D4BADB07E07F Ref B: BRU30EDGE0912 Ref C: 2023-11-14T18:59:46Z
date: Tue, 14 Nov 2023 18:59:45 GMT
DNS

eoicimocciok.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

eoicimocciok.org

IN A

Response
DNS

eoicimocciok.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

eoicimocciok.org

IN A

Response
DNS

fdyvfg.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

fdyvfg.info

IN A

Response
DNS

iqqkusoaic.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

iqqkusoaic.org

IN A

Response
DNS

sowgiqqeii.com

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

sowgiqqeii.com

IN A

Response
DNS

acuijgjazzm.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

acuijgjazzm.info

IN A

Response
DNS

bwqnkwbwd.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

bwqnkwbwd.net

IN A

Response
DNS

bwqnkwbwd.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

bwqnkwbwd.net

IN A

Response
DNS

laamirccwet.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

laamirccwet.org

IN A

Response
DNS

laamirccwet.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

laamirccwet.org

IN A

Response
DNS

ugigce.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

ugigce.org

IN A

Response
DNS

ugigce.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

ugigce.org

IN A

Response
DNS

esrgkgk.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

esrgkgk.net

IN A

Response
DNS

esrgkgk.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

esrgkgk.net

IN A

Response
DNS

vohazft.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

vohazft.info

IN A

Response
DNS

vohazft.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

vohazft.info

IN A

Response
DNS

iwuuqg.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

iwuuqg.org

IN A

Response
DNS

iwuuqg.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

iwuuqg.org

IN A

Response
DNS

hwfnco.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

hwfnco.info

IN A

Response
DNS

hwfnco.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

hwfnco.info

IN A

Response
DNS

ntrcxbanqofd.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

ntrcxbanqofd.info

IN A

Response
DNS

ntrcxbanqofd.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

ntrcxbanqofd.info

IN A

Response
DNS

nymzcev.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

nymzcev.info

IN A

Response
DNS

nymzcev.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

nymzcev.info

IN A

Response
DNS

onelrkn.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

onelrkn.info

IN A

Response
DNS

hyzniuu.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

hyzniuu.net

IN A

Response
DNS

hyzniuu.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

hyzniuu.net

IN A

Response
DNS

nqbmoj.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

nqbmoj.net

IN A

Response
DNS

nqbmoj.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

nqbmoj.net

IN A

Response
DNS

tadbtwa.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

tadbtwa.org

IN A

Response
DNS

tadbtwa.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

tadbtwa.org

IN A

Response
DNS

runizwxnl.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

runizwxnl.info

IN A

Response
DNS

runizwxnl.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

runizwxnl.info

IN A

Response
DNS

yeycwygyus.com

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

yeycwygyus.com

IN A

Response
DNS

yeycwygyus.com

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

yeycwygyus.com

IN A

Response
DNS

rjmwhkscnyc.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

rjmwhkscnyc.org

IN A

Response

rjmwhkscnyc.org

IN A

85.214.228.140
DNS

rjmwhkscnyc.org

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

rjmwhkscnyc.org

IN A

Response

rjmwhkscnyc.org

IN A

85.214.228.140
GET

http://rjmwhkscnyc.org/

pmwdfn.exe

Remote address:

85.214.228.140:80

Request

GET / HTTP/1.1
Host: rjmwhkscnyc.org
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Connection: close

Response

HTTP/1.1 404 Not Found

Server: nginx/1.25.3
Date: Tue, 14 Nov 2023 18:59:50 GMT
Transfer-Encoding: chunked
Connection: close
DNS

euzrdmek.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

euzrdmek.net

IN A

Response
DNS

euzrdmek.net

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

euzrdmek.net

IN A

Response
DNS

agnmrpdqr.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

agnmrpdqr.info

IN A

Response
DNS

agnmrpdqr.info

pmwdfn.exe

Remote address:

8.8.8.8:53

Request

agnmrpdqr.info

IN A

Response
DNS

140.228.214.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.228.214.85.in-addr.arpa

IN PTR

Response

140.228.214.85.in-addr.arpa

IN PTR

h2758763stratoservernet
DNS

140.228.214.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.228.214.85.in-addr.arpa

IN PTR

Response

140.228.214.85.in-addr.arpa

IN PTR

h2758763stratoservernet

188.114.96.0:80

http://www.showmyipaddress.com/

http

pmwdfn.exe

413 B
827 B
5
4

HTTP Request

GET http://www.showmyipaddress.com/

HTTP Response

301
188.114.96.0:80

http://www.showmyipaddress.com/

http

pmwdfn.exe

413 B
829 B
5
4

HTTP Request

GET http://www.showmyipaddress.com/

HTTP Response

301
188.114.96.0:80

http://www.showmyipaddress.com/

http

pmwdfn.exe

413 B
823 B
5
4

HTTP Request

GET http://www.showmyipaddress.com/

HTTP Response

301
188.114.96.0:80

http://www.showmyipaddress.com/

http

pmwdfn.exe

413 B
831 B
5
4

HTTP Request

GET http://www.showmyipaddress.com/

HTTP Response

301
104.16.155.36:80

http://whatismyipaddress.com/

http

pmwdfn.exe

457 B
1.4kB
6
5

HTTP Request

GET http://whatismyipaddress.com/

HTTP Response

403
172.67.189.152:80

http://www.whatismyip.com/

http

pmwdfn.exe

408 B
851 B
5
4

HTTP Request

GET http://www.whatismyip.com/

HTTP Response

301
188.114.96.0:80

http://www.showmyipaddress.com/

http

pmwdfn.exe

413 B
827 B
5
4

HTTP Request

GET http://www.showmyipaddress.com/

HTTP Response

301
104.16.155.36:80

http://whatismyipaddress.com/

http

pmwdfn.exe

457 B
1.4kB
6
5

HTTP Request

GET http://whatismyipaddress.com/

HTTP Response

403
172.67.189.152:80

http://www.whatismyip.com/

http

pmwdfn.exe

408 B
851 B
5
4

HTTP Request

GET http://www.whatismyip.com/

HTTP Response

301
172.67.189.152:80

http://www.whatismyip.com/

http

pmwdfn.exe

408 B
849 B
5
4

HTTP Request

GET http://www.whatismyip.com/

HTTP Response

301
188.114.96.0:80

http://www.showmyipaddress.com/

http

pmwdfn.exe

413 B
827 B
5
4

HTTP Request

GET http://www.showmyipaddress.com/

HTTP Response

301
188.114.96.0:80

http://www.showmyipaddress.com/

http

pmwdfn.exe

413 B
827 B
5
4

HTTP Request

GET http://www.showmyipaddress.com/

HTTP Response

301
151.101.0.81:80

http://www.bbc.co.uk/

http

pmwdfn.exe

403 B
1.4kB
5
5

HTTP Request

GET http://www.bbc.co.uk/

HTTP Response

302
162.249.65.164:80

yoisamcgesae.org

pmwdfn.exe

260 B
200 B
5
5
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301700_18ZUY5V0A74HOX1SZ&pid=21.2&w=1080&h=1920&c=4

tls, http2

88.4kB
2.5MB
1783
1779

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301334_1WMRLWCL1PT75T92E&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301291_1H8FN9XYY8JWTIM5Q&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301143_11K66B0WIWZ9F4H58&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317300901_1GFSIP06IOS6OQIXA&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301552_1IFO1SSFDEAP7NXRO&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301700_18ZUY5V0A74HOX1SZ&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
85.214.228.140:80

http://rjmwhkscnyc.org/

http

pmwdfn.exe

451 B
349 B
6
5

HTTP Request

GET http://rjmwhkscnyc.org/

HTTP Response

404

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

126.20.238.8.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

126.20.238.8.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

whatismyip.everdot.org

dns

pmwdfn.exe

68 B
116 B
1
1

DNS Request

whatismyip.everdot.org
8.8.8.8:53

www.whatismyip.ca

dns

pmwdfn.exe

63 B
130 B
1
1

DNS Request

www.whatismyip.ca
8.8.8.8:53

www.showmyipaddress.com

dns

pmwdfn.exe

69 B
101 B
1
1

DNS Request

www.showmyipaddress.com

DNS Response

188.114.96.0

188.114.97.0
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

0.96.114.188.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

0.96.114.188.in-addr.arpa
8.8.8.8:53

whatismyip.everdot.org

dns

pmwdfn.exe

68 B
116 B
1
1

DNS Request

whatismyip.everdot.org
8.8.8.8:53

whatismyipaddress.com

dns

pmwdfn.exe

67 B
99 B
1
1

DNS Request

whatismyipaddress.com

DNS Response

104.16.155.36

104.16.154.36
8.8.8.8:53

36.155.16.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

36.155.16.104.in-addr.arpa
8.8.8.8:53

www.whatismyip.com

dns

pmwdfn.exe

64 B
96 B
1
1

DNS Request

www.whatismyip.com

DNS Response

172.67.189.152

104.21.89.158
8.8.8.8:53

152.189.67.172.in-addr.arpa

dns

73 B
135 B
1
1

DNS Request

152.189.67.172.in-addr.arpa
8.8.8.8:53

whatismyip.everdot.org

dns

pmwdfn.exe

68 B
116 B
1
1

DNS Request

whatismyip.everdot.org
8.8.8.8:53

whatismyip.everdot.org

dns

pmwdfn.exe

68 B
116 B
1
1

DNS Request

whatismyip.everdot.org
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

www.bbc.co.uk

dns

pmwdfn.exe

59 B
187 B
1
1

DNS Request

www.bbc.co.uk

DNS Response

151.101.0.81

151.101.64.81

151.101.128.81

151.101.192.81
8.8.8.8:53

eynqhez.info

dns

pmwdfn.exe

58 B
137 B
1
1

DNS Request

eynqhez.info
8.8.8.8:53

iecnlp.info

dns

pmwdfn.exe

57 B
136 B
1
1

DNS Request

iecnlp.info
8.8.8.8:53

dbhveu.net

dns

pmwdfn.exe

56 B
129 B
1
1

DNS Request

dbhveu.net
8.8.8.8:53

pzhmflzqyya.info

dns

pmwdfn.exe

62 B
141 B
1
1

DNS Request

pzhmflzqyya.info
8.8.8.8:53

nbbitaxblp.net

dns

pmwdfn.exe

60 B
133 B
1
1

DNS Request

nbbitaxblp.net
8.8.8.8:53

ptlcxcnulj.net

dns

pmwdfn.exe

60 B
133 B
1
1

DNS Request

ptlcxcnulj.net
8.8.8.8:53

seqmqe.org

dns

pmwdfn.exe

112 B
276 B
2
2

DNS Request

seqmqe.org

DNS Request

seqmqe.org
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

81.0.101.151.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

81.0.101.151.in-addr.arpa
8.8.8.8:53

soyagydjasox.info

dns

pmwdfn.exe

126 B
284 B
2
2

DNS Request

soyagydjasox.info

DNS Request

soyagydjasox.info
8.8.8.8:53

uuygasyqqo.org

dns

pmwdfn.exe

120 B
284 B
2
2

DNS Request

uuygasyqqo.org

DNS Request

uuygasyqqo.org
8.8.8.8:53

yoisamcgesae.org

dns

pmwdfn.exe

62 B
78 B
1
1

DNS Request

yoisamcgesae.org

DNS Response

162.249.65.164
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

eoicimocciok.org

dns

pmwdfn.exe

124 B
288 B
2
2

DNS Request

eoicimocciok.org

DNS Request

eoicimocciok.org
8.8.8.8:53

fdyvfg.info

dns

pmwdfn.exe

57 B
136 B
1
1

DNS Request

fdyvfg.info
8.8.8.8:53

iqqkusoaic.org

dns

pmwdfn.exe

60 B
142 B
1
1

DNS Request

iqqkusoaic.org
8.8.8.8:53

sowgiqqeii.com

dns

pmwdfn.exe

60 B
133 B
1
1

DNS Request

sowgiqqeii.com
8.8.8.8:53

acuijgjazzm.info

dns

pmwdfn.exe

62 B
141 B
1
1

DNS Request

acuijgjazzm.info
8.8.8.8:53

bwqnkwbwd.net

dns

pmwdfn.exe

118 B
264 B
2
2

DNS Request

bwqnkwbwd.net

DNS Request

bwqnkwbwd.net
8.8.8.8:53

laamirccwet.org

dns

pmwdfn.exe

122 B
286 B
2
2

DNS Request

laamirccwet.org

DNS Request

laamirccwet.org
8.8.8.8:53

ugigce.org

dns

pmwdfn.exe

112 B
276 B
2
2

DNS Request

ugigce.org

DNS Request

ugigce.org
8.8.8.8:53

esrgkgk.net

dns

pmwdfn.exe

114 B
260 B
2
2

DNS Request

esrgkgk.net

DNS Request

esrgkgk.net
8.8.8.8:53

vohazft.info

dns

pmwdfn.exe

116 B
274 B
2
2

DNS Request

vohazft.info

DNS Request

vohazft.info
8.8.8.8:53

iwuuqg.org

dns

pmwdfn.exe

112 B
276 B
2
2

DNS Request

iwuuqg.org

DNS Request

iwuuqg.org
8.8.8.8:53

hwfnco.info

dns

pmwdfn.exe

114 B
272 B
2
2

DNS Request

hwfnco.info

DNS Request

hwfnco.info
8.8.8.8:53

ntrcxbanqofd.info

dns

pmwdfn.exe

126 B
284 B
2
2

DNS Request

ntrcxbanqofd.info

DNS Request

ntrcxbanqofd.info
8.8.8.8:53

nymzcev.info

dns

pmwdfn.exe

116 B
274 B
2
2

DNS Request

nymzcev.info

DNS Request

nymzcev.info
8.8.8.8:53

onelrkn.info

dns

pmwdfn.exe

58 B
137 B
1
1

DNS Request

onelrkn.info
8.8.8.8:53

hyzniuu.net

dns

pmwdfn.exe

114 B
260 B
2
2

DNS Request

hyzniuu.net

DNS Request

hyzniuu.net
8.8.8.8:53

nqbmoj.net

dns

pmwdfn.exe

112 B
258 B
2
2

DNS Request

nqbmoj.net

DNS Request

nqbmoj.net
8.8.8.8:53

tadbtwa.org

dns

pmwdfn.exe

114 B
278 B
2
2

DNS Request

tadbtwa.org

DNS Request

tadbtwa.org
8.8.8.8:53

runizwxnl.info

dns

pmwdfn.exe

120 B
278 B
2
2

DNS Request

runizwxnl.info

DNS Request

runizwxnl.info
8.8.8.8:53

yeycwygyus.com

dns

pmwdfn.exe

120 B
266 B
2
2

DNS Request

yeycwygyus.com

DNS Request

yeycwygyus.com
8.8.8.8:53

rjmwhkscnyc.org

dns

pmwdfn.exe

122 B
154 B
2
2

DNS Request

rjmwhkscnyc.org

DNS Request

rjmwhkscnyc.org

DNS Response

85.214.228.140

DNS Response

85.214.228.140
8.8.8.8:53

euzrdmek.net

dns

pmwdfn.exe

116 B
262 B
2
2

DNS Request

euzrdmek.net

DNS Request

euzrdmek.net
8.8.8.8:53

agnmrpdqr.info

dns

pmwdfn.exe

120 B
278 B
2
2

DNS Request

agnmrpdqr.info

DNS Request

agnmrpdqr.info
8.8.8.8:53

140.228.214.85.in-addr.arpa

dns

146 B
224 B
2
2

DNS Request

140.228.214.85.in-addr.arpa

DNS Request

140.228.214.85.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\fwabxzeczzsqpfbsaufwab.zec

Filesize
280B

MD5
66e03b7eb8270b4a886d8e7670987190

SHA1
170bf0876c15cfe6a12ea248434fe808ff6c47d3

SHA256
000dd99c29926cb491a5f7367807a36334765db860c0f50aa03812c5f27356ad

SHA512
16b45b35a3a555a57bd292edae6375bf6a6d23b4ed9d06ccb4000da522ab48a17fe87fd432c72a601b29788193d5e15e1ecedf541f986313bb53269b18b0ba86

Download Submit
C:\Program Files (x86)\fwabxzeczzsqpfbsaufwab.zec

Filesize
280B

MD5
8dbd54c120ea886e81ba762ac42cbb99

SHA1
131013053099e5140fa1490542f4867c9ab4fadf

SHA256
901b55f477d6d6cc30f7bf5179487060fdec692eb94ec86faca8671be74c4130

SHA512
8fc22ca318554167982a9f77ab5cda13f4d03420d8cef5cdcf047dcfd1c2dd0f70c4fd1981e1b41f92c2f11f32c3e9df2ff2b9b70ca0ccdb885e2e34ef5da00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe

Filesize
7.7MB

MD5
e8eafc24260030cf89f7c351264cddff

SHA1
9aebb85d73b1684946bf0de78eed67834ff83200

SHA256
66126b6c5b39c6e82329781dafc36f7785fd61213f406aca9692b5bb5ac33e98

SHA512
317c2b85ea14bfb03845f0c7e65b8e10301f1d5e82610fec8e0f2f6120e1786ad9727a1702ffc6c5c1d1f95c808963cd6d3b355fae1382dc9865f61438ffab4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe

Filesize
7.7MB

MD5
e8eafc24260030cf89f7c351264cddff

SHA1
9aebb85d73b1684946bf0de78eed67834ff83200

SHA256
66126b6c5b39c6e82329781dafc36f7785fd61213f406aca9692b5bb5ac33e98

SHA512
317c2b85ea14bfb03845f0c7e65b8e10301f1d5e82610fec8e0f2f6120e1786ad9727a1702ffc6c5c1d1f95c808963cd6d3b355fae1382dc9865f61438ffab4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe

Filesize
7.7MB

MD5
e8eafc24260030cf89f7c351264cddff

SHA1
9aebb85d73b1684946bf0de78eed67834ff83200

SHA256
66126b6c5b39c6e82329781dafc36f7785fd61213f406aca9692b5bb5ac33e98

SHA512
317c2b85ea14bfb03845f0c7e65b8e10301f1d5e82610fec8e0f2f6120e1786ad9727a1702ffc6c5c1d1f95c808963cd6d3b355fae1382dc9865f61438ffab4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe

Filesize
7.7MB

MD5
e8eafc24260030cf89f7c351264cddff

SHA1
9aebb85d73b1684946bf0de78eed67834ff83200

SHA256
66126b6c5b39c6e82329781dafc36f7785fd61213f406aca9692b5bb5ac33e98

SHA512
317c2b85ea14bfb03845f0c7e65b8e10301f1d5e82610fec8e0f2f6120e1786ad9727a1702ffc6c5c1d1f95c808963cd6d3b355fae1382dc9865f61438ffab4b

Download Submit
C:\Users\Admin\AppData\Local\fwabxzeczzsqpfbsaufwab.zec

Filesize
280B

MD5
8338ba07bd42fae194f2b41270bcdabf

SHA1
343e40eb383a25953096318018356893158c529d

SHA256
cce8c5dd154abef81552f9de25ddc3fd2f126af109d815dd30827e3d2ff270e9

SHA512
360bc4ba5f1cd72f0ed63dc3d7297d5dfa7a1637f204b2c1924119e79606a01fd72c0328b9a4e0aa31cc5552354ff84bbe2272e5fa8d52d44e3a95e3eda949a9

Download Submit
C:\Users\Admin\AppData\Local\wynzgtjsalpyijqslqmodpwjziqbfoyzg.bgc

Filesize
4KB

MD5
1cd78487476c771b7e9008ed124b56a2

SHA1
d41b09d438496bc8bc38b5e6b90af38184c616a2

SHA256
e4d0b4cf96f37569166cab6ce12e52bca71e15ed9d28e8195e654fddb569ddb1

SHA512
07698dbc9694e138c388362e066172a96b3dee4c11fa963f0dac048df7da6f786d4c6e2a0e594a3dec0d8f2a701c4bdf752b0a1d90a3a444eee77b1f02c41763

Download Submit